Authenticate users against Active Directory?

I have a web application with a login page. How do I authenticate Active Directory users?

So far I am able to fetch some attributes from Active Directory, and I have finally managed to talk to AD using an LDAP string. I know there is no way to pull the password out of AD and compare it against the password the user enters!!

Is there any way to authenticate Active Directory users?

Here is my code so far

using System.Configuration;
using System.DirectoryServices;

public class Userdetails
{
    public static string ADPath = ConfigurationManager.AppSettings.Get("ADPath"); // Get the ADAM path from the web config file
    public static string ADUser = ConfigurationManager.AppSettings.Get("ADUser"); // ADAM administrator
    public static string ADPassword = ConfigurationManager.AppSettings.Get("ADPassword"); // ADAM administrator password

    public static DirectoryEntry GetUserDetails(string userID)
    {
        AuthenticationTypes AuthTypes;  // Authentication flags.
        // Set authentication flags.
        // For a non-secure connection, use the LDAP port and
        //  ADS_USE_SIGNING |
        //  ADS_USE_SEALING |
        //  ADS_SECURE_AUTHENTICATION
        // For a secure connection, use the SSL port and
        //  ADS_USE_SSL | ADS_SECURE_AUTHENTICATION
        AuthTypes = AuthenticationTypes.Signing |
            AuthenticationTypes.Sealing |
            AuthenticationTypes.Secure;
        // Binds with the application's service account, not with the user's own credentials.
        DirectoryEntry De = new DirectoryEntry(ADPath, ADUser, ADPassword, AuthTypes);
        DirectorySearcher Ds = new DirectorySearcher(De);
        SearchResult Sr;
        Ds.SearchScope = SearchScope.Subtree;
        // Note: userID is concatenated into the filter unescaped; LDAP filter
        // metacharacters in user input must be escaped before building the filter.
        Ds.Filter = "(&(objectclass=*)(cn=" + userID + "))";
        Sr = Ds.FindOne();
        if (!(Sr == null))
        {
            De = new DirectoryEntry(Sr.Path, ADUser, ADPassword, AuthTypes);
            return De;
        }
        else
        {
            return null;
        }
    }
}

3 Answers

  • 7

    If you only need to authenticate against AD and don't have to perform other AD-specific operations, why not stick with the built-in ActiveDirectoryMembershipProvider instead of writing custom code?

    Take a look at:

    http://msdn.microsoft.com/en-us/library/system.web.security.activedirectorymembershipprovider.aspx

  • 1

    http://msdn.microsoft.com/en-us/library/bb299745.aspx

    http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.aspx

    http://msdn.microsoft.com/en-us/magazine/cc135979.aspx

    using System.Diagnostics;
    using System.DirectoryServices.AccountManagement;

    public bool Validate(string username, string password)
    {
        // Example of an ADAM (AD LDS) context using a simple bind over SSL:
        //   PrincipalContext principalContext = new PrincipalContext(ContextType.ApplicationDirectory, "sea-dc-02.fabrikam.com:50001", "ou=ADAM Users,o=microsoft,c=us", ContextOptions.SecureSocketLayer | ContextOptions.SimpleBind, "CN=administrator,OU=ADAM Users,O=Microsoft,C=US", "P@55w0rd0987");

        try
        {
            // Domain context for the configured server and container; ValidateCredentials binds as the supplied user.
            using (PrincipalContext principalContext = new PrincipalContext(ContextType.Domain, Configuration.Config.ActiveDirectory.PrimaryServer, Configuration.Config.ActiveDirectory.Container, ContextOptions.Negotiate))
            {
                return principalContext.ValidateCredentials(username, password);
            }
        }
        catch (PrincipalServerDownException)
        {
            // Log which server and container could not be reached, then rethrow.
            Debug.WriteLine("PrimaryServer={0};Container={1}", Configuration.Config.ActiveDirectory.PrimaryServer, Configuration.Config.ActiveDirectory.Container);
            Debug.WriteLine("LDAP://{0}/{1}", Configuration.Config.ActiveDirectory.PrimaryServer, Configuration.Config.ActiveDirectory.Container);
            throw;
        }
    }
    
  • 2

    Creating a new DirectoryEntry with the password and using it with a DirectorySearcher will validate the password and throw an exception on failure. One important exception is a null/empty password. Most LDAP servers (AD included, I believe) will ignore the password argument if it is null or empty. So you should test for that first.

    Old MSDN sample
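Putting the second answer's ValidateCredentials approach together with the empty-password caveat in this answer, here is an added example (not code from the question or from any of the answers): it refuses to bind with an empty password and escapes user input before it is placed in a DirectorySearcher filter. The server and container names, and the class name AdLogin, are assumptions.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Text;

// Added example; not part of the question or the answers.
public static class AdLogin
{
    private const string DomainServer = "dc01.example.local";   // hypothetical
    private const string Container = "DC=example,DC=local";     // hypothetical

    // True only when the user supplied a non-empty password that the domain
    // controller accepted. An empty password must never reach the server:
    // an LDAP bind with an empty password is an anonymous bind, so the server
    // reports success without having verified the user at all.
    public static bool Validate(string username, string password)
    {
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return false;

        using (var ctx = new PrincipalContext(ContextType.Domain, DomainServer, Container))
        {
            // Binds as the user; the application's service account is not involved.
            return ctx.ValidateCredentials(username, password,
                ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing);
        }
    }

    // Escapes the characters RFC 4515 reserves in a filter assertion value, so a
    // user-supplied name cannot change the structure of a filter such as
    // "(cn=" + EscapeFilterValue(userID) + ")".
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }
}
```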
