如何安全地确保当前用户属于 Active Directory 组? [英] How can I securely ensure the current user belongs to an Active Directory Group?
问题描述
我正在创建一个 C# Winform 应用程序,它将在公司域 (Windows Active Directory) 中使用.该应用程序的行为如下:
I am creating a C# Winform Application which will be used in a corporate domain (Windows Active Directory). The app is to behave as the following:
- 当用户打开应用程序时,应用程序会检查当前用户是否属于 Active Directory 组.
- 如果是,则该应用将允许用户使用该应用.
通过谷歌搜索,我找到了几种检查用户是否属于 Active Directory 组的方法.例如在这里的链接=>如何检查用户是否属于某个广告组?
From google searches, I found several ways how to check if a user is part of an Active Directory group. For example in the link here => How to check if a user belongs to an AD group?
我担心的是其中的安全部分.如果有人欺骗用户名和域怎么办.他无需知道密码即可访问该应用.
My concern is the security part of this. What if someone spoofs a username and domain. He won't need to know the password to allow access to the app.
推荐答案
不要查找.用户所属的每个组的 SID(递归地)是用户登录令牌的一部分.所以你可以只使用 WindowsPrincipal.IsInRole().如果您只有该组的名称,则可以给它:
Don't do a look up. The SID of every group the user is a member of (recursively) is part of the user's login token. So you can just use WindowsPrincipal.IsInRole(). If you only have the name of the group, you can give it that:
var currentUser = new WindowsPrincipal(WindowsIdentity.GetCurrent());
currentUser.IsInRole("SomeGroup")
将名称翻译成 SID 并检查该 SID 的登录令牌.这需要网络请求.如果你可以给它组的 SID,那么你可以保存该网络请求:
That translates the name into the SID and checks the login token for that SID. That requires a network request. If you can give it the SID of the group instead, then you can save that network request:
var groupSid = new SecurityIdentifier("S-1-5-21-blah");
currentUser.IsInRole(groupSid)
这篇关于如何安全地确保当前用户属于 Active Directory 组?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
