I have a web application with a login page. How do I authenticate Active Directory users?
As of now I am able to fetch some attributes from Active Directory, and I was finally able to communicate with AD using an LDAP string. I know there is no way to pull the password out of AD and check it against the password the user entered!!
Is there any way to authenticate Active Directory users?
Here is my code so far
using System;
using System.Configuration;
using System.DirectoryServices;

public class Userdetails
{
    public static string ADPath = ConfigurationManager.AppSettings.Get("ADPath"); // Get the ADAM path from the web config file
    public static string ADUser = ConfigurationManager.AppSettings.Get("ADUser"); // ADAM administrator
    public static string ADPassword = ConfigurationManager.AppSettings.Get("ADPassword"); // ADAM administrator password

    public static DirectoryEntry GetUserDetails(string userID)
    {
        AuthenticationTypes AuthTypes; // Authentication flags.
        // Set authentication flags.
        // For a non-secure connection, use the LDAP port and
        // ADS_USE_SIGNING |
        // ADS_USE_SEALING |
        // ADS_SECURE_AUTHENTICATION
        // For a secure connection, use the SSL port and
        // ADS_USE_SSL | ADS_SECURE_AUTHENTICATION
        AuthTypes = AuthenticationTypes.Signing |
                    AuthenticationTypes.Sealing |
                    AuthenticationTypes.Secure;
        DirectoryEntry De = new DirectoryEntry(ADPath, ADUser, ADPassword, AuthTypes);
        DirectorySearcher Ds = new DirectorySearcher(De);
        SearchResult Sr;
        Ds.SearchScope = SearchScope.Subtree;
        // userID comes from the login form: escape it so it cannot change the filter's
        // structure (RFC 4515), and do not put a space after "cn=" or the value will not match.
        Ds.Filter = "(&(objectclass=*)(cn=" + EscapeLdapFilter(userID) + "))";
        Sr = Ds.FindOne();
        if (!(Sr == null))
        {
            De = new DirectoryEntry(Sr.Path, ADUser, ADPassword, AuthTypes);
            return De;
        }
        else
        {
            return null;
        }
    }

    // Escapes the characters that carry meaning inside an LDAP search filter.
    private static string EscapeLdapFilter(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }
}
3 Answers
If you are only authenticating against AD and do not have to perform other AD-specific operations, why not stick with the built-in
ActiveDirectoryMembershipProvider
instead of writing custom code? Have a look at:
http://msdn.microsoft.com/en-us/library/system.web.security.activedirectorymembershipprovider.aspx
http://msdn.microsoft.com/en-us/library/bb299745.aspx
http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.aspx
http://msdn.microsoft.com/en-us/magazine/cc135979.aspx
Creating a new DirectoryEntry with the password and using it with a DirectorySearcher will validate the password and throw an exception on failure. One important exception is a null/empty password. Most LDAP servers (AD included, I think) will ignore the password parameter if it is null or empty. So you should test for that first.
Old MSDN sample
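As an added example (not code from the question or either answer), this wires the two points above together: refuse a null/empty password before the bind, then bind to the directory as the user and treat any exception as a failed login. The LDAP path, the domain\user name format and the class name are assumptions for illustration.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

public static class AdAuthenticator
{
    // Assumed placeholder path; replace with the real domain controller / naming context.
    private const string LdapPath = "LDAP://dc.example.local/DC=example,DC=local";

    // Returns true only when the directory accepts a bind with a real, non-empty password.
    // An empty password must be rejected here: many LDAP servers, AD included, treat it
    // as an unauthenticated (anonymous) bind and report success, which would let anyone
    // log in as any known user name.
    public static bool ValidateCredentials(string domain, string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false; // reject before touching the directory

        AuthenticationTypes authTypes = AuthenticationTypes.Secure |
                                        AuthenticationTypes.Signing |
                                        AuthenticationTypes.Sealing;

        // Bind with the user's own credentials, not the service account from web.config.
        using (var entry = new DirectoryEntry(LdapPath, domain + "\\" + userName, password, authTypes))
        {
            try
            {
                // The bind is lazy; reading NativeObject forces it and throws on bad credentials.
                object native = entry.NativeObject;
                return native != null;
            }
            catch (DirectoryServicesCOMException)
            {
                return false; // wrong password, disabled or locked account, expired password, ...
            }
            catch (COMException)
            {
                return false; // server unreachable or other provider failure: still not a login
            }
        }
    }
}
```

Log the exception type server-side when the bind fails so that "wrong password" and "directory unreachable" can be told apart during incident triage, but return the same generic error to the browser.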