| 订阅 | 在线投稿
分享
 
 
 

基于Active Directory的用户验证

来源:互联网  宽屏版  评论
2006-04-20 05:58:15

基于Active Directory的用户验证

===================

由于需要使用MS的AD用户验证的功能,使AD用户认证成为公司的唯一用户认证的系统,因此,最后一直在找AD用户验证的资料,还好, 找到了如下的资料,非常不错,值得一看!!!

当然,还找到了更好的资源:

通过C#写的一个AD管理的类:http://www.c-sharpcorner.com/Code/2002/Sept/ADClass.asp

1. 基于AD的用户验证

public static bool IsUserValid (string UserName, string Password)

{

using (DirectoryEntry deUser = new DirectoryEntry(ADPath, UserName, Password, AuthenticationTypes.Secure))

{

try

{

// The NativeObject call on the DirectoryEntry object entry is an attempt to bind to the object in the directory.

// Since this call forces authentication, you will get an error if the user does not exist.

// If the user is a valid user in the domain, the call will succeed.

Object native = deUser.NativeObject;

return true;

}

catch

{

return false;

}

}

}

根据UserName/Password验证用户的合法性。需要注意的是:ADSI每次都会尝试Kerberos和NTLM验证,因此系统会记录2次验证记录。在设置Domain Password Policy时,需要考虑到上述的限制。否则,如果Bad Password Count超过限定的Domain Password Policy时,该帐户会Locked out。(注:后面有Article介绍如何判断/如何Lock/Unlock帐户)

2. 验证用户账号Active/Disable

/// <summary>

/// This will perfrom a logical operation on the userAccountControl values

/// to see if the user account is enabled or disabled. The flag for determining if the

/// account is active is a bitwise value (decimal =2)

/// </summary>

/// <param name="userAccountControl"></param>

/// <returns></returns>

public static bool IsAccountActive(int userAccountControl)

{

int userAccountControl_Disabled= Convert.ToInt32(ADAccountOptions.UF_ACCOUNTDISABLE);

int flagExists = userAccountControl & userAccountControl_Disabled;

//if a match is found, then the disabled flag exists within the control flags

if(flagExists >0)

{

return false;

}

else

{

return true;

}

}

3. 示例代码:调用上述IsUserValid()和IsAccountActive()方法

/// <summary>

/// This method will not actually log a user in, but will perform tests to ensure

/// that the user account exists (matched by both the username and password), and also

/// checks if the account is active.

/// </summary>

/// <param name="UserName"></param>

/// <param name="Password"></param>

/// <returns></returns>

public static ADHelper.LoginResult Login(string UserName, string Password)

{

//first, check if the logon exists based on the username and password

//DirectoryEntry de = GetUser(UserName,Password);

if(IsUserValid(UserName,Password))

{

DirectoryEntry de = GetUser(UserName);

if(de !=null)

{

//convert the accountControl value so that a logical operation can be performed

//to check of the Disabled option exists.

int userAccountControl = Convert.ToInt32(de.Properties["userAccountControl"][0]);

de.Close();

//if the disabled item does not exist then the account is active

if(!IsAccountActive(userAccountControl))

{

return LoginResult.LOGIN_USER_ACCOUNT_INACTIVE;

}

else

{

return LoginResult.LOGIN_OK;

}

}

else

{

return LoginResult.LOGIN_USER_DOESNT_EXIST;

}

}

else

{

return LoginResult.LOGIN_USER_DOESNT_EXIST;

}

}

4. 相关enum数据类型:ADAccountOptions和LoginResult

#region Enumerations

public enum ADAccountOptions

{

UF_TEMP_DUPLICATE_ACCOUNT = 0x0100,

UF_NORMAL_ACCOUNT =0x0200,

UF_INTERDOMAIN_TRUST_ACCOUNT =0x0800,

UF_WORKSTATION_TRUST_ACCOUNT = 0x1000,

UF_SERVER_TRUST_ACCOUNT =0x2000,

UF_DONT_EXPIRE_PASSWD=0x10000,

UF_SCRIPT =0x0001,

UF_ACCOUNTDISABLE=0x0002,

UF_HOMEDIR_REQUIRED =0x0008,

UF_LOCKOUT=0x0010,

UF_PASSWD_NOTREQD=0x0020,

UF_PASSWD_CANT_CHANGE=0x0040,

UF_ACCOUNT_LOCKOUT=0X0010,

UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED=0X0080,

}

public enum LoginResult

{

LOGIN_OK=0,

LOGIN_USER_DOESNT_EXIST,

LOGIN_USER_ACCOUNT_INACTIVE

}

#endregion

具体用户界面User Interface,请参考如下Reference 1
http://www.c-sharpcorner.com/Code/2002/Sept/ADClass.asp

