Authenticate against a user in active directory?

只愿长相守 submitted on 2020-01-22 16:37:16

Question


I do have a web application where I have a login page. How do I authenticate against the Active Directory users?

As of now I am able to get some properties from Active Directory, which shows that I am able to communicate with AD with the LDAP string. I know it's not possible to extract the password from AD and authenticate against the user-entered password!

Is there a way I can authenticate against the Active Directory users?

Here is my code so far

    using System.Configuration;
    using System.DirectoryServices;

    public class Userdetails
    {
        public static string ADPath = ConfigurationManager.AppSettings.Get("ADPath"); // Get the ADAM path from the web config file
        public static string ADUser = ConfigurationManager.AppSettings.Get("ADUser"); // ADAM administrator
        public static string ADPassword = ConfigurationManager.AppSettings.Get("ADPassword"); // ADAM administrator password

        public static DirectoryEntry GetUserDetails(string userID)
        {
            AuthenticationTypes AuthTypes;  // Authentication flags.
            // Set authentication flags.
            // For non-secure connection, use LDAP port and
            //  ADS_USE_SIGNING |
            //  ADS_USE_SEALING |
            //  ADS_SECURE_AUTHENTICATION
            // For secure connection, use SSL port and
            //  ADS_USE_SSL | ADS_SECURE_AUTHENTICATION
            AuthTypes = AuthenticationTypes.Signing |
                AuthenticationTypes.Sealing |
                AuthenticationTypes.Secure;
            // Bind with the service (administrator) account, not with the user's own credentials.
            DirectoryEntry De = new DirectoryEntry(ADPath, ADUser, ADPassword, AuthTypes);
            DirectorySearcher Ds = new DirectorySearcher(De);
            SearchResult Sr;
            Ds.SearchScope = SearchScope.Subtree;
            // userID is concatenated into the filter as-is; escape LDAP filter
            // metacharacters (RFC 4515) in it before it reaches this line.
            Ds.Filter = "(&(objectclass=*)(cn= " + userID + "))";
            Sr = Ds.FindOne();
            if (!(Sr == null))
            {
                De = new DirectoryEntry(Sr.Path, ADUser, ADPassword, AuthTypes);
                return De;
            }
            else
            {
                return null;
            }
        }
    }

Answer 1:


If you are going to only authenticate against the AD and do not have to perform other AD-specific operations, why don't you stick with the built-in ActiveDirectoryMembershipProvider instead of writing custom code?

Please take a look:

http://msdn.microsoft.com/en-us/library/system.web.security.activedirectorymembershipprovider.aspx




Answer 2:


http://msdn.microsoft.com/en-us/library/bb299745.aspx

http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.aspx

http://msdn.microsoft.com/en-us/magazine/cc135979.aspx

    using System.Diagnostics;
    using System.DirectoryServices.AccountManagement;

    public bool Validate(string username, string password)
    {

        //ex PrincipalContext principalContext = new PrincipalContext(ContextType.ApplicationDirectory,"sea-dc-02.fabrikam.com:50001","ou=ADAM Users,o=microsoft,c=us",ContextOptions.SecureSocketLayer | ContextOptions.SimpleBind,"CN=administrator,OU=ADAM Users,O=Microsoft,C=US","P@55w0rd0987");

        try
        {
            using (PrincipalContext principalContext = new PrincipalContext(ContextType.Domain, Configuration.Config.ActiveDirectory.PrimaryServer, Configuration.Config.ActiveDirectory.Container, ContextOptions.Negotiate))
            {
                // Returns true only if the directory accepts this user name and password.
                return principalContext.ValidateCredentials(username, password);
            }
        }
        catch (PrincipalServerDownException)
        {
            // Log which server and container were tried, then rethrow.
            Debug.WriteLine("PrimaryServer={0};Container={1}", Configuration.Config.ActiveDirectory.PrimaryServer, Configuration.Config.ActiveDirectory.Container);
            Debug.WriteLine("LDAP://{0}/{1}", Configuration.Config.ActiveDirectory.PrimaryServer, Configuration.Config.ActiveDirectory.Container);
            throw;
        }
    }



Answer 3:


Creating a new DirectoryEntry with a password and using it with a DirectorySearcher will validate the password and throw an exception if it fails. An important exception to this is empty/null passwords. Most LDAP servers (I think that AD is included) will ignore the password parameter if it is null or empty. So you should test for that first.

Old MSDN sample
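
The empty-password guard described in answer 3, sketched as an added example (not code from the original thread). `AdBindCheck`, `TryBind` and the sample path in the comment are hypothetical names chosen here; the bind uses the same authentication flags as the question's code.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

public static class AdBindCheck
{
    // HRESULT_FROM_WIN32(ERROR_LOGON_FAILURE): unknown user name or bad password.
    private const int LogonFailure = unchecked((int)0x8007052E);

    // ldapPath is an assumption, e.g. "LDAP://dc01.example.test/DC=example,DC=test" (constructed).
    public static bool TryBind(string ldapPath, string userName, string password)
    {
        // Reject blank credentials before touching the directory. A simple bind
        // with an empty password is an unauthenticated bind that the server may
        // accept, and a null user name and password make ADSI bind as the
        // identity the web application itself runs under.
        if (string.IsNullOrWhiteSpace(userName) || string.IsNullOrEmpty(password))
            return false;

        try
        {
            using (var entry = new DirectoryEntry(ldapPath, userName, password,
                AuthenticationTypes.Secure | AuthenticationTypes.Signing | AuthenticationTypes.Sealing))
            {
                // DirectoryEntry binds lazily; reading NativeObject forces the bind.
                object native = entry.NativeObject;
                return native != null;
            }
        }
        catch (COMException ex) when (ex.ErrorCode == LogonFailure)
        {
            return false; // wrong user name or password
        }
        // Any other COMException (server unreachable, bad path) propagates, so an
        // outage is not reported to the caller as a failed login.
    }
}
```

Call `TryBind` with the credentials typed into the login form, not with the administrator account from the web config.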



Source: https://stackoverflow.com/questions/7955377/authenticate-against-a-user-in-active-directory
