[英]How can I authenticate a user that does not belong to Domain Users in dotnetcore?
For security and management reasons, we are creating user entries in a separate container, adding them to a separate group, making that group primary, and then removing them from the Domain Users group.出于安全和管理原因,我们在单独的容器中创建用户条目,将它们添加到单独的组,使该组成为主要组,然后将它们从域用户组中删除。 I have these steps all working, but now I can't find a way to authenticate them.
我有这些步骤都可以工作,但现在我找不到验证它们的方法。 I don't know if it's the classes I'm using or my arguments, or what.
我不知道是我正在使用的课程还是我的论点,还是什么。
Assuming:假设:
AD_server = fully.qualified.domain
container = OU=My Users,OU=Accounts,DC=fully,DC=qualified,DC=domain
group = CN=App Users,OU=Software,DC=fully,DC=qualified,DC=domain
user = CN=Example,OU=Software,DC=fully,DC=qualified,DC=domain
sAMAccountName = Example
userPrincipalName = Example@MyUsers.fully.qualified.domain
I've tried我试过了
new LdapConnection(
new LdapDirectoryIdentifier(AD_server)
).Bind(
new NetworkCredential(userPrincipalName,password)
)
new LdapConnection(
new LdapDirectoryIdentifier(AD_server)
).Bind(
new NetworkCredential(sAMAccountName,password)
)
new DirectoryEntry(
"LDAP://"+AD_server+"/"+container,
sAMAccountName,
password
)
new DirectoryEntry(
"LDAP://"+AD_server+"/"+container,
userPrincipalName ,
password
)
new DirectoryEntry(
"LDAP://"+AD_server+"/"+group,
sAMAccountName,
password
)
new DirectoryEntry(
"LDAP://"+AD_server+"/"+group,
userPrincipalName ,
password
)
new DirectoryEntry(
"LDAP://"+AD_server+"/"+group,
user,
password
)
I've also tried using the PrincipalContext.ValidateCredentials() method without success.我也试过使用 PrincipalContext.ValidateCredentials() 方法但没有成功。
During creation:创建过程中:
this.principalContext = new PrincipalContext(ContextType.Domain,
AD_server, // serves as domain and AD server
container,
adminUser,
adminPassword);
The admin credentials have permissions to make changes to the domain.管理员凭据有权更改域。 To create a user (starts with a transfer object):
创建用户(从传输对象开始):
UserPrincipal userPrincipal =
UserPrincipal.FindByIdentity(principalContext, user.UserId + upnSuffix);
if (null == userPrincipal)
{
userPrincipal = new UserPrincipal(principalContext)
{
SamAccountName = user.UserId,
DisplayName = user.FullName,
GivenName = user.FirstName,
Surname = user.LastName,
EmailAddress = user.Email,
UserPrincipalName = user.UserId + upnSuffix,
PasswordNeverExpires = true
};
//create user
userPrincipal.Save();
}
return userPrincipal;
Set password: userPrincipal.SetPassword(password);
设置密码:
userPrincipal.SetPassword(password);
If you want to make extra sure that your authentication code is not the problem (I suspect it's not), you can try authenticating directly in Windows - either log into Windows with that account, or use runas
at the command line:如果您想进一步确保您的身份验证代码不是问题(我怀疑不是),您可以尝试直接在 Windows 中进行身份验证 - 使用该帐户登录 Windows,或在命令行中使用
runas
:
runas /user:DOMAIN\username cmd
I suspect you'll have the same problem, which would mean there is an issue with the way the account is being created.我怀疑您会遇到同样的问题,这意味着创建帐户的方式存在问题。 I haven't created accounts with
UserPrincipal
(I have with DirectoryEntry
), but I noticed a difference between what you're doing (creating the account and then setting the password) and other examples online.我没有使用
UserPrincipal
创建帐户(我使用DirectoryEntry
创建了帐户),但我注意到您所做的(创建帐户然后设置密码)与其他在线示例之间存在差异。 You can try either:您可以尝试:
userPrincipal.SetPassword(password)
to before userPrincipal.Save()
, oruserPrincipal.SetPassword(password)
移到userPrincipal.Save()
之前,或userPrincipal = new UserPrincipal(principalContext, user.UserId, password, true)
{
DisplayName = user.FullName,
GivenName = user.FirstName,
Surname = user.LastName,
EmailAddress = user.Email,
UserPrincipalName = user.UserId + upnSuffix,
PasswordNeverExpires = true
};
//create user
userPrincipal.Save();
See if that makes any difference.看看这是否有什么不同。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.