我發現了一個簡單的解決方案，可以輕鬆地用於基於用戶角色的AD身份驗證。為此，我們基本上需要以下輸入：1. LDAPServerAddress；2. 組名稱：admin、用戶或其他組。獲得以上信息後，使用以下代碼創建一個通用庫項目，並將其導入到您的項目中。第一步：在VS中創建庫項目。第二步：創建AD對象類，如下：
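public class ActiveDirectoryInfo
{
    /// <summary>
    /// Authorization level derived from group membership. Administrator is the first member and
    /// therefore the enum's zero value, so a freshly created object would read as Administrator
    /// unless Authorization is initialised; the constructor sets it to ReadOnly for that reason.
    /// </summary>
    public enum Role { Administrator, User, ReadOnly };

    /// <summary>
    /// Creates an instance whose Authorization starts at the least privileged role (ReadOnly),
    /// so an object that has not yet been checked against the directory never looks privileged.
    /// </summary>
    public ActiveDirectoryInfo()
    {
        Authorization = Role.ReadOnly;
    }

    /// <summary>sAMAccountName used for credential validation and directory lookups.</summary>
    public string UserName { get; set; }

    /// <summary>Result of the last credential validation; false until a validation succeeds.</summary>
    public bool IsAuthentic { get; set; }

    /// <summary>Display name read from the directory for UserName.</summary>
    public string UserDisplayName { get; set; }

    /// <summary>
    /// Clear-text password used for the bind. A string cannot be zeroed after use, so keep this
    /// object short-lived and do not log or persist it.
    /// </summary>
    public string Password { get; set; }

    /// <summary>Host name of the LDAP server; the helper appends the LDAPS port itself.</summary>
    public string LdapServerName { get; set; }

    /// <summary>Directory name of the group whose members are treated as Administrator.</summary>
    public string AdminGroupName { get; set; }

    /// <summary>Directory name of the group whose members are treated as User.</summary>
    public string UserGroupName { get; set; }

    /// <summary>Role assigned by the last group-membership check; ReadOnly until then.</summary>
    public Role Authorization { get; set; }
}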
步驟3：使用以下代碼，以上述對象及其值對AD進行檢查：
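public class ActiveDirectoryHelper : IDisposable
{
    /// <summary>
    /// Private variable for Principal Context
    /// </summary>
    private PrincipalContext context = null;

    /// <summary>
    /// Public property for Principal Context
    /// </summary>
    public PrincipalContext Context
    {
        get { return context; }
        set { context = value; }
    }

    /// <summary>
    /// The ActiveDirectoryInfo handed to the constructor. Only its LdapServerName is read here;
    /// each public method takes its own ActiveDirectoryInfo argument and writes its result into that.
    /// </summary>
    public ActiveDirectoryInfo adInfo = null;

    /// <summary>
    /// Constructor: opens a domain context against adInfo.LdapServerName over LDAPS.
    /// </summary>
    /// <param name="adInfo">Connection settings; LdapServerName must name the directory server.</param>
    /// <exception cref="ArgumentNullException">adInfo is null.</exception>
    public ActiveDirectoryHelper(ActiveDirectoryInfo adInfo)
    {
        if (adInfo == null)
        {
            throw new ArgumentNullException("adInfo");
        }
        this.adInfo = adInfo;
        // 636 is the LDAPS port. SecureSocketLayer keeps this bind off the wire in clear text;
        // Negotiate with a null user name/password binds as the identity of the running process.
        context = new PrincipalContext(
            ContextType.Domain,
            adInfo.LdapServerName + ":636",
            null,
            ContextOptions.SecureSocketLayer | ContextOptions.Negotiate);
    }

    /// <summary>
    /// To Check if the user is Authentic in Active Directory
    /// </summary>
    /// <param name="adInfo">Supplies UserName and Password; IsAuthentic is written back to it.</param>
    /// <returns>IsAuthentic: true only when the directory accepted the supplied credentials.</returns>
    /// <exception cref="ArgumentNullException">adInfo is null.</exception>
    public bool IsAuthenticUser(ActiveDirectoryInfo adInfo)
    {
        if (adInfo == null)
        {
            throw new ArgumentNullException("adInfo");
        }
        // Fail closed: clear any result left by an earlier call before attempting the bind,
        // so an exception below can never leave a stale "true" behind.
        adInfo.IsAuthentic = false;
        // ValidateCredentials with a null user name and password validates the credentials of the
        // current process rather than of the user, and a blank password can be treated by an LDAP
        // server as an unauthenticated bind; neither must be reported as a successful login.
        if (string.IsNullOrEmpty(adInfo.UserName) || string.IsNullOrEmpty(adInfo.Password))
        {
            return false;
        }
        try
        {
            // NOTE(review): the options passed here, not the constructor's, govern the bind that
            // ValidateCredentials performs. Confirm on the target framework that ServerBind alone is
            // accepted and that the resulting bind is TLS-protected; if it is rejected, every login
            // lands in the ArgumentException handler below and is reported as invalid.
            adInfo.IsAuthentic = context.ValidateCredentials(adInfo.UserName, adInfo.Password, ContextOptions.ServerBind);
        }
        catch (ArgumentException aex)
        {
            LogInfo.LogNLogUnhandledError("Invalid User Name or Password", aex);
        }
        catch (Exception ex)
        {
            LogInfo.LogNLogUnhandledError("Could not authenticate User", ex);
        }
        return adInfo.IsAuthentic;
    }

    /// <summary>
    /// To get the Display UserName from Active Directory
    /// </summary>
    /// <param name="adInfo">Supplies UserName; UserDisplayName is written back to it when the user is found.</param>
    /// <returns>UserDisplayName (left unchanged when the user is not found or the lookup fails).</returns>
    /// <exception cref="ArgumentNullException">adInfo is null.</exception>
    public string AuthenticUserName(ActiveDirectoryInfo adInfo)
    {
        if (adInfo == null)
        {
            throw new ArgumentNullException("adInfo");
        }
        try
        {
            // A null result (no such account) is logged instead of dereferenced.
            using (UserPrincipal user = FindUser(adInfo.UserName))
            {
                if (user == null)
                {
                    LogInfo.LogNLogUnhandledError("Invalid User Name ", new ArgumentException("User not found in the directory"));
                }
                else
                {
                    adInfo.UserDisplayName = user.DisplayName;
                }
            }
        }
        catch (ArgumentException aex)
        {
            // Log the exception itself: its InnerException is usually null and would lose the detail.
            LogInfo.LogNLogUnhandledError("Invalid User Name ", aex);
        }
        catch (Exception ex)
        {
            LogInfo.LogNLogUnhandledError("Error in AuthenticateUserName ", ex);
        }
        return adInfo.UserDisplayName;
    }

    /// <summary>
    /// To Check if the User belongs to a Authorized group in Active Directory
    /// </summary>
    /// <param name="adInfo">Supplies UserName, AdminGroupName and UserGroupName; Authorization is written back to it.</param>
    /// <returns>UserRole: Administrator, User or ReadOnly. ReadOnly is also returned when the user or
    /// a configured group cannot be found, or when the lookup fails.</returns>
    /// <exception cref="ArgumentNullException">adInfo is null.</exception>
    public ActiveDirectoryInfo.Role AuthorizedGroup(ActiveDirectoryInfo adInfo)
    {
        if (adInfo == null)
        {
            throw new ArgumentNullException("adInfo");
        }
        // Fail closed. Role.Administrator is the enum's zero value, so an adInfo that has never been
        // evaluated reads as Administrator; assign the least privileged role before anything can fail.
        adInfo.Authorization = ActiveDirectoryInfo.Role.ReadOnly;
        try
        {
            using (GroupPrincipal adminGroup = GroupPrincipal.FindByIdentity(context, IdentityType.Name, adInfo.AdminGroupName))
            using (GroupPrincipal userGroup = GroupPrincipal.FindByIdentity(context, IdentityType.Name, adInfo.UserGroupName))
            using (UserPrincipal user = FindUser(adInfo.UserName))
            {
                if (adminGroup == null || userGroup == null)
                {
                    // FindByIdentity returns null for an unknown name. A misconfigured group name
                    // means nobody can be granted that role, so record it rather than fail silently.
                    LogInfo.LogNLogUnhandledError("Invalid Group Name", new ArgumentException("A configured group was not found in the directory"));
                    return adInfo.Authorization;
                }
                if (user == null)
                {
                    LogInfo.LogNLogUnhandledError("Invalid User Name or Password", new ArgumentException("User not found in the directory"));
                    return adInfo.Authorization;
                }
                using (PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups())
                {
                    // check if user is member of that group
                    if (groups.Contains(adminGroup))
                    {
                        adInfo.Authorization = ActiveDirectoryInfo.Role.Administrator;
                    }
                    else if (groups.Contains(userGroup))
                    {
                        adInfo.Authorization = ActiveDirectoryInfo.Role.User;
                    }
                }
            }
        }
        catch (System.ComponentModel.InvalidEnumArgumentException ienumarex)
        {
            LogInfo.LogNLogUnhandledError("Invalid Group Name", ienumarex);
        }
        catch (ArgumentException aex)
        {
            LogInfo.LogNLogUnhandledError("Invalid User Name or Password", aex);
        }
        catch (Exception ex)
        {
            LogInfo.LogNLogUnhandledError("User Cannot be Authorised", ex);
        }
        return adInfo.Authorization;
    }

    /// <summary>
    /// Looks up a user by sAMAccountName via a query-by-example search.
    /// </summary>
    /// <param name="samAccountName">The sAMAccountName to match.</param>
    /// <returns>The matching UserPrincipal, owned by the caller, or null when no account matches.</returns>
    private UserPrincipal FindUser(string samAccountName)
    {
        // Both the template principal and the searcher hold directory resources; dispose them
        // on every path instead of only on success.
        using (UserPrincipal template = new UserPrincipal(context))
        {
            template.SamAccountName = samAccountName;
            using (PrincipalSearcher search = new PrincipalSearcher(template))
            {
                return (UserPrincipal)search.FindOne();
            }
        }
    }

    /// <summary>
    /// Releases the PrincipalContext (and with it the LDAPS connection) opened by the constructor.
    /// </summary>
    public void Dispose()
    {
        if (context != null)
        {
            context.Dispose();
            context = null;
        }
    }
}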