C# 在自定义应用程序中提供不同类型的身份验证
我正在用 C# 构建一个客户端应用程序,其中包含基于数据库的授权系统。
身份验证是通过如下接口进行抽象的:
public interface IAuthorizationRequest {
bool IsUserValid(string userName, string password);
}
我了解如何使用 C# 来查询 Active Directory,但想知道如何将用户的 Active Directory 帐户关联到我已经提供的数据库身份验证系统。如果用户希望将其身份验证与其 Active Directory 系统集成,而不是使用我的内置身份验证,我该如何提供此功能?
另外,我假设我仍然需要用户数据库来存储首选项和个人资料信息。它们是否是某种唯一的 Active Directory 标识符,我可以使用 C# 检索该标识符以将用户帐户与 Active Directory 帐户绑定?
或多或少将 Active Directory 用户导入应用程序并创建与相应 Active Directory 条目绑定的本地应用程序用户帐户是否被认为是正确的?
我一直在网上寻找这个答案,但问题似乎是我真的不知道如何提出我要问的问题。
注意:我不打算使用 ASP.NET 身份验证提供程序,因为这是一个具有集中式数据库服务器的客户端应用程序。
我一直在研究 WIF(Windows Identity Foundation),但不确定这是否是最好的方法。
提前致谢!
I am building a client side application in C# that contains an authorization system based on a database.
The authentication is abstracted through an interface like:
public interface IAuthorizationRequest {
bool IsUserValid(string userName, string password);
}
I understand how to use C# to query active directory, but was wondering how I would associate the active directory account for a user to the database authentication system I already provide. If a user would like to integrate their authentication with their Active Directory system instead of using my built in authentication how can I provide this?
Also, I assume I'd still need the database of users in order to store preferences and profile information. Is their some sort of unique Active Directory identifier that I can retrieve using C# to tie the user account to the Active Directory account?
Is it considered proper to more or less import the Active Directory users into the application and create local application user accounts tied to the corresponding Active Directory entry?
I have been scouring the web for this answer but the issue seems that I don't really know how to formulate the question that I am asking.
Note: I am not looking to use ASP.NET authentication providers because this is a client side application with a centralized database server.
I have been looking into WIF (Windows Identity Foundation) but wasn't sure if this was the best approach.
Thanks in advance!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我会将 AD 用户名放入您的用户表中,正如 @Wiktor 所提到的,我会尝试使用依赖注入来选择为给定用户采用哪种身份验证模型(假设用户直接选择要使用的模型,例如单选按钮或下拉菜单)。
I would put the AD user name into your user table, as mentioned by @Wiktor, and I would try using Dependency Injection to choose which authentication model to employ for a given user (assuming the user is directly choosing which model to use, say from radio buttons or dropdown).
WIF 可以帮助您构建 Web 应用程序,但似乎这不是您的选择。
如果我理解正确的话,您正在构建 Windows 应用程序?如果是这样,为什么不坚持使用集成身份验证呢?您的用户不必登录应用程序,因为他们已经通过操作系统的身份验证。您只需使用
WindowsIdentity.GetCurrent().Name请求当前用户的凭据即可。如果无法选择集成身份验证,您仍然可以使用 AD,此链接可以帮助您入门:
http://www.codeproject.com/KB/system/everythingInAD.aspx
最后一件事 - 是的,您必须以某种方式将 AD 属性之一分配给您的用户表,以便每当 AD 用户登录您的应用程序,您可以识别他/她在您的数据库中。可以选择提前导入帐户,或者您可以“即时”创建帐户。但是,如果用户已存在于您的数据库中,并且 AD 集成只是另一种形式的身份验证,您可以要求您的用户使用现有凭据(存储在数据库中)进行登录,询问他们的 AD 身份以及两个身份验证源是否均已成功验证,您可以将AD中的信息合并到用户记录中。
WIF would help you to build web applications but it seems that it is not your choice.
If I understand correctly, you are building a Windows application? If this is so, why don't you stick with integrated authentication? Your users don't have to log into the application as they are already authenticated by the operating system. You can just ask for the current user's credentials with
WindowsIdentity.GetCurrent().Name.If integrated authentication is not an option, you still can work with the AD, this link could get you started:
http://www.codeproject.com/KB/system/everythingInAD.aspx
And the last thing - yes, you have to somehow assign one of the AD attributes to your user table so that whenever the AD user logs into your application, you can identify him/her in your database. Importing accounts in advance could be an option or you can create accounts "on the fly". If however, users are already present in your database and the AD integration is just another form of authentication, you can ask your users to log using existing credentials (stored in your database), ask for their AD identity and if both authentication sources validate succesfully, you can merge the information from the AD into the user record.