[英]PrincipalContext ValidateCredentials fails for some users when used in a Web API
[英]PrincipalContext.ValidateCredentials fails for some users?
我有以下代码:
public void AuthenticateActiveDirectoryAccount(string username, string password)
{
PrincipalContext context;
var envSettings = _settingsService.GetGlobalSetting<EnvironmentSettings>().Props;
string ADServer = envSettings.ActiveDirectory.ServerURI;
string ADUserName = envSettings.ActiveDirectory.Username;
string ADUserPassword = envSettings.ActiveDirectory.Password;
string account = null;
account = username.ToLower();
if (ADUserName.Length > 0)
context = new PrincipalContext(ContextType.Domain, ADServer, ADUserName, ADUserPassword);
else
context = new PrincipalContext(ContextType.Domain, ADServer);
using (context)
{
if (!context.ValidateCredentials(account, password))
{
throw new Exception();
}
}
}
这对大多数用户都很有效,但有些用户会遇到以下异常:
服务器不处理目录请求:System.DirectoryServices.Protocols.ErrorChecking.CheckAndSetLdapError(Int32 error)\\r\\n vid System.DirectoryServices.Protocols.LdapSessionOptions.FastConcurrentBind()\\r\\n vid System.DirectoryServices.AccountManagement.CredentialValidator。 BindLdap(NetworkCredential creds, ContextOptions contextOptions)\\r\\n vid System.DirectoryServices.AccountManagement.CredentialValidator.Validate(String userName, String password)\\r\\n vid System.DirectoryServices.AccountManagement.PrincipalContext.ValidateCredentials(String userName, String password)
首先,我认为失败的用户没有调用 AD 的权限,但我确定 AdServer、AdUserName 和 AdUserPassword 设置为应该具有访问权限的全局 AD 帐户。
为什么有些用户会收到此异常?
将 ValidateCredentials 更改为此可以解决问题:
context.ValidateCredentials(account, password, ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing)
然而,这可能仍然是 Active Directory 帐户的安全问题。
如果没有域但工作组,它将与
context.ValidateCredentials(account, password, ContextOptions.Negotiate)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.