How to determine if logged on windows account has been authenticated on domain


Problem description

  


Possible Duplicate:
Authenticating users using Active Directory in Client-Server Application

I'm attempting a single sign-on approach in my program using unmanaged C++, and need to determine if the current Windows user is authenticated in my domain. If I can find a way to know that the user has been authenticated, I'll allow him into my desktop application without requiring a password (usernames are the same in my app and on the domain).

I can authenticate directly against Active Directory using ADsOpenObject(), but that requires username, password and privileges; I need to do it only with a username, and no input from the user himself.

With .NET I could use something from System.DirectoryServices, like in this thread.

As far as I've found out, this task may involve analyzing Windows security Kerberos tokens to do properly. This was thoroughly discussed in this thread and touched upon for Java in this thread. Though I do not need strict SSO, since my app does not try to access anything related to the domain.

Is the SSPI ticket way the only way, or can I exploit some property of ADSI/WinLogon/CredentialsCache to make it work?

Solution

This is a very simple way, but if you check the environment variables for the user:

On a workgroup:

COMPUTERNAME=JPBHPP2
LOGONSERVER=\\JPBHPP2
USERDOMAIN=JPBHPP2

On a domain:

COMPUTERNAME=WM2008R2ENT
LOGONSERVER=\\WM2008R2ENT
USERDNSDOMAIN=DOM.FR
USERDOMAIN=DOM

Here it's not so evident because the user is logged on the server, but the USERDOMAIN is different from COMPUTERNAME.

There is also the GetUserNameEx API that can do the job:

BOOLEAN WINAPI GetUserNameEx(
  __in     EXTENDED_NAME_FORMAT NameFormat,
  __out    LPTSTR lpNameBuffer,
  __inout  PULONG lpnSize
);
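
The comparison the answer describes, as an added example in portable C (not code from the original post): `classify_env` applies it to the COMPUTERNAME and USERDOMAIN values, and `classify_sam` applies it to a `DOMAIN\user` string of the kind GetUserNameEx returns for NameSamCompatible. The function and type names are hypothetical, chosen for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { LOGON_UNKNOWN, LOGON_LOCAL, LOGON_DOMAIN } logon_kind;

/* Windows computer and domain names compare case-insensitively. */
static int name_eq(const char *a, size_t alen, const char *b)
{
    if (alen != strlen(b)) return 0;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Heuristic from the answer: USERDOMAIN == COMPUTERNAME means a local
   (workgroup) account; a different USERDOMAIN means a domain account.
   LOGONSERVER is ignored on purpose: in the answer's domain sample it
   equals the computer name, so it cannot separate the two cases. */
logon_kind classify_env(const char *computername, const char *userdomain)
{
    if (!computername || !userdomain || !*computername || !*userdomain)
        return LOGON_UNKNOWN;
    return name_eq(userdomain, strlen(userdomain), computername)
               ? LOGON_LOCAL : LOGON_DOMAIN;
}

/* Same test on a "DOMAIN\user" string (SAM-compatible name format). */
logon_kind classify_sam(const char *sam, const char *computername)
{
    const char *sep = sam ? strchr(sam, '\\') : NULL;
    if (!sep || sep == sam || !sep[1] || !computername || !*computername)
        return LOGON_UNKNOWN;
    return name_eq(sam, (size_t)(sep - sam), computername)
               ? LOGON_LOCAL : LOGON_DOMAIN;
}

int main(void)
{
    static const char *names[] = { "unknown", "local", "domain" };
    const char *pc = getenv("COMPUTERNAME"), *dom = getenv("USERDOMAIN");
    printf("this session: %s\n", names[classify_env(pc, dom)]); /* unset off Windows */
    printf("answer's domain sample: %s\n", names[classify_env("WM2008R2ENT", "DOM")]);
    return 0;
}
```

Environment variables can be overridden by whoever starts the process, so the result is a hint about the account type rather than proof that the domain authenticated the user.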
