
Winform user authorization via active directory

I have a situation where I am using the following code to verify user membership in AD before executing tasks in my app:

using System.Security.Principal;

// Checks whether the account running this process is a member of the named group.
private static bool IsInWindowsGroup(string groupName)
{
    WindowsIdentity  identity = WindowsIdentity.GetCurrent();
    WindowsPrincipal principal = new WindowsPrincipal(identity);
    return principal.IsInRole(groupName);
}

The above code works fine for machines on my domain; however, I do have some machines which are not on my domain on which I have the WinForms application installed. How can I verify the user's membership in AD?

Edit - is there a way to prompt the Windows login?


Since your computer is not joined to a domain at all, we cannot use WindowsIdentity or WindowsPrincipal and then check its IsInRole() method. The IsInRole() method works only if your computer is joined to the domain and it uses your domain machine account to do S4U2Self.

You cannot use the LogonUser approach either, because your computer won't let you create a logon session from an untrusted forest.

I think we can only query Active Directory directly to get the information we want. The code in your posted Microsoft KB does not work very well as far as I can tell. It's trying to query the memberOf attribute, and the group information is not always available from the memberOf attribute.

I just wrote an IsInRole() function using AccountManagement. I guess this is what you want. The IsInRole() function will call a recursive function IsInGroup() to find out all the groups the user belongs to.

using System.DirectoryServices.AccountManagement;

private bool IsInRole(string domain, string username, string password, string role)
{
    using (var context = new PrincipalContext(ContextType.Domain, domain, username, password))
    using (GroupPrincipal group = GroupPrincipal.FindByIdentity(context, IdentityType.SamAccountName, role))
    using (UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username))
    {
        // FindByIdentity returns null when the user or group does not exist: fail closed.
        if (user == null || group == null)
            return false;

        return IsInGroup(user, group);
    }
}

// Walks the principal's group memberships recursively so that membership
// through a nested group is detected as well as direct membership.
private bool IsInGroup(Principal principal, GroupPrincipal group)
{
    if (principal.IsMemberOf(group))
        return true;

    foreach (var g in principal.GetGroups())
    {
        if (IsInGroup(g, group))
            return true;
    }

    return false;
}

To use this IsInRole() function, you need to provide your domain name and domain credentials. If the username and password provided are wrong, you will get an exception.

You need .NET 3.5 SP1 to use the AccountManagement API. Also, you may want to pay attention to this hotfix. The AccountManagement API has some bugs in some environments, and you may need to apply the hotfix.
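As an added example (not code from the original question or answer), the following shows how the same check can be done from a non-domain-joined machine in a way that fails closed and resists two common mistakes: it validates the supplied credentials explicitly instead of waiting for an exception on first use, binds with Negotiate plus signing and sealing so the password never goes over LDAP in clear text, and compares the target group by SID rather than by name using the flattened GetAuthorizationGroups() set, which resolves nested membership without recursion. The domain name "corp.example", the user "jdoe", the placeholder SID and the method names are assumptions for illustration.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Added example, not part of the original post. Domain, user and SID below are placeholders.
public static class AdMembershipCheck
{
    // Kerberos/NTLM authentication over an encrypted, integrity-protected LDAP channel.
    // ContextOptions.SimpleBind without SecureSocketLayer would send the password in clear text.
    private const ContextOptions SecureBind =
        ContextOptions.Negotiate | ContextOptions.Sealing | ContextOptions.Signing;

    // Returns true only if the credentials are valid against the domain AND the user's
    // effective (token) group set contains the target group SID.
    public static bool IsUserInGroup(string domain, string userName, string password,
                                     SecurityIdentifier targetGroupSid)
    {
        using (var context = new PrincipalContext(ContextType.Domain, domain, null, SecureBind,
                                                  userName, password))
        {
            // Bad password, disabled or locked-out account: false, not an exception.
            if (!context.ValidateCredentials(userName, password, SecureBind))
                return false;

            using (UserPrincipal user =
                   UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, userName))
            {
                if (user == null)
                    return false;

                // GetAuthorizationGroups() already includes groups reached through nesting,
                // so no recursive walk is needed. Comparing SIDs survives group renames.
                foreach (Principal g in user.GetAuthorizationGroups())
                {
                    using (g)
                    {
                        if (g.Sid != null && g.Sid.Equals(targetGroupSid))
                            return true;
                    }
                }
            }
        }
        return false;
    }

    // Resolve the group's SID once (for example at deployment) and store that, rather than
    // resolving the group name on every authorization check.
    public static SecurityIdentifier ResolveGroupSid(PrincipalContext context, string groupSamAccountName)
    {
        using (GroupPrincipal group =
               GroupPrincipal.FindByIdentity(context, IdentityType.SamAccountName, groupSamAccountName))
        {
            if (group == null)
                throw new ArgumentException("Group not found: " + groupSamAccountName);
            return group.Sid;
        }
    }

    // Placeholder call site. PrincipalServerDownException is thrown when no domain controller
    // for the given domain is reachable from the non-joined machine; treat that as "not authorized".
    public static bool Example(string password)
    {
        // Placeholder SID; in practice obtain it once with ResolveGroupSid.
        var someGroupSid = new SecurityIdentifier("S-1-5-21-0-0-0-1000");
        try
        {
            return IsUserInGroup("corp.example", "jdoe", password, someGroupSid);
        }
        catch (PrincipalServerDownException)
        {
            return false;
        }
    }
}
```

The password should be collected at the time of the check and discarded afterwards rather than stored in the application's configuration; for the "prompt the Windows login" part of the question, the native CredUIPromptForWindowsCredentials API (called through P/Invoke) shows the standard Windows credential dialog and returns the entered user name and password, which can then be passed to IsUserInGroup. Note that GetAuthorizationGroups() is one of the AccountManagement calls affected by the hotfix the answer mentions, so test it against the target forest before relying on it.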

