Cannot get a .NET application to access AD groups across domains

Posted 2024-07-08 16:11:22


I have a .NET application distributed through ClickOnce. Security within the application is implemented through the WindowsPrincipal.IsInRole(GroupName) method using a set of groups as resources. This structure works well for us for users within the same domain as the groups. Unfortunately we now have users that need to use the application working on machines and using user accounts in a different domain that is trusted by our domain but is not in the same forest.

It seems that IsInRole() queries the AD ticket on the local machine for group membership. Unfortunately this ticket only contains domain-local groups for the domain of the machine and global and universal groups of other trusted domains; our groups are domain-local groups in the first domain. The catch-22 situation comes from the fact that AD does not allow foreign security principals in either global or universal groups, and therefore while such a group can be queried by the users in the second domain, they cannot be members of it (making it a little pointless!)

To explain:
There are two domains: DOM1 and DOM2 with a trust setup between them, but they are not in the same forest.

DOM1\User1
DOM2\User2  

are two users.

I would like to put both User1 and User2 in one group that is visible to both users and can contain them both.

The only way I can currently see around it is the following (where {} denotes the members of the groups, DL=Domain Local and GLO=GlobalGroup.)

Make two global groups one in each domain:

DOM1\GLOGroup1 : {DOM1\User1}  
DOM2\GLOGroup1 : {DOM2\User2}

and two domain-local groups containing the two global groups:

DOM1\DLGroup1 : {DOM1\GLOGroup1, DOM2\GLOGroup1}  
DOM2\DLGroup1 : {DOM1\GLOGroup1, DOM2\GLOGroup1}

But this isn't really acceptable as we actually have more than two domains and about 70 groups to administer including a hierarchy of groups and we don't have much direct control over the administration of groups in the other domains.

We haven't yet worked through any thinking on an approach using LDAP but from the little that I've read I believe it's not generally recommended for this purpose?


Comments (3)

糖粟与秋泊 2024-07-15 16:11:22


you might try using LDAP instead, but you'll have to know which LDAP server to query; see this answer for sample code

梨涡 2024-07-15 16:11:22


Shouldn't it be a universal group to allow users from multiple trusted domains?

The user account you are checking the AD with also needs to be able to read each of the AD group OUs.

Mauro

最笨的告白 2024-07-15 16:11:22


The documentation states (for the string overload):

The role can only be determined for
the domain of the current principal.

But it does not state that for the SecurityIdentifier overload. So probably it will work (have not tested it). You can get the SID with WMI. Examples are not to be found.
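As an added illustration of this answer (example code, not the poster's), the following C# resolves a group account name to its SID and calls the SecurityIdentifier overload of IsInRole, and also dumps the group SIDs present in the current logon token, which is what IsInRole() consults. The group name DOM1\DLGroup1 is taken from the question; whether its SID ever shows up in a DOM2 user's token is exactly what this check lets an administrator verify.

```csharp
using System;
using System.Linq;
using System.Security.Principal;

static class GroupCheck
{
    // Resolve "DOM1\DLGroup1" to its SID via account-name translation, then test
    // membership with the SecurityIdentifier overload instead of the string overload.
    public static bool IsInRoleBySid(WindowsPrincipal principal, string groupAccountName)
    {
        var sid = (SecurityIdentifier)new NTAccount(groupAccountName)
            .Translate(typeof(SecurityIdentifier));
        return principal.IsInRole(sid);
    }

    // The group SIDs actually carried in the logon token. IsInRole() is answered
    // from this list, so a group whose SID is absent here can never match.
    public static string[] TokenGroupSids(WindowsIdentity identity)
    {
        return identity.Groups?.Select(g => g.Value).ToArray() ?? Array.Empty<string>();
    }

    static void Main(string[] args)
    {
        var identity = WindowsIdentity.GetCurrent();
        var principal = new WindowsPrincipal(identity);
        // Group name from the question; pass another as the first argument to test it.
        string group = args.Length > 0 ? args[0] : @"DOM1\DLGroup1";

        Console.WriteLine($"User: {identity.Name}");
        foreach (var sid in TokenGroupSids(identity))
        {
            string name;
            try { name = new SecurityIdentifier(sid).Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { name = "<unresolvable from this machine>"; }
            Console.WriteLine($"  {sid}  {name}");
        }

        try
        {
            Console.WriteLine($"IsInRole(SID of {group}) = {IsInRoleBySid(principal, group)}");
        }
        catch (IdentityNotMappedException)
        {
            Console.WriteLine($"{group} could not be resolved to a SID from this machine");
        }
    }
}
```

Run it once as a DOM1 user and once as a DOM2 user on a DOM2 machine: if the DOM1 domain-local group's SID is missing from the second token dump, the SID overload will return false for the same reason the string overload does.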
