Can I impersonate a user on a different Active Directory domain in .NET?

Posted by 送分小仙女 on 2019-12-18 16:51:37

Question


I have two Active Directory domains, A and B. Users in domain A need to run an application on their desktops to view and manipulate a resource located on a server in domain B. Each user also has an account in domain B. Is it possible to impersonate each user's domain B identity to perform operations on the domain B resource programmatically?

Example Workflow:

  1. User logs in to domain A.
  2. User launches desktop application.
  3. User specifies resource in domain B.
  4. Application prompts user for domain B credentials.
  5. Application impersonates user's domain B identity to access specified resource.
  6. User manipulates domain B resource using application.

Answer 1:


I'm going to speak in terms of Win32 APIs, but I'm pretty sure you can p/invoke to these from .NET. Check http://pinvoke.net.

You need to call the LogonUser API to create an access token that represents the user's domain B credentials.

Then you call ImpersonateLoggedOnUser, passing in that access token. The calling thread will impersonate the domain B credentials until you impersonate a different set of credentials or call the RevertToSelf API.

I guess it goes without saying that, for the LogonUser call to succeed, the machine you're running on will need to trust domain B.
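The workflow in the question (prompt for domain B credentials, impersonate, operate, revert) implemented with the two APIs this answer names, as an added example that is not part of the original post or answer. The domain, account and UNC path are placeholders; the code assumes .NET Framework 4.6+ or .NET Core on Windows (for `SafeAccessTokenHandle`), and that the desktop sits in a domain that trusts domain B when the default logon type is used.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

// Added example: run one operation as a domain B account via LogonUser +
// ImpersonateLoggedOnUser, and always revert afterwards.
static class CrossDomainImpersonation
{
    // INTERACTIVE (2): credentials are validated against domain B (needs a trust
    // path from this machine) and cached in the token, so the impersonating
    // thread can authenticate to remote resources.
    // NEW_CREDENTIALS (9): the token keeps the caller's local identity and uses the
    // supplied credentials only for outbound network authentication; nothing is
    // validated locally, so a wrong password surfaces only when the share is hit.
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out SafeAccessTokenHandle phToken);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool ImpersonateLoggedOnUser(SafeAccessTokenHandle hToken);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool RevertToSelf();

    // Runs action() on the current thread while it impersonates domain\user.
    public static T RunAs<T>(string domain, string user, string password,
                             bool outboundOnly, Func<T> action)
    {
        int logonType = outboundOnly ? LOGON32_LOGON_NEW_CREDENTIALS : LOGON32_LOGON_INTERACTIVE;
        int provider  = outboundOnly ? LOGON32_PROVIDER_WINNT50     : LOGON32_PROVIDER_DEFAULT;

        if (!LogonUser(user, domain, password, logonType, provider, out SafeAccessTokenHandle token))
            throw new Win32Exception(Marshal.GetLastWin32Error(), "LogonUser failed");

        using (token) // closes the token handle when done
        {
            if (!ImpersonateLoggedOnUser(token))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "ImpersonateLoggedOnUser failed");
            try
            {
                return action();
            }
            finally
            {
                // Revert even if action() throws; a thread left impersonating would
                // carry the domain B identity into unrelated later work.
                if (!RevertToSelf())
                    Environment.FailFast("RevertToSelf failed; thread still impersonating");
            }
        }
    }

    static void Main()
    {
        // Placeholder names for domain B, the account and the resource.
        const string domain = "DOMAINB";
        const string user   = "alice";
        const string share  = @"\\fileserver.domainb.example\share";

        // Step 4 of the workflow: prompt for the domain B password at run time
        // (a real application should mask the input; never hard-code it).
        Console.Write($"Password for {domain}\\{user}: ");
        string password = Console.ReadLine();

        // Step 5/6: the lambda runs as DOMAINB\alice and touches the resource.
        string summary = RunAs(domain, user, password, outboundOnly: false, () =>
        {
            string who = WindowsIdentity.GetCurrent().Name;   // DOMAINB\alice here
            int count  = Directory.GetFiles(share).Length;
            return $"{who} sees {count} file(s) in {share}";
        });

        Console.WriteLine(summary);
        Console.WriteLine(WindowsIdentity.GetCurrent().Name); // back to the domain A user
    }
}
```

Pass `outboundOnly: true` when the desktop's domain has no trust with domain B: `LogonUser` then succeeds without contacting domain B, and the credentials are presented only when the thread opens the remote share. On .NET Framework 4.6+ and .NET Core, `WindowsIdentity.RunImpersonated(token, action)` wraps the impersonate/revert pair for you and can replace the two `advapi32` imports; the `LogonUser` call is the same.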




Answer 2:


If your computer (the one doing the impersonation) is a member of a domain which does not trust the domain of the user account you are trying to impersonate, then impersonation will fail. Anybody who says otherwise, I would love to see proof.




Answer 3:


Check out this question, which covers the impersonation issues you need.



Source: https://stackoverflow.com/questions/997001/can-i-impersonate-a-user-on-a-different-active-directory-domain-in-net
