通过 NTLM 模拟用户

发布于 2024-07-29 19:00:59 字数 545 浏览 2 评论 0原文

我有一个内部应用程序，有两个安全级别。用于面向客户端的应用程序的 FormsAuthentication 和用于管理界面的 NTLM 集成身份验证。

我可以通过使用 FormsAuthentication 类的方法创建正确的 .ASPXAUTH cookie 来轻松模拟客户端。然而，到目前为止，为 NTLM 生成 HTTP 身份验证标头超出了我的能力范围。

当我发现这篇文章时，我满怀希望 (http://msdn. microsoft.com/en-us/library/ms998358.aspx#paght000025_usingimpersonation），但后来我意识到它只是创建一个上下文来在请求期间运行代码。我想切换整个会话，使服务器认为我正在使用另一个域登录。我对我的帐户拥有管理权限，因此这不是为了搞砸或窃取域密码。

有可能吗？谢谢。

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

无敌元气妹 2024-08-05 19:00:59

假设您有启用表单身份验证的 ASP.NET 应用程序，其中包含登录表单 login.aspx，并且您的用户存储在数据库中。现在您希望同时支持表单和 Windows 身份验证。这就是我所做的：

对于表单身份验证，我使用 SQL DB 和用户表。我向该表添加名为 WindowsUserName 的新列，其中我将以 COMPUTER\User 形式保存 Windows 用户名在

private void ActivateWindowsLogin()
{
    Response.StatusCode = 401;
    Response.StatusDescription = "Unauthorized";
    Response.End();
}

在某处我有一个类似的链接Admin

在login.aspx Page_Load中我添加了：

if (Request.QueryString["use"] == "windows")
{
    var windowsuser = Request.ServerVariables["LOGON_USER"];
    if (windowsuser.Length == 0)
        ActivateWindowsLogin();
    else
    {
        // get userId from DB for Windows user that was authenticated by IIS
        // I use userId in .ASPXAUTH cookie
        var userId = GetUserIdForWindowsUser(windowsuser);
        if (userId > 0) //user found
        {
            // here we get User object to check roles or other stuff
            var user = GetApplicationUser(userId);
            // perform additional checks here and call ActivateWindowsLogin()
            // to show login again or redirect to access denied page.
            // If everythig is OK, set cookie and redirect
            FormsAuthentication.SetAuthCookie(userId.ToString(), false);
            Response.Redirect(FormsAuthentication.GetRedirectUrl(userId.ToString(), false), true);
        }
        else //user not found
            ActivateWindowsLogin();
    }
}
else
{
    //your Forms auth routine
}

GetUserIdForWindowsUser 和 GetApplicationUser 是我的方法，仅供示例。

Let say you have Forms authentication enabled ASP.NET app with login form login.aspx and your users are stored in DB. Now you'd like to support both, Forms and Windows authentication. That's what I do:

For forms auth I use SQL DB with, let say, Users table. I add to this table new column named WindowsUserName in which I'll save Windows user's name in form COMPUTER\User

In login.aspx form I add a method, which will send a response that will shows login window:

private void ActivateWindowsLogin()
{
    Response.StatusCode = 401;
    Response.StatusDescription = "Unauthorized";
    Response.End();
}

Somewhere I have a link like <a href="login.aspx?use=windows">Admin</a>

In login.aspx Page_Load I have added:

if (Request.QueryString["use"] == "windows")
{
    var windowsuser = Request.ServerVariables["LOGON_USER"];
    if (windowsuser.Length == 0)
        ActivateWindowsLogin();
    else
    {
        // get userId from DB for Windows user that was authenticated by IIS
        // I use userId in .ASPXAUTH cookie
        var userId = GetUserIdForWindowsUser(windowsuser);
        if (userId > 0) //user found
        {
            // here we get User object to check roles or other stuff
            var user = GetApplicationUser(userId);
            // perform additional checks here and call ActivateWindowsLogin()
            // to show login again or redirect to access denied page.
            // If everythig is OK, set cookie and redirect
            FormsAuthentication.SetAuthCookie(userId.ToString(), false);
            Response.Redirect(FormsAuthentication.GetRedirectUrl(userId.ToString(), false), true);
        }
        else //user not found
            ActivateWindowsLogin();
    }
}
else
{
    //your Forms auth routine
}

GetUserIdForWindowsUser and GetApplicationUser are my methods just for sample.

回复收藏 0 原文

~没有更多了~