| 導購 | 订阅 | 在线投稿
分享
 
 
 

基于Active Directory的用戶驗證

來源:互聯網  2006-04-20 05:58:15  評論

基于Active Directory的用戶驗證

===================

由于需要使用MS的AD用戶驗證的功能,使AD用戶認證成爲公司的唯一用戶認證的系統,因此,最後一直在找AD用戶驗證的資料,還好, 找到了如下的資料,非常不錯,值得一看!!!

當然,還找到了更好的資源:

通過C#寫的一個AD管理的類:http://www.c-sharpcorner.com/Code/2002/Sept/ADClass.asp

1. 基于AD的用戶驗證

public static bool IsUserValid (string UserName, string Password)

{

using (DirectoryEntry deUser = new DirectoryEntry(ADPath, UserName, Password, AuthenticationTypes.Secure))

{

try

{

// The NativeObject call on the DirectoryEntry object entry is an attempt to bind to the object in the directory.

// Since this call forces authentication, you will get an error if the user does not exist.

// If the user is a valid user in the domain, the call will succeed.

Object native = deUser.NativeObject;

return true;

}

catch

{

return false;

}

}

}

根據UserName/Password驗證用戶的合法性。需要注意的是:ADSI每次都會嘗試Kerberos和NTLM驗證,因此系統會記錄2次驗證記錄。在設置Domain Password Policy時,需要考慮到上述的限制。否則,如果Bad Password Count超過限定的Domain Password Policy時,該帳戶會Locked out。(注:後面有Article介紹如何判斷/如何Lock/Unlock帳戶)

2. 驗證用戶賬號Active/Disable

/// <summary>

/// This will perfrom a logical operation on the userAccountControl values

/// to see if the user account is enabled or disabled. The flag for determining if the

/// account is active is a bitwise value (decimal =2)

/// </summary>

/// <param name="userAccountControl"></param>

/// <returns></returns>

public static bool IsAccountActive(int userAccountControl)

{

int userAccountControl_Disabled= Convert.ToInt32(ADAccountOptions.UF_ACCOUNTDISABLE);

int flagExists = userAccountControl & userAccountControl_Disabled;

//if a match is found, then the disabled flag exists within the control flags

if(flagExists >0)

{

return false;

}

else

{

return true;

}

}

3. 示例代碼:調用上述IsUserValid()和IsAccountActive()方法

/// <summary>

/// This method will not actually log a user in, but will perform tests to ensure

/// that the user account exists (matched by both the username and password), and also

/// checks if the account is active.

/// </summary>

/// <param name="UserName"></param>

/// <param name="Password"></param>

/// <returns></returns>

public static ADHelper.LoginResult Login(string UserName, string Password)

{

//first, check if the logon exists based on the username and password

//DirectoryEntry de = GetUser(UserName,Password);

if(IsUserValid(UserName,Password))

{

DirectoryEntry de = GetUser(UserName);

if(de !=null)

{

//convert the accountControl value so that a logical operation can be performed

//to check of the Disabled option exists.

int userAccountControl = Convert.ToInt32(de.Properties["userAccountControl"][0]);

de.Close();

//if the disabled item does not exist then the account is active

if(!IsAccountActive(userAccountControl))

{

return LoginResult.LOGIN_USER_ACCOUNT_INACTIVE;

}

else

{

return LoginResult.LOGIN_OK;

}

}

else

{

return LoginResult.LOGIN_USER_DOESNT_EXIST;

}

}

else

{

return LoginResult.LOGIN_USER_DOESNT_EXIST;

}

}

4. 相關enum數據類型:ADAccountOptions和LoginResult

#region Enumerations

public enum ADAccountOptions

{

UF_TEMP_DUPLICATE_ACCOUNT = 0x0100,

UF_NORMAL_ACCOUNT =0x0200,

UF_INTERDOMAIN_TRUST_ACCOUNT =0x0800,

UF_WORKSTATION_TRUST_ACCOUNT = 0x1000,

UF_SERVER_TRUST_ACCOUNT =0x2000,

UF_DONT_EXPIRE_PASSWD=0x10000,

UF_SCRIPT =0x0001,

UF_ACCOUNTDISABLE=0x0002,

UF_HOMEDIR_REQUIRED =0x0008,

UF_LOCKOUT=0x0010,

UF_PASSWD_NOTREQD=0x0020,

UF_PASSWD_CANT_CHANGE=0x0040,

UF_ACCOUNT_LOCKOUT=0X0010,

UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED=0X0080,

}

public enum LoginResult

{

LOGIN_OK=0,

LOGIN_USER_DOESNT_EXIST,

LOGIN_USER_ACCOUNT_INACTIVE

}

#endregion

具體用戶界面User Interface,請參考如下Reference 1
http://www.c-sharpcorner.com/Code/2002/Sept/ADClass.asp

基于Active Directory的用戶驗證 =================== 由于需要使用MS的AD用戶驗證的功能,使AD用戶認證成爲公司的唯一用戶認證的系統,因此,最後一直在找AD用戶驗證的資料,還好, 找到了如下的資料,非常不錯,值得一看!!! 當然,還找到了更好的資源: 通過C#寫的一個AD管理的類:[url=http://www.c-sharpcorner.com/Code/2002/Sept/ADClass.asp]http://www.c-sharpcorner.com/Code/2002/Sept/ADClass.asp[/url] 1. 基于AD的用戶驗證 public static bool IsUserValid (string UserName, string Password) { using (DirectoryEntry deUser = new DirectoryEntry(ADPath, UserName, Password, AuthenticationTypes.Secure)) { try { // The NativeObject call on the DirectoryEntry object entry is an attempt to bind to the object in the directory. // Since this call forces authentication, you will get an error if the user does not exist. // If the user is a valid user in the domain, the call will succeed. Object native = deUser.NativeObject; return true; } catch { return false; } } } 根據UserName/Password驗證用戶的合法性。需要注意的是:ADSI每次都會嘗試Kerberos和NTLM驗證,因此系統會記錄2次驗證記錄。在設置Domain Password Policy時,需要考慮到上述的限制。否則,如果Bad Password Count超過限定的Domain Password Policy時,該帳戶會Locked out。(注:後面有Article介紹如何判斷/如何Lock/Unlock帳戶) 2. 驗證用戶賬號Active/Disable /// <summary> /// This will perfrom a logical operation on the userAccountControl values /// to see if the user account is enabled or disabled. The flag for determining if the /// account is active is a bitwise value (decimal =2) /// </summary> /// <param name="userAccountControl"></param> /// <returns></returns> public static bool IsAccountActive(int userAccountControl) { int userAccountControl_Disabled= Convert.ToInt32(ADAccountOptions.UF_ACCOUNTDISABLE); int flagExists = userAccountControl & userAccountControl_Disabled; //if a match is found, then the disabled flag exists within the control flags if(flagExists >0) { return false; } else { return true; } } 3. 示例代碼:調用上述IsUserValid()和IsAccountActive()方法 /// <summary> /// This method will not actually log a user in, but will perform tests to ensure /// that the user account exists (matched by both the username and password), and also /// checks if the account is active. /// </summary> /// <param name="UserName"></param> /// <param name="Password"></param> /// <returns></returns> public static ADHelper.LoginResult Login(string UserName, string Password) { //first, check if the logon exists based on the username and password //DirectoryEntry de = GetUser(UserName,Password); if(IsUserValid(UserName,Password)) { DirectoryEntry de = GetUser(UserName); if(de !=null) { //convert the accountControl value so that a logical operation can be performed //to check of the Disabled option exists. int userAccountControl = Convert.ToInt32(de.Properties["userAccountControl"][0]); de.Close(); //if the disabled item does not exist then the account is active if(!IsAccountActive(userAccountControl)) { return LoginResult.LOGIN_USER_ACCOUNT_INACTIVE; } else { return LoginResult.LOGIN_OK; } } else { return LoginResult.LOGIN_USER_DOESNT_EXIST; } } else { return LoginResult.LOGIN_USER_DOESNT_EXIST; } } 4. 相關enum數據類型:ADAccountOptions和LoginResult #region Enumerations public enum ADAccountOptions { UF_TEMP_DUPLICATE_ACCOUNT = 0x0100, UF_NORMAL_ACCOUNT =0x0200, UF_INTERDOMAIN_TRUST_ACCOUNT =0x0800, UF_WORKSTATION_TRUST_ACCOUNT = 0x1000, UF_SERVER_TRUST_ACCOUNT =0x2000, UF_DONT_EXPIRE_PASSWD=0x10000, UF_SCRIPT =0x0001, UF_ACCOUNTDISABLE=0x0002, UF_HOMEDIR_REQUIRED =0x0008, UF_LOCKOUT=0x0010, UF_PASSWD_NOTREQD=0x0020, UF_PASSWD_CANT_CHANGE=0x0040, UF_ACCOUNT_LOCKOUT=0X0010, UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED=0X0080, } public enum LoginResult { LOGIN_OK=0, LOGIN_USER_DOESNT_EXIST, LOGIN_USER_ACCOUNT_INACTIVE } #endregion 具體用戶界面User Interface,請參考如下Reference 1 [url=http://www.c-sharpcorner.com/Code/2002/Sept/ADClass.asp]http://www.c-sharpcorner.com/Code/2002/Sept/ADClass.asp[/url]
󰈣󰈤
王朝萬家燈火計劃
期待原創作者加盟
 
 
 
>>返回首頁<<
 
 
 
 
 熱帖排行
 
 
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有