堆栈内存溢出
  简体   繁体   English

如何在 dotnetcore 中对不属于域用户的用户进行身份验证?

[英]How can I authenticate a user that does not belong to Domain Users in dotnetcore?

 原文  2020-03-05 19:59:38       c#/ active-directory/ ldap

问题描述

For security and management reasons, we are creating user entries in a separate container, adding them to a separate group, making that group primary, and then removing them from the Domain Users group.出于安全和管理原因,我们在单独的容器中创建用户条目,将它们添加到单独的组,使该组成为主要组,然后将它们从域用户组中删除。 I have these steps all working, but now I can't find a way to authenticate them.我有这些步骤都可以工作,但现在我找不到验证它们的方法。 I don't know if it's the classes I'm using or my arguments, or what.我不知道是我正在使用的课程还是我的论点,还是什么。

Assuming:假设:

AD_server = fully.qualified.domain
container = OU=My Users,OU=Accounts,DC=fully,DC=qualified,DC=domain
group = CN=App Users,OU=Software,DC=fully,DC=qualified,DC=domain
user = CN=Example,OU=Software,DC=fully,DC=qualified,DC=domain
sAMAccountName = Example
userPrincipalName = Example@MyUsers.fully.qualified.domain

I've tried我试过了

new LdapConnection(
  new LdapDirectoryIdentifier(AD_server)
).Bind(
  new NetworkCredential(userPrincipalName,password)
)

new LdapConnection(
  new LdapDirectoryIdentifier(AD_server)
).Bind(
  new NetworkCredential(sAMAccountName,password)
)

new DirectoryEntry(
  "LDAP://"+AD_server+"/"+container,
  sAMAccountName,
  password
)

new DirectoryEntry(
  "LDAP://"+AD_server+"/"+container,
  userPrincipalName ,
  password
)

new DirectoryEntry(
  "LDAP://"+AD_server+"/"+group,
  sAMAccountName,
  password
)

new DirectoryEntry(
  "LDAP://"+AD_server+"/"+group,
  userPrincipalName ,
  password
)

new DirectoryEntry(
  "LDAP://"+AD_server+"/"+group,
  user,
  password
)

I've also tried using the PrincipalContext.ValidateCredentials() method without success.我也试过使用 PrincipalContext.ValidateCredentials() 方法但没有成功。

During creation:创建过程中:

this.principalContext = new PrincipalContext(ContextType.Domain,
  AD_server, // serves as domain and AD server
  container,
  adminUser,
  adminPassword);

The admin credentials have permissions to make changes to the domain.管理员凭据有权更改域。 To create a user (starts with a transfer object):创建用户(从传输对象开始):

UserPrincipal userPrincipal =
    UserPrincipal.FindByIdentity(principalContext, user.UserId + upnSuffix);
if (null == userPrincipal)
{
    userPrincipal = new UserPrincipal(principalContext)
    {
        SamAccountName = user.UserId,
        DisplayName = user.FullName,
        GivenName = user.FirstName,
        Surname = user.LastName,
        EmailAddress = user.Email,
        UserPrincipalName = user.UserId + upnSuffix,
        PasswordNeverExpires = true
    };
    //create user
    userPrincipal.Save();
}
return userPrincipal;

Set password: userPrincipal.SetPassword(password);设置密码: userPrincipal.SetPassword(password);

1 个解决方案

解决方案1
 1 已采纳  2020-03-06 13:19:02

If you want to make extra sure that your authentication code is not the problem (I suspect it's not), you can try authenticating directly in Windows - either log into Windows with that account, or use runas at the command line:如果您想进一步确保您的身份验证代码不是问题(我怀疑不是),您可以尝试直接在 Windows 中进行身份验证 - 使用该帐户登录 Windows,或在命令行中使用runas

runas /user:DOMAIN\username cmd

I suspect you'll have the same problem, which would mean there is an issue with the way the account is being created.我怀疑您会遇到同样的问题,这意味着创建帐户的方式存在问题。 I haven't created accounts with UserPrincipal (I have with DirectoryEntry ), but I noticed a difference between what you're doing (creating the account and then setting the password) and other examples online.我没有使用UserPrincipal创建帐户(我使用DirectoryEntry创建了帐户),但我注意到您所做的(创建帐户然后设置密码)与其他在线示例之间存在差异。 You can try either:您可以尝试:

  1. Move userPrincipal.SetPassword(password) to before userPrincipal.Save() , oruserPrincipal.SetPassword(password)移到userPrincipal.Save()之前,或
  2. Use the constructor that accepts the password so that it sets the password while creating the account:使用接受密码构造函数,以便在创建帐户时设置密码:
userPrincipal = new UserPrincipal(principalContext, user.UserId, password, true)
{
    DisplayName = user.FullName,
    GivenName = user.FirstName,
    Surname = user.LastName,
    EmailAddress = user.Email,
    UserPrincipalName = user.UserId + upnSuffix,
    PasswordNeverExpires = true
};
//create user
userPrincipal.Save();

See if that makes any difference.看看这是否有什么不同。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何验证域? - How can I authenticate to a domain? 如何认证用户? - How can I authenticate a user? 如何验证SharePoint用户凭据 - How can I authenticate SharePoint user credentials 如何验证用户到他们自己的谷歌驱动器帐户? - How can I authenticate users to their own google drive account? 如何注册将验证域用户的 HttpClient - How to register HttpClient that will authenticate domain user 如何使用来自WebAPI的域的用户对WebAPI上不同计算机上的客户端进行身份验证? - how can authenticate a client on a different machine on a WebAPI with a user from WebAPI's domain? 无法验证来自域\\用户组的用户 - Unable to Authenticate Users From Domain\Users Group 如何创建不属于任何组的本地用户帐户? - How to create a local user account that does not belong to any group? 如何在ASP.NET MVC身份验证中创建和验证用户? - How can I create and authenticate users in asp.net mvc authentication? 如何创建用于身份验证的 Windows 服务,自定义 Web 应用程序可使用该服务对 AD 用户进行身份验证? - How do I create a windows service for authentication that custom web applications can use to authenticate AD users?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM