我可以在.NET中的不同Active Directory域中模拟用户吗？ [英] Can I impersonate a user on a different Active Directory domain in .NET?

问题描述

我有两个Active Directory域A和B.域A中的用户需要在其桌面上运行应用程序以查看和操作位于域B中的服务器上的资源。每个用户在域B中都有一个帐户。是否可以模拟每个用户的域B身份，以便以编程方式对域B资源执行操作？

I have two Active Directory domains, A and B. Users in domain A need to run an application on their desktops to view and manipulate a resource located on a server in domain B. Each user also has an account in domain B. Is it possible to impersonate each user's domain B identity to perform operations on the domain B resource programatically?

示例工作流程：

1. 用户登录到域A。


2. 用户启动桌面应用程序。


3. 用户指定域B中的资源


4. 应用程序会模拟用户的域B身份以访问指定的资源。


5. 应用程序会提示用户输入域B凭据。
6. 用户使用应用程序操纵域B资源。

1. User logs in to domain A.
2. User launches desktop application.
3. User specifies resource in domain B.
4. Application prompts user for domain B credentials.
5. Application impersonates user's domain B identity to access specified resource.
6. User manipulates domain B resource using application.

推荐答案

在Win32 API，但我很确定你可以p /调用这些从.NET。检查 http://pinvoke.net 。

I'm going to speak in terms of Win32 APIs, but I'm pretty sure you can p/invoke to these from .NET. Check http://pinvoke.net.

您需要调用LogonUser API以创建表示用户的域B凭据的访问令牌。

You need to call the LogonUser API to create an access token that represents the user's domain B credentials.

然后调用ImpersonateLoggedOnUser传递访问令牌。调用线程将模拟域B凭据，直到你模拟一组不同的凭据或调用RevertToSelf API。

Then you call ImpersonateLoggedOnUser, passing in that access token. The calling thread will impersonate the domain B credentials until you impersonate a different set of credentials or call the RevertToSelf API.

我猜，对于LogonUser调用要成功，您正在运行的计算机将需要信任域B。

I guess it goes without saying that, for the LogonUser call to succeed, the machine you're running on will need to trust domain B.

这篇关于我可以在.NET中的不同Active Directory域中模拟用户吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！