Authenticating users using Active Directory in Client-Server Application


Problem description

I've been asked to provide support for authenticating users against an Active Directory in our existing client-server application.

At the moment a user supplies a user name and password from a client machine, passed over the wire (encrypted) to our server process and matched against a user name/password stored in a database.

Initially, I thought this would be an easy problem to solve, since I could simply authenticate the users' name/password against Active Directory from our server process. However, it turns out that users shouldn't have to enter a password from our client application, instead taking its credentials from the current Windows login session.

I'm now faced with the problem of how to authenticate using Active Directory without having a password. I'm sure there must be a way of somehow passing some sort of "token" from the client to our server process that could be used as an alternative authentication method, but my research so far has drawn a blank.

Our server is written in C++, so we'll be using the win32 API. I also intend to develop and debug this using a virtual machine running Windows 2008 AD LDS - I'm hoping this will be sufficient for what I'm trying to achieve.

Any help or advice is much appreciated.

Recommended answer

You do an NTLM/Kerberos/Negotiate SSPI exchange loop. There is a full sample on MSDN for both the client and the server (http://msdn.microsoft.com/en-us/library/aa380537%28VS.85%29.aspx). To be clear: you do not use any sort of LDAP access explicitly. It is the LSA (Local Security Authority) that talks with LDAP and establishes the identity of the client. If you are successful in doing the entire SSPI loop, the authentication has succeeded already and the client identity is already authenticated against the LDAP. If your server needs to know the client identity (e.g. to know the user name) it retrieves it from the security context resulting from the SSPI loop using QueryContextAttributes(..., SECPKG_ATTR_NAMES, ...) (http://msdn.microsoft.com/en-us/library/aa379328%28VS.85%29.aspx) and retrieves the user name from the SecPkgContext_Names structure (http://msdn.microsoft.com/en-us/library/aa380089%28VS.85%29.aspx).
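The exchange the answer describes, as an added loopback example in C# (not code from the question, the answer or the MSDN sample): .NET's NegotiateStream drives the same Negotiate token loop that a Win32 server runs with AcquireCredentialsHandle/AcceptSecurityContext, and its RemoteIdentity property is the counterpart of QueryContextAttributes with SECPKG_ATTR_NAMES. It assumes a Windows host (NTLM is used on loopback with the empty target name; the SPN in the comment is a placeholder), and a C++ server would make the equivalent SSPI calls.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Principal;
using System.Threading.Tasks;

// Constructed loopback demo: client and server run in one process on 127.0.0.1.
// The client never handles a password; the server learns who connected from the
// completed security context, exactly as the answer describes.
static class NegotiateDemo
{
    // Server side: drives the AcceptSecurityContext loop to completion, then reads the
    // client name (QueryContextAttributes/SECPKG_ATTR_NAMES equivalent) and the package used.
    static async Task<string> ServerAsync(TcpListener listener)
    {
        using TcpClient conn = await listener.AcceptTcpClientAsync();
        using var auth = new NegotiateStream(conn.GetStream(), false);
        await auth.AuthenticateAsServerAsync(
            CredentialCache.DefaultNetworkCredentials,   // the server's own logon identity
            ProtectionLevel.EncryptAndSign,
            TokenImpersonationLevel.Identification);     // identify only; never impersonate here
        if (!auth.IsAuthenticated)
            throw new InvalidOperationException("SSPI exchange did not complete");
        return $"{auth.RemoteIdentity.Name} via {auth.RemoteIdentity.AuthenticationType}";
    }

    // Client side: drives the InitializeSecurityContext loop with the current Windows logon
    // session (DefaultNetworkCredentials), so no password is collected or sent by the app.
    static async Task ClientAsync(int port)
    {
        using var conn = new TcpClient();
        await conn.ConnectAsync(IPAddress.Loopback, port);
        using var auth = new NegotiateStream(conn.GetStream(), false);
        // Empty target name makes Negotiate fall back to NTLM on loopback; in a real deployment
        // pass the server's SPN (placeholder: "host/server.example.com") so Kerberos is selected.
        await auth.AuthenticateAsClientAsync(
            CredentialCache.DefaultNetworkCredentials, string.Empty,
            ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Identification);
    }

    static async Task Main()
    {
        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;
        Task<string> server = ServerAsync(listener);
        await Task.WhenAll(server, ClientAsync(port));
        Console.WriteLine("Server authenticated client as: " + server.Result);
        listener.Stop();
    }
}
```

Run it on a domain-joined machine with a proper SPN to see the package switch from NTLM to Kerberos; the server code does not change, because the LSA, not the application, establishes the identity.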
