Authenticating a user against the Global Catalog
I need to authenticate a user's Windows credentials, given a userId, domain and password. Our Active Directory contains multiple domains, some of which we can list using the following code:
var domains = System.DirectoryServices.ActiveDirectory.Forest.GetCurrentForest().Domains;
However, we also have users that belong to domains outside the forest. They are, however, accessible to me from the Global Catalog (GC). The code below allows me to get a directory entry for a userId.
// Bind to the GC partition of the forest root (read-only copy of the partial attribute set)
System.DirectoryServices.DirectoryEntry globalCatalogDE = new System.DirectoryServices.DirectoryEntry("GC://DC=nsroot,DC=net");
var ds = new System.DirectoryServices.DirectorySearcher(globalCatalogDE);
// userId is concatenated into the filter as-is; filter metacharacters in it should be escaped (RFC 4515)
ds.Filter = "(&(objectClass=user)(sAMAccountName=" + userId + "))";
// FindAll()[0] throws when nothing matches; FindOne() returns null instead
System.DirectoryServices.SearchResult result = ds.FindOne();
System.DirectoryServices.DirectoryEntry userDE = result == null ? null : result.GetDirectoryEntry();
How do I authenticate a user that belongs to a domain I cannot directly access but is available to me in the GC?
You can't authenticate a user by looking in the Global Catalog; it's for searching only (any attribute marked with isMemberOfPartialAttributeSet in the schema for each domain is replicated to the GC). Passwords are not replicated to it; otherwise you would have the passwords of all users in the entire forest on each domain controller, which would be very bad from a security and replication standpoint. You need to establish a connection to the domain where the user's credentials are stored (i.e. you need access to LDAP ports 389 or 636).
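The answer's two-step flow in code, as an added example that is not part of the question or answer: the GC is used only to find which domain holds the account (from its distinguishedName), and the password is then verified by binding to that domain's own DCs. It assumes those DCs are reachable over LDAP/LDAPS and that the DN contains no escaped commas; GcThenDomainAuth and its methods are hypothetical names.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Linq;

static class GcThenDomainAuth
{
    // Step 1: use the GC only to discover which domain holds the account.
    // Returns that domain's DNS name (derived from the DN), or null if the user is not found.
    public static string FindUserDomain(string gcPath, string userId)
    {
        using (var gc = new DirectoryEntry(gcPath))
        using (var searcher = new DirectorySearcher(gc))
        {
            // Escape filter metacharacters so a crafted userId cannot change the LDAP filter.
            searcher.Filter = "(&(objectClass=user)(sAMAccountName=" + EscapeFilter(userId) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            SearchResult result = searcher.FindOne();
            if (result == null) return null;
            return DnToDomain((string)result.Properties["distinguishedName"][0]);
        }
    }

    // Step 2: bind to a DC of that domain (LDAP 389, or 636 for LDAPS) with the user's own
    // credentials. The GC never holds the password, so only this bind can verify it.
    public static bool ValidateCredentials(string domainDns, string userId, string password)
    {
        // Guard against the classic LDAP trap: an empty password can yield an anonymous bind that looks like success.
        if (string.IsNullOrEmpty(password)) return false;
        using (var ctx = new PrincipalContext(ContextType.Domain, domainDns))
        {
            return ctx.ValidateCredentials(userId, password,
                ContextOptions.Negotiate | ContextOptions.Sealing);
        }
    }

    // RFC 4515 escaping for a value placed inside an LDAP search filter (backslash first).
    public static string EscapeFilter(string value) =>
        value.Replace("\\", @"\5c").Replace("*", @"\2a").Replace("(", @"\28")
             .Replace(")", @"\29").Replace("\0", @"\00");

    // "CN=Jane,OU=Staff,DC=example,DC=net" -> "example.net" (assumes no escaped commas in the DN).
    public static string DnToDomain(string dn) =>
        string.Join(".", dn.Split(',').Select(p => p.Trim())
            .Where(p => p.StartsWith("DC=", StringComparison.OrdinalIgnoreCase))
            .Select(p => p.Substring(3)));
}
```

Usage follows the question's GC path: `var domain = GcThenDomainAuth.FindUserDomain("GC://DC=nsroot,DC=net", userId);` then `GcThenDomainAuth.ValidateCredentials(domain, userId, password)`, which returns false (rather than throwing) for a wrong password.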