远程验证用户的凭据
我目前使用 LogonUser() 在办公室的本地域上验证用户的用户名和密码,它非常适合我需要它做的事情。
自从我开发了该应用程序以来,我现在需要让它通过我的 VPN 运行。看来 LogonUser() 不适用于远程验证凭据。或者会吗?是否可以使用 LogonUser() 验证远程域帐户上的用户凭据?
我在某些地方读到,使用 LOGON32_LOGON_NEW_CREDENTIALS 作为第四个参数(登录类型),使用 LOGON32_PROVIDER_WINNT50 作为第五个参数(提供程序)可以解决问题。但每次我尝试时,我总是会成功...我可以提供一个 bogas 用户并通过,它每次都会工作:(。
想法?
编辑 - 添加注释
尝试使用此功能,但我不断收到异常告诉我用户/密码很糟糕
public bool Win2kCredentialsIsValid(string domain, string username, string password)
{
string adPath = "LDAP://" + domain + "/rootDSE";
DirectoryEntry adRoot = new DirectoryEntry(adPath, domain + "\\" + username, password, AuthenticationTypes.ReadonlyServer);
try
{
object o = adRoot.Properties["defaultNamingContext"];
}
catch
{
return false;
}
return true;
}
-- 编辑 - 添加更多注释
好的,所以我尝试了另一个示例,只是为了让它工作并开始沿着这条路径走下去,有一些事情需要注意...
- MyServerHostName 正是我的服务器的主机名。例如:“服务器01”。
- 在本示例中,我的域名是“MyDomain.local”,
- 因此这使得我的 FQN 为服务器“Server01.MyDomain.local”,
我尝试完成此操作并收到以下错误...
提供的上下文类型与所联系的服务器不匹配。服务器类型是域。
出现错误: var context = new PrimaryContext(ContextType.ApplicationDirectory, "MyServerHostName:389", "DC=MyDomain,DC=local"))
private bool CheckADCredentials()
{
bool bResults;
using (var context = new PrincipalContext(ContextType.ApplicationDirectory,
"MyServerHostName:389",
"DC=MyDomain,DC=local"))
{
var username = "firstname.lastname";
var email = "firstname.lastname@MyServerHostName";
var password = "123456";
var user = new UserPrincipal(context)
{
Name = username,
EmailAddress = email
};
user.SetPassword(password);
user.Save();
if (context.ValidateCredentials(username, password, ContextOptions.SimpleBind))
{
bResults = true;
}
else
{
bResults = false;
}
user.Dispose();
}
return bResults;
}
I currently use LogonUser() to authenticate my user's username and password on my local domain at the office and it works great for what i need it to do.
Since I developed the app I now need to make it work over my VPN. It seems LogonUser() will not work with REMOTELY validating credentials. Or will it? Is it possible to use LogonUser() to validate a user's credentials on a REMOTE domain account?
I have read in some places that using LOGON32_LOGON_NEW_CREDENTIALS for the 4th param (login type) and LOGON32_PROVIDER_WINNT50 for the 5th param (provider) would do the trick. But every time I try that I ALWAYS get success... I can supply a bogas user and pass and it will work every time :(.
Ideas?
Edit - Added Notes
Tried to use this function but I kept getting the exception telling me the user/pass was bad.
public bool Win2kCredentialsIsValid(string domain, string username, string password)
{
string adPath = "LDAP://" + domain + "/rootDSE";
DirectoryEntry adRoot = new DirectoryEntry(adPath, domain + "\\" + username, password, AuthenticationTypes.ReadonlyServer);
try
{
object o = adRoot.Properties["defaultNamingContext"];
}
catch
{
return false;
}
return true;
}
--
Edit - Added More Notes
OK so I tried yet another example just to get it to work and started down this path, and there are a few things to note...
- MyServerHostName is exactly that, my server's hostname. EX: 'Server01'.
- My domain name in this example is 'MyDomain.local'
- So that makes my FQN for the server 'Server01.MyDomain.local'
I tried to make this work and got the following error...
The supplied context type does not match the server contacted. The server type is Domain.
This errored out at : var context = new PrincipalContext(ContextType.ApplicationDirectory, "MyServerHostName:389", "DC=MyDomain,DC=local"))
private bool CheckADCredentials()
{
bool bResults;
using (var context = new PrincipalContext(ContextType.ApplicationDirectory,
"MyServerHostName:389",
"DC=MyDomain,DC=local"))
{
var username = "firstname.lastname";
var email = "firstname.lastname@MyServerHostName";
var password = "123456";
var user = new UserPrincipal(context)
{
Name = username,
EmailAddress = email
};
user.SetPassword(password);
user.Save();
if (context.ValidateCredentials(username, password, ContextOptions.SimpleBind))
{
bResults = true;
}
else
{
bResults = false;
}
user.Dispose();
}
return bResults;
}
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我最终采用了不同的解决方案。我没有尝试验证我的 PC 未连接到的域上的用户帐户,而是将我的域凭据缓存在数据库中,并构建了一个加盐 MD5 类型的加密函数,这样对于某人来说这会变得很困难。破解它。 ;)
现在,我只需在远程工作时验证数据库中缓存的凭据...它只要求用户首先登录域,然后用户可以日夜远程使用它。 ;)
谢谢!
I ended up going with a different solution. Instead of trying to validate a user's account on a domain that my PC was not connected to I ended up caching my domain credentials in the database and just built a salted MD5 type encrypt function so it would make it hard .. er.. for someone to crack it. ;)
Now I just validate against cached credentials in the database when working remotely... It just required the user to first login on the domain but then the user can use it remotely day and night. ;)
Thanks!