基于Active Directory的用户验证 =================== 由于需要使用MS的AD用户验证的功能,使AD用户认证成为公司的唯一用户认证的系统,因此,最后一直在找AD用户验证的资料,还好, 找到了如下的资料,非常不错,值得一看!!! 当然,还找到了更好的资源: 通过C#写的一个AD管理的类:[url=http://www.c-sharpcorner.com/Code/2002/Sept/ADClass.asp]http://www.c-sharpcorner.com/Code/2002/Sept/ADClass.asp[/url] 1. 基于AD的用户验证 public static bool IsUserValid (string UserName, string Password) { using (DirectoryEntry deUser = new DirectoryEntry(ADPath, UserName, Password, AuthenticationTypes.Secure)) { try { // The NativeObject call on the DirectoryEntry object entry is an attempt to bind to the object in the directory. // Since this call forces authentication, you will get an error if the user does not exist. // If the user is a valid user in the domain, the call will succeed. Object native = deUser.NativeObject; return true; } catch { return false; } } } 根据UserName/Password验证用户的合法性。需要注意的是:ADSI每次都会尝试Kerberos和NTLM验证,因此系统会记录2次验证记录。在设置Domain Password Policy时,需要考虑到上述的限制。否则,如果Bad Password Count超过限定的Domain Password Policy时,该帐户会Locked out。(注:后面有Article介绍如何判断/如何Lock/Unlock帐户) 2. 验证用户账号Active/Disable /// <summary> /// This will perfrom a logical operation on the userAccountControl values /// to see if the user account is enabled or disabled. The flag for determining if the /// account is active is a bitwise value (decimal =2) /// </summary> /// <param name="userAccountControl"></param> /// <returns></returns> public static bool IsAccountActive(int userAccountControl) { int userAccountControl_Disabled= Convert.ToInt32(ADAccountOptions.UF_ACCOUNTDISABLE); int flagExists = userAccountControl & userAccountControl_Disabled; //if a match is found, then the disabled flag exists within the control flags if(flagExists >0) { return false; } else { return true; } } 3. 示例代码:调用上述IsUserValid()和IsAccountActive()方法 /// <summary> /// This method will not actually log a user in, but will perform tests to ensure /// that the user account exists (matched by both the username and password), and also /// checks if the account is active. /// </summary> /// <param name="UserName"></param> /// <param name="Password"></param> /// <returns></returns> public static ADHelper.LoginResult Login(string UserName, string Password) { //first, check if the logon exists based on the username and password //DirectoryEntry de = GetUser(UserName,Password); if(IsUserValid(UserName,Password)) { DirectoryEntry de = GetUser(UserName); if(de !=null) { //convert the accountControl value so that a logical operation can be performed //to check of the Disabled option exists. int userAccountControl = Convert.ToInt32(de.Properties["userAccountControl"][0]); de.Close(); //if the disabled item does not exist then the account is active if(!IsAccountActive(userAccountControl)) { return LoginResult.LOGIN_USER_ACCOUNT_INACTIVE; } else { return LoginResult.LOGIN_OK; } } else { return LoginResult.LOGIN_USER_DOESNT_EXIST; } } else { return LoginResult.LOGIN_USER_DOESNT_EXIST; } } 4. 相关enum数据类型:ADAccountOptions和LoginResult #region Enumerations public enum ADAccountOptions { UF_TEMP_DUPLICATE_ACCOUNT = 0x0100, UF_NORMAL_ACCOUNT =0x0200, UF_INTERDOMAIN_TRUST_ACCOUNT =0x0800, UF_WORKSTATION_TRUST_ACCOUNT = 0x1000, UF_SERVER_TRUST_ACCOUNT =0x2000, UF_DONT_EXPIRE_PASSWD=0x10000, UF_SCRIPT =0x0001, UF_ACCOUNTDISABLE=0x0002, UF_HOMEDIR_REQUIRED =0x0008, UF_LOCKOUT=0x0010, UF_PASSWD_NOTREQD=0x0020, UF_PASSWD_CANT_CHANGE=0x0040, UF_ACCOUNT_LOCKOUT=0X0010, UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED=0X0080, } public enum LoginResult { LOGIN_OK=0, LOGIN_USER_DOESNT_EXIST, LOGIN_USER_ACCOUNT_INACTIVE } #endregion 具体用户界面User Interface,请参考如下Reference 1 [url=http://www.c-sharpcorner.com/Code/2002/Sept/ADClass.asp]http://www.c-sharpcorner.com/Code/2002/Sept/ADClass.asp[/url]
󰈣󰈤
 
 
 
>>返回首页<<
 
 热帖排行
 
 
王朝网络微信公众号
微信扫码关注本站公众号wangchaonetcn
 
 
静静地坐在废墟上,四周的荒凉一望无际,忽然觉得,凄凉也很美
©2005- 王朝网络 版权所有