自定义多因素Active Directory验证 [英] Custom Multi-factor Active Directory Authentication

问题描述

我会说，我不知道如果我想要什么措施能够真正开始。如果是这样的话，不要犹豫，告诉我，我是在做梦。

I'll start off by saying that I have no idea if what I want can actually be done. If that's the case, do not hesitate to tell me that I'm dreaming.

我要创建在C＃中的自定义Active Directory的身份验证。通过这一点，我的意思是，我想，只要有人登录，存储在AD密码首先检查，然后再验证的第二个步骤进行。只有当这两个步骤通过并获取用户登录。

I want to create a custom active directory "authenticator" in C#. By that, I mean, I would like that whenever someone logs in, their password stored in the AD is checked first, and then a second step of authentication is performed. Only if both steps pass does the user get to log in.

现在，我想上面是不是太牵强，提供我想要融入这个身份验证到定制产品，对不对？我是完全疯了也想知道，如果这个接入用户的时候，比如说，登录到Windows本身可以使用？或者，也许是pre-现有的产品，认证对AD？

Now, I imagine the above isn't too far fetched, providing I wanted to integrate this authenticator into a custom product, right?. Am I totally insane for also wondering if this authenticator can be used when, say, logging into Windows itself? Or perhaps a pre-existing product which authenticates against the AD?

如果我不是在做梦吧，会有人还知道有什么好文章/原料药，让我去？这些API不必是免费的，因为我舍得用一些现金来让物体移动得更快。

If I'm not dreaming, would anyone also know of any good articles/APIs to get me going? The APIs don't have to be free, as I'm willing to part with some cash to get things moving faster.

推荐答案

这是完全可行的。不过，我想指出，发出服务器绑定到Active Directory时，你检查所提供的用户名（通常是sAMAccountName赋），并在一次操作中输入的密码。有在C＃这样做的一些方法，但是很多人（包括我自己）都选择使用的System.DirectoryServices 和 System.DirectoryServices中。协议命名空间。

This is entirely feasible. However I'd like to note that, when issuing a server bind to Active Directory, you're checking the provided username (usually the sAMAccountName) and the password entered in one action. There are a few ways of doing this in C#, but many folks (including myself) have opted to use the System.DirectoryServices and System.DirectoryServices.Protocols namespace.

这就是我目前绑定用户到Active Directory，然后基于该方法的结果，我要么显示授权失败的原因，否则我让他们继续到应用程序中的帐户。

This is how I currently bind users to Active Directory, which then based on the result of this method, I either display the reason for authorization failure, or I allow them to continue on to their account within the application.

//Define your connection
LdapConnection ldapConnection = new LdapConnection("123.456.789.10:389");

try
{
      //Authenticate the username and password
      using (ldapConnection)
      {
          //Pass in the network creds, and the domain.
          var networkCredential = new NetworkCredential(Username, Password, Domain);
          //Since we're using unsecured port 389, set to false. If using port 636 over SSL, set this to true.
          ldapConnection.SessionOptions.SecureSocketLayer = false;
          ldapConnection.SessionOptions.VerifyServerCertificate += delegate { return true; };
          //To force NTLM\Kerberos use AuthType.Negotiate, for non-TLS and unsecured, use AuthType.Basic
          ldapConnection.AuthType = AuthType.Basic;
          ldapConnection.Bind(networkCredential);
      }
      catch (LdapException ldapException)
      {
          //Authentication failed, exception will dictate why
      }
}

如果你想走得更远一步，检索属性有关该用户为好，<一个href="http://stackoverflow.com/questions/12911391/set-callback-for-system-directoryservices-directoryentry-to-handle-self-signed-s/13073365#13073365">check从这个线程这里。

If you'd like to go a step further and retrieve properties about this user as well, check out this thread here.

另外，我的高推荐Softerra的的LDAP浏览器来测试什么LDAP相关 - 这是一个美妙的产品，而且是免费的。您可以从这里下载。

Also, I highly recommend Softerra's LDAP Browser for testing anything LDAP related - it is a wonderful product, and it's free. You can download it from here.

希望这可以让你在正确的方向。

Hopefully that gets you going in the right direction.

这篇关于自定义多因素Active Directory验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！