
How to know if the current Windows user is in an AD group by using LDAPS

In order to secure my C# WinForms application, I need to know if the user who is currently logged in (Windows 10) belongs to a group within the Active Directory. The following code is working, but I think it relies on LDAP and I need to do it through LDAPS.

```csharp
using System.Security.Principal;

// Returns true when the interactively logged-on Windows user holds the group in its token.
static bool CurrentUserIsInTestGroup()
{
    WindowsIdentity CurrentIdentity = WindowsIdentity.GetCurrent();
    WindowsPrincipal MyPrincipal = new WindowsPrincipal(CurrentIdentity);
    return MyPrincipal.IsInRole("TESTGROUP");
}
```

How can I achieve this without forcing the user to re-enter login/password within the application, whereas he has already logged in to Windows? Is it possible?

Thanx in advance

> How can I achieve this without forcing the user to re-enter login/password within the application, whereas he has already logged in to Windows? Is it possible?

Find an LDAP client library that supports either GSSAPI or GSS-SPNEGO authentication via SSPI (the Windows GSSAPI library).

> In order to secure my C# WinForms application, I need to know if the user who is currently logged in (Windows 10) belongs to a group within the Active Directory. The following code is working, but I think it relies on LDAP and I need to do it through LDAPS.

If it does, then it relies on Kerberos-protected LDAP. You probably don't need LDAPS on top of that. Active Directory LDAP and RPC communications are already secured in this way – they don't just use Kerberos for authentication, but for transport encryption as well (each Kerberos ticket carries an AES session key), and the nature of Kerberos ensures the server's identity in the same way as a TLS certificate would.

(Although it seems that the function actually uses not LDAP but the NETLOGON Secure Channel – the same one that Windows uses to retrieve the user's information during OS login.)

However, a client-side group check doesn't really secure the app itself. If you are worried about someone who's capable of faking the LDAP traffic – your C# WinForms application will be trivial to decompile and to remove any client-side restrictions (and to steal any embedded credentials that the app might use). The only real security comes from server-side checks (e.g. restricting database access via server-side ACLs).
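For readers who still want the check to go over LDAPS with the logged-on user's existing Windows session, the following is an added example (not code from the question, the answer, or any library's documentation). It uses the .NET `System.DirectoryServices.Protocols` API: `AuthType.Negotiate` hands the user's current Kerberos/NTLM context to the domain controller through SSPI, so no password is asked for, and `SecureSocketLayer = true` on port 636 puts TLS underneath. The domain controller host name, the port and the group name are assumptions for illustration; the user name is taken from the session. Nested group membership is resolved on the server with the Active Directory `LDAP_MATCHING_RULE_IN_CHAIN` extensible-match rule, and every value placed into a search filter is escaped per RFC 4515 so a crafted user or group name cannot change the filter's structure.

```csharp
// Added example: LDAPS bind with the logged-on user's Windows credentials (SSPI),
// followed by a nested AD group membership check. Not from the original post.
// Needs a reference to System.DirectoryServices.Protocols (NuGet package of the
// same name on .NET 5+; part of the framework on .NET Framework).
using System;
using System.DirectoryServices.Protocols;
using System.Text;

static class AdGroupCheck
{
    // Escape a value for use inside an LDAP search filter (RFC 4515).
    static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // First string value of an attribute, or null when the entry does not carry it.
    static string FirstStringAttribute(SearchResultEntry entry, string name)
    {
        DirectoryAttribute attr = entry.Attributes[name];
        if (attr == null || attr.Count == 0) return null;
        return (string)attr.GetValues(typeof(string))[0];
    }

    // True when the current Windows user is a direct or nested member of the group
    // whose sAMAccountName is groupSamName.
    public static bool CurrentUserIsInGroup(string domainController, string groupSamName)
    {
        var id = new LdapDirectoryIdentifier(domainController, 636); // LDAPS port (assumed)
        using (var conn = new LdapConnection(id))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.SecureSocketLayer = true;   // TLS from the first byte
            // VerifyServerCertificate is deliberately left unset: the default lets Windows
            // validate the DC certificate against its trusted roots. A callback that simply
            // returns true would silently turn LDAPS into an unauthenticated tunnel.
            conn.AuthType = AuthType.Negotiate;             // SSPI: Kerberos, NTLM fallback
            conn.Bind();                                    // no credential = logged-on user

            // rootDSE (null DN, base scope) tells us where the domain's objects live.
            var rootReq = new SearchRequest(null, "(objectClass=*)", SearchScope.Base, "defaultNamingContext");
            var rootResp = (SearchResponse)conn.SendRequest(rootReq);
            string baseDn = FirstStringAttribute(rootResp.Entries[0], "defaultNamingContext");

            // Resolve the group's distinguished name from its sAMAccountName.
            string groupFilter = "(&(objectClass=group)(sAMAccountName=" + EscapeFilterValue(groupSamName) + "))";
            var groupReq = new SearchRequest(baseDn, groupFilter, SearchScope.Subtree, "distinguishedName");
            var groupResp = (SearchResponse)conn.SendRequest(groupReq);
            if (groupResp.Entries.Count == 0) return false;   // unknown group: deny
            string groupDn = FirstStringAttribute(groupResp.Entries[0], "distinguishedName");

            // LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC walk
            // nested groups, so a transitive member is matched without client-side recursion.
            string userFilter = "(&(objectClass=user)(sAMAccountName=" + EscapeFilterValue(Environment.UserName) + ")"
                              + "(memberOf:1.2.840.113556.1.4.1941:=" + EscapeFilterValue(groupDn) + "))";
            var userReq = new SearchRequest(baseDn, userFilter, SearchScope.Subtree, "distinguishedName");
            var userResp = (SearchResponse)conn.SendRequest(userReq);
            return userResp.Entries.Count > 0;
        }
    }

    static void Main()
    {
        // Assumed values: the DC's FQDN must match the name in its TLS certificate.
        bool member = CurrentUserIsInGroup("dc01.example.local", "TESTGROUP");
        Console.WriteLine(member ? "member of TESTGROUP" : "not a member of TESTGROUP");
    }
}
```

Two design points follow the answer above. First, with `AuthType.Negotiate` the bind is already Kerberos-authenticated to a server whose identity the ticket vouches for, so the TLS layer is belt-and-braces rather than a substitute; if the application is ever pointed at a DC by a name not covered by its certificate, the connection fails rather than falling back to plaintext. Second, this remains a client-side check: it tells the application what the directory says, but anything the application then unlocks locally can still be unlocked by editing the binary, so the decision it feeds should ultimately be enforced by the server that holds the protected resource.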
