How to validate user credentials if account is a member of AD Protected Users group?

In my C# application I need to check/validate user name and password in an Active Directory environment. There is a Domain Controller on Windows Server 2012 R2 or higher.

Some users are added to the AD Protected Users group. The API that is currently used does not work for such users.

For now, the only thing that seems to work is the LogonUser function. But it requires P/Invoke.

Is there a trick, a workaround or other API that I can use to validate user name and password for a user account that is a member of the AD Protected Users group?

I tried the following APIs with different options:

  • DirectoryEntry.NativeObject.
  • PrincipalContext.ValidateCredentials with different ContextOptions.

using System.DirectoryServices;                     // DirectoryEntry, AuthenticationTypes
using System.DirectoryServices.AccountManagement;   // PrincipalContext, ContextOptions

// Bind with the user's own credentials; reading NativeObject forces the bind to happen.
var de = new DirectoryEntry("LDAP://DomainController.lab", "test-user",
    "Test-user-password", AuthenticationTypes.Secure);
var bo = de.NativeObject;

// Same check through the AccountManagement API.
var context = new PrincipalContext(ContextType.Domain, "domain");
var res = context.ValidateCredentials("test-user", "test-user-password",
     ContextOptions.Negotiate);

DirectoryEntry.NativeObject throws DirectoryServicesCOMException (0x8007052E) "The user name or password is incorrect".

PrincipalContext.ValidateCredentials simply returns FALSE.
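As an added example, not code from the question or the answer: a credential check built on the LogonUser function the question says does work, with the P/Invoke it requires. It assumes a Windows host that can reach the domain, and treats only Win32 error 1326 (ERROR_LOGON_FAILURE, the low word of the 0x8007052E HRESULT quoted above) as a plain bad-credential result so that other failures are not silently reported as "wrong password".

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

// Added example: validate a domain user name/password with LogonUser.
// Assumes the process runs on a Windows machine that can reach a domain controller.
static class CredentialCheck
{
    const int LOGON32_LOGON_NETWORK = 3;      // no interactive session, no cached credentials
    const int LOGON32_PROVIDER_DEFAULT = 0;   // standard provider (Negotiate package)
    const int ERROR_LOGON_FAILURE = 1326;     // 0x52E: bad user name or password

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    // Returns true when the domain accepted the credentials, false when they were
    // rejected as wrong, and throws for any other failure (locked account, KDC
    // unreachable, disabled account, ...) so misconfiguration stays visible.
    public static bool Validate(string domain, string user, string password)
    {
        if (LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                      LOGON32_PROVIDER_DEFAULT, out SafeAccessTokenHandle token))
        {
            token.Dispose();   // only the yes/no answer is needed, not the token
            return true;
        }

        int err = Marshal.GetLastWin32Error();
        if (err == ERROR_LOGON_FAILURE)
            return false;
        throw new Win32Exception(err);
    }

    static void Main()
    {
        // Constructed sample input; replace with real domain, account and password.
        bool ok = Validate("DomainController.lab", "test-user", "test-user-password");
        Console.WriteLine(ok ? "credentials accepted" : "credentials rejected");
    }
}
```

The distinction between a false return and a thrown Win32Exception is what lets the caller tell a typo in the password apart from a Kerberos or connectivity problem of the kind the answer below goes on to troubleshoot.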

You didn't say what kind of application this is. If it's a web application, you're better off using Windows Authentication and letting Windows handle all of this.

If it's not a web app, then it'll be more tricky. The important part of the documentation for Protected Users is this:

Accounts that are members of the Protected Users group that authenticate to a Windows Server 2012 R2 domain are unable to:

  • Authenticate with NTLM authentication.

  • Use DES or RC4 encryption types in Kerberos pre-authentication.

The documentation for AuthenticationTypes.Secure says:

Active Directory Domain Services uses Kerberos, and possibly NTLM, to authenticate the client.

That "possibly NTLM" is a problem. It will attempt Kerberos first, and fall back to NTLM. But NTLM is guaranteed not to work.

I think you will have to troubleshoot Kerberos, which unfortunately gets complicated fast.

The easiest first step is to confirm that Kerberos is indeed failing by enabling Kerberos event logging (on the machine that you're running this code on): go to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters and add a LogLevel DWORD value with a value of 1. All Kerberos errors will now be logged to the System log in Event Viewer. See if you see errors there. (Set it to 0 to disable it later.)

If so, there are several articles out there that walk you through some form of Kerberos troubleshooting, if you search for them: https://www.google.com/search?q=troubleshoot+kerberos
