pbootcms网站模板|日韩1区2区|织梦模板||网站源码|日韩1区2区|jquery建站特效-html5模板网

Validate users of Remote Active Directory in C#


Problem description


I try to authenticate users belonging to remote ActiveDirectory from my machine, which is not the same domain as the current machine or user domain. There will be no trust between my machine and remote ActiveDirectory machine.

Initial Try

I tried to authenticate a user (input: sAMAccountName, the machine's IP address, the machine's domain username ("Administrator") and the machine's password (***)). I was able to get the result that the user with 'sAMAccountName' does exist in ActiveDirectory.

My Requirement:

  1. Imagine that a user ("qwerty") has already been created in ActiveDirectory

  2. From my local machine, I will have the following information,

    a. Remote ActiveDirectory IP address

    b. Remote ActiveDirectory machine's username and password.

    c. Username and password of User "qwerty"

  3. I need to check whether User "qwerty" is present in the remote ActiveDirectory's users list and validate whether the password entered is the same as in ActiveDirectory's users list

Code I tried:

        bool isValid = false;

        // Bind to the remote domain with the supplied credentials and look the account up.
        using (DirectoryEntry entry = new DirectoryEntry("LDAP://ipaddress/DC=dinesh,DC=com", name, password))
        using (DirectorySearcher searcher = new DirectorySearcher(entry))
        {
            searcher.Filter = "(sAMAccountName=" + name + ")";

            try
            {
                // FindOne returns null when no object matches the filter.
                SearchResult adsSearchResult = searcher.FindOne();
                isValid = adsSearchResult != null;
            }
            catch (Exception)
            {
                // The bind or search failed (bad credentials, unreachable server, ...).
                isValid = false;
            }
        }

Do I need to create a trust between the local machine and the remote ActiveDirectory machine before validating users in a remote ActiveDirectory? If yes, please tell me how it can be done.

After creating trust, how can I validate Users?

===========================================================================

I am able to use the solution suggested by Rainer, but I have a new problem. When I create a new user via C# code from a different machine, some properties are not set properly.

Do these need to be set compulsorily while creating a user?

Solution

First some basics (independent of this question)

Authentication

The system checks if Bob is really Bob. In an Active Directory environment, this is usually done with a domain login from the workstation: Bob enters his username and password, and he gets a Kerberos ticket. Later, if he wants to access e.g. a file share on a remote file server, he does not need to log in anymore, and can access the files without entering a username/password.

Authorization

The system checks which resources Bob is allowed to access. Usually Bob is in domain groups, and a group is in the ACL (access control list) of the resource.

If there are multiple trusting domains, Bob needs to log in to one domain, and can access resources in all the other domains. This is one of the main reasons for using Active Directory: single sign-on.

Checking if user / password is valid

If you have a username and password and want to check if the password is valid, you have to do a login to the domain. There is no way of just "checking if the password is correct". Login means: if there is a security policy "lock account if more than 3 invalid logins", the account will be locked out when checking with a wrong password, even if you "only want to check the user+password".

Using .NET Directory Service functions

I assume here that the process is either run by a human account as a normal program, or the program is a Windows service or a scheduled task which runs under a domain "technical user" account. In this case, you do not need to provide credentials for using the AD functions. If accessing other trusting AD domains, this is also true. If you want to log in to a "foreign domain", and there is no trust, you need to provide a username+password (as in your code).

"Manually" authenticating a user

Normally, this should not be needed. Example: ASP.NET intranet usage. The user accesses a web application on the current domain or a trusting domain; the authentication is done "in the background" by the browser and IIS (if integrated Windows authentication is on). So you never need to handle user passwords in the application.

I don’t see many use cases where a password is handled by code.

One may think that your program is a helper tool for storing emergency user accounts/passwords, and you want to check periodically if these accounts are valid.

This is a simple way to check:

using System.DirectoryServices.AccountManagement;
...

PrincipalContext principalContext = 
     new PrincipalContext(ContextType.Domain, "192.168.1.1");

bool userValid = principalContext.ValidateCredentials(name, password);

One can also use the older, raw ADSI functions:

using System.DirectoryServices;
....

bool userOk = false;
string realName = string.Empty;

using (DirectoryEntry directoryEntry = 
   new DirectoryEntry("LDAP://192.168.1.1/DC=ad,DC=local", name, password))
{
    using (DirectorySearcher searcher = new DirectorySearcher(directoryEntry))
    {
        searcher.Filter = "(samaccountname=" + name + ")";
        searcher.PropertiesToLoad.Add("displayname");

        SearchResult adsSearchResult = searcher.FindOne();

        if (adsSearchResult != null)
        {
            if (adsSearchResult.Properties["displayname"].Count == 1)
            {   
                realName = (string)adsSearchResult.Properties["displayname"][0];
            }
            userOk = true;
        }
    }
}   

If your real requirement is actually a validity check of user+password, you can do it in one of these ways.

However, if it is a "normal application", which just wants to check if the entered credentials are valid, you should rethink your logic. In this case, you should rather rely on the single sign-on capabilities of AD.

If there are further questions, please comment.

    b. Remote ActiveDirectory machine's username and password.

This sounds a bit unclear. I assume you mean "a username and corresponding password in the remote domain".

There is also the concept of a machine account, which is the hostname appended with $. But that's another topic.


Creating new user

Option 1

using (DirectoryEntry directoryEntry = new DirectoryEntry("LDAP://192.168.1.1/CN=Users,DC=ad,DC=local", 
        name, password))
{
    using (DirectoryEntry newUser = directoryEntry.Children.Add("CN=CharlesBarker", "user"))
    {
        newUser.Properties["sAMAccountName"].Value = "CharlesBarker";
        newUser.Properties["givenName"].Value = "Charles";
        newUser.Properties["sn"].Value = "Barker";
        newUser.Properties["displayName"].Value = "CharlesBarker";
        newUser.Properties["userPrincipalName"].Value = "CharlesBarker";
        newUser.CommitChanges();
    }
}

Option 2

using (PrincipalContext principalContext = new PrincipalContext(ContextType.Domain, "192.168.1.1", 
    "CN=Users,DC=ad,DC=local", name, password))
{
    using (UserPrincipal userPrincipal = new UserPrincipal(principalContext))
    {
        userPrincipal.Name = "CharlesBarker";
        userPrincipal.SamAccountName = "CharlesBarker";
        userPrincipal.GivenName = "Charles";
        userPrincipal.Surname = "Barker";
        userPrincipal.DisplayName = "CharlesBarker";
        userPrincipal.UserPrincipalName = "CharlesBarker";
        userPrincipal.Save();
    }
}

I leave as an exercise to you to find out which attribute goes into which User dialog entry field :-)
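As an added example (the editor's, not code from the answer): the answer's raw ADSI check with the filter value escaped per RFC 4515, so a name containing filter metacharacters cannot rewrite the query, and with the bind forced before the search, so a rejected password yields false instead of an exception from FindOne. The LDAP path, 192.168.1.1 and ad.local are the answer's placeholders; ldapPath would be e.g. "LDAP://192.168.1.1/DC=ad,DC=local".

```csharp
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Text;

// Editor's added example, not code from the answer. It assumes the answer's placeholder
// DC 192.168.1.1 for ad.local, reached without a trust, so the bind uses the
// credentials being checked (as in the answer's ADSI snippet).
static class RemoteAdCheck
{
    // RFC 4515 escaping for a value placed inside an LDAP search filter. With the
    // answer's plain concatenation, a name containing * ( ) \ or NUL rewrites the filter.
    public static string EscapeFilterValue(string value)
    {
        const string special = "\\*()\0";
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            // e.g. '*' -> "\2a", '(' -> "\28"; everything else is copied as-is
            sb.Append(special.IndexOf(c) < 0 ? c.ToString() : "\\" + ((int)c).ToString("x2"));
        }
        return sb.ToString();
    }

    // Binds to the remote DC with the user's own credentials (a real logon, so a wrong
    // password counts toward the lockout policy the answer warns about), then looks the
    // account up. Returns true only if the bind succeeds and a matching user exists.
    public static bool ValidateRemoteUser(string ldapPath, string name, string password, out string displayName)
    {
        displayName = null;
        try
        {
            using (var entry = new DirectoryEntry(ldapPath, name, password, AuthenticationTypes.Secure))
            using (var searcher = new DirectorySearcher(entry))
            {
                object bindCheck = entry.NativeObject;   // forces the bind; throws if the credentials are rejected
                searcher.Filter = "(&(objectCategory=person)(sAMAccountName=" + EscapeFilterValue(name) + "))";
                searcher.PropertiesToLoad.Add("displayName");
                SearchResult result = searcher.FindOne();
                if (result == null) return false;
                if (result.Properties["displayName"].Count == 1)
                    displayName = (string)result.Properties["displayName"][0];
                return true;
            }
        }
        catch (COMException)   // rejected credentials, unreachable DC or failed referral
        {
            return false;
        }
    }
}
```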
