我可以在.NET中的不同Active Directory域中模拟用户吗? [英] Can I impersonate a user on a different Active Directory domain in .NET?
问题描述
我有两个Active Directory域A和B.域A中的用户需要在其桌面上运行应用程序以查看和操作位于域B中的服务器上的资源。每个用户在域B中都有一个帐户。是否可以模拟每个用户的域B身份,以便以编程方式对域B资源执行操作?
I have two Active Directory domains, A and B. Users in domain A need to run an application on their desktops to view and manipulate a resource located on a server in domain B. Each user also has an account in domain B. Is it possible to impersonate each user's domain B identity to perform operations on the domain B resource programatically?
示例工作流程:
- 用户登录到域A。
- 用户启动桌面应用程序。
- 用户指定域B中的资源
- 应用程序会模拟用户的域B身份以访问指定的资源。
- 应用程序会提示用户输入域B凭据。
- 用户使用应用程序操纵域B资源。
- User logs in to domain A.
- User launches desktop application.
- User specifies resource in domain B.
- Application prompts user for domain B credentials.
- Application impersonates user's domain B identity to access specified resource.
- User manipulates domain B resource using application.
推荐答案
在Win32 API,但我很确定你可以p /调用这些从.NET。检查 http://pinvoke.net 。
I'm going to speak in terms of Win32 APIs, but I'm pretty sure you can p/invoke to these from .NET. Check http://pinvoke.net.
您需要调用LogonUser API以创建表示用户的域B凭据的访问令牌。
You need to call the LogonUser API to create an access token that represents the user's domain B credentials.
然后调用ImpersonateLoggedOnUser传递访问令牌。调用线程将模拟域B凭据,直到你模拟一组不同的凭据或调用RevertToSelf API。
Then you call ImpersonateLoggedOnUser, passing in that access token. The calling thread will impersonate the domain B credentials until you impersonate a different set of credentials or call the RevertToSelf API.
我猜,对于LogonUser调用要成功,您正在运行的计算机将需要信任域B。
I guess it goes without saying that, for the LogonUser call to succeed, the machine you're running on will need to trust domain B.
这篇关于我可以在.NET中的不同Active Directory域中模拟用户吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!