首页 > 其他分享 >基于Active Directory的用户验证

基于Active Directory的用户验证

时间:2022-10-12 22:08:06浏览次数:73  
标签:UserName ACCOUNT Password return 验证 userAccountControl Directory Active UF

由于需要使用MS的AD用户验证的功能,使AD用户认证成为公司的唯一用户认证的系统,因此,最后一直在找AD用户验证的资料,还好, 找到了如下的资料,非常不错,值得一看!!!

  当然,还找到了更好的资源:

   通过C#写的一个AD管理的类:http://www.c-sharpcorner.com/Code/2002/Sept/ADClass.asp

 

1. 基于AD的用户验证

 

public static bool IsUserValid (string UserName, string Password)

{

using (DirectoryEntry deUser = new DirectoryEntry(ADPath, UserName, Password, AuthenticationTypes.Secure))

{

try

{

// The NativeObject call on the DirectoryEntry object entry is an attempt to bind to the object in the directory.

// Since this call forces authentication, you will get an error if the user does not exist.

// If the user is a valid user in the domain, the call will succeed.

Object native = deUser.NativeObject;



return true;

}

catch

{

return false;

}

}

}

根据UserName/Password验证用户的合法性。需要注意的是:ADSI每次都会尝试Kerberos和NTLM验证,因此系统会记录2次验证记录。在设置Domain Password Policy时,需要考虑到上述的限制。否则,如果Bad Password Count超过限定的Domain Password Policy时,该帐户会Locked out。(注:后面有Article介绍如何判断/如何Lock/Unlock帐户)

2. 验证用户账号Active/Disable

/// <summary>

/// This will perfrom a logical operation on the userAccountControl values

/// to see if the user account is enabled or disabled. The flag for determining if the

/// account is active is a bitwise value (decimal =2)

/// </summary>

/// <param name='userAccountControl'></param>

/// <returns></returns>

public static bool IsAccountActive(int userAccountControl)

{

int userAccountControl_Disabled= Convert.ToInt32(ADAccountOptions.UF_ACCOUNTDISABLE);

int flagExists = userAccountControl & userAccountControl_Disabled;

//if a match is found, then the disabled flag exists within the control flags

if(flagExists >0)

{

return false;

}

else

{

return true;

}

}

3. 示例代码:调用上述IsUserValid()和IsAccountActive()方法

/// <summary>

/// This method will not actually log a user in, but will perform tests to ensure

/// that the user account exists (matched by both the username and password), and also

/// checks if the account is active.

/// </summary>

/// <param name='UserName'></param>

/// <param name='Password'></param>

/// <returns></returns>

public static ADHelper.LoginResult Login(string UserName, string Password)

{

//first, check if the logon exists based on the username and password

//DirectoryEntry de = GetUser(UserName,Password);



if(IsUserValid(UserName,Password))

{

DirectoryEntry de = GetUser(UserName);

if(de !=null)

{

//convert the accountControl value so that a logical operation can be performed

//to check of the Disabled option exists.

int userAccountControl = Convert.ToInt32(de.Properties['userAccountControl'][0]);

de.Close();



//if the disabled item does not exist then the account is active

if(!IsAccountActive(userAccountControl))

{

return LoginResult.LOGIN_USER_ACCOUNT_INACTIVE;

}

else

{

return LoginResult.LOGIN_OK;

}



}

else

{

return LoginResult.LOGIN_USER_DOESNT_EXIST;

}

}

else

{

return LoginResult.LOGIN_USER_DOESNT_EXIST;

}

}

4. 相关enum数据类型:ADAccountOptions和LoginResult

#region Enumerations

public enum ADAccountOptions

{

UF_TEMP_DUPLICATE_ACCOUNT = 0x0100,

UF_NORMAL_ACCOUNT =0x0200,

UF_INTERDOMAIN_TRUST_ACCOUNT =0x0800,

UF_WORKSTATION_TRUST_ACCOUNT = 0x1000,

UF_SERVER_TRUST_ACCOUNT =0x2000,

UF_DONT_EXPIRE_PASSWD=0x10000,

UF_SCRIPT =0x0001,

UF_ACCOUNTDISABLE=0x0002,

UF_HOMEDIR_REQUIRED =0x0008,

UF_LOCKOUT=0x0010,

UF_PASSWD_NOTREQD=0x0020,

UF_PASSWD_CANT_CHANGE=0x0040,

UF_ACCOUNT_LOCKOUT=0X0010,

UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED=0X0080,

}





public enum LoginResult

{

LOGIN_OK=0,

LOGIN_USER_DOESNT_EXIST,

LOGIN_USER_ACCOUNT_INACTIVE

}



#endregion

 

具体用户界面User Interface,请参考如下Reference 1

​http://www.c-sharpcorner.com/Code/2002/Sept/ADClass.asp​

 


标签:UserName,ACCOUNT,Password,return,验证,userAccountControl,Directory,Active,UF
From: https://blog.51cto.com/amadeus/5751644

相关文章