问题
I am writing a ClickOnce WPF app that will sometimes be used over VPN. The app uses resources available only to domain authenticated users. Some of the things include accessing SSRS Reports, accessing LDAP to lookup user information, hitting web services, etc.
When a user logs in from a machine that is not authenticated on the domain, I need to somehow get his credentials, authenticate him on the domain, and store his credentials.
- What is the recommended approach for authenticating domain users over VPN?
- How can I securely store the credentials?
I've found several articles but, not much posted recently and a lot of the solutions seem kinda hacky, or aren't very secure (ie - storing strings clear text in memory).
It would be cool if I could use the ActiveDicrtoryMembershipProvider, but that seems to be geared for use in web apps.
EDIT: The above is kind of a workaround. The user must enter their domain credentials to authenticate on the VPN. It would be ideal to access the credentials the user has already entered to login to the VPN instead of the WindowsIdentity.GetCurrent() (which returns the user logged into the computer). Any ideas on how that could work? We use Juniper Networks to connect to the VPN.
Answer I ended up doing basically what was suggested in the link below. When the app starts, I'll detect whether the user is on the domain. If so, I'll use those credentials when calling services. If the user is on the VPN (but not on a domain authenticated machine), I prompt for the user's credentials and authenticate via System.DirectoryServices. If the user gives valid credentials I'll store the domain, user and password in a SecureString. The app then uses that information to create credentials to pass to various services.
Thanks!
回答1:
This answer to the question might help.
--EDIT--
If the client is logging under their AD credentials then WindowsIdentity.GetCurrent() would return a valid WindowsIdentity.
If client is not logged onto the domain then you can provide a pop up that would ask for AD credentials.
Well, just thinking...
来源:https://stackoverflow.com/questions/2730406/domain-authentication-from-net-client-over-vpn