如何从 Web 应用程序中的客户端计算机获取 AD 凭据? [英] How to grab AD credentials from client machine in a web application?

问题描述

是否可以从 Web 应用程序中获取客户端计算机上用户的活动目录凭据?

Is it possible to grab activedirectory credentials for the user on a client machine from within a web application?

澄清一下，我正在设计一个 Web 应用程序，它将托管在客户端的 Intranet 上.

To clarify, I am designing a web application which will be hosted on a client's intranet.

要求在访问应用程序时不提示应用程序的用户提供凭据，而是应自动获取登录到客户端计算机的用户的凭据，无需用户交互.

There is a requirement that the a user of the application not be prompted for credentials when accessing the application, and that instead the credentials of the user logged onto the client machine should be grabbed automatically, without user interaction.

推荐答案

绝对可以.这对于 Intranet 应用程序尤其有用.

Absolutely. This is especially useful for intranet applications.

由于您没有指定环境，我假设它是 .NET，但这当然不是唯一可能的方法.

Since you did not specify your environment, I'll assume it is .NET, but that isn't the only way possible of course.

可以使用 LDAP 轻松查询 Active Directory.如果您使用 .NET，您可以在 此代码示例 或者我下面的例子.您也可以在 SQL 环境也是如此.

Active Directory can be queried easily using LDAP. If you're using .NET, you can do something like in this code example or my example below. You can also do it within SQL environments as well.

如果您只需要 Windows 来处理身份验证，例如，您可以为 Windows 身份验证.请务必在 IIS 中为您的应用程序关闭匿名登录.完成后，您将能够访问用户的 Windows 登录名并使用它进行进一步的安全检查(例如，他们的 AD 中的组/角色成员资格).

If you just need Windows to handle authentication, you can set, for example, a .NET Web app up for Windows Authentication. Be sure to turn off Anonymous Logins within IIS for your application. Once done, you'll be able to access the user's Windows logon name and use it to make further security checks (for example, their group/role membership in AD).

您还可以使用 Enterprise Library 的 Security Application Block 之类的东西来简化整个混乱局面.

You can also simplify the whole mess using something like Enterprise Library's Security Application Block.

这是一个简短的 C# 示例:(转换为 VB.NET here)

Here is a short C# example: (convert to VB.NET here)

using System.DirectoryServices;

/// <summary>
/// Gets the email address, if defined, of a user from Active Directory.
/// </summary>
/// <param name="userid">The userid of the user in question.  Make
/// sure the domain has been stripped first!</param>
/// <returns>A string containing the user's email address, or null
/// if one was not defined or found.</returns>
public static string GetEmail(string userid)
{
    DirectorySearcher searcher;
    SearchResult result;
    string email;

    // Check first if there is a slash in the userid
    // If there is, domain has not been stripped
    if (!userid.Contains("\"))
    {
        searcher = new DirectorySearcher();
        searcher.Filter = String.Format("(SAMAccountName={0})", userid);
        searcher.PropertiesToLoad.Add("mail");
        result = searcher.FindOne();
        if (result != null)
        {
            email = result.Properties["mail"][0].ToString();
        }
    }

    return email;
}

您不必指定域控制器.为 DirectorySearcher 执行空/默认构造函数将导致它尝试自动查找一个 —事实上，这是首选方法.

You do not have to specify a domain controller. Performing the empty/default constructor for DirectorySearcher will cause it to attempt to look one up automatically — in fact, this is the preferred method.

这篇关于如何从 Web 应用程序中的客户端计算机获取 AD 凭据?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！