問題描述
我有兩個 Active Directory 域,A 和 B.域 A 中的用戶需要在他們的桌面上運行應(yīng)用程序來查看和操作位于域 B 中服務(wù)器上的資源.每個用戶在域 B 中也有一個帳戶.是否可以模擬每個用戶的域 B 身份以編程方式對域 B 資源執(zhí)行操作?
I have two Active Directory domains, A and B. Users in domain A need to run an application on their desktops to view and manipulate a resource located on a server in domain B. Each user also has an account in domain B. Is it possible to impersonate each user's domain B identity to perform operations on the domain B resource programatically?
示例工作流程:
- 用戶登錄到域 A.
- 用戶啟動桌面應(yīng)用程序.
- 用戶指定域 B 中的資源.
- 應(yīng)用程序提示用戶輸入域 B 憑據(jù).
- 應(yīng)用程序模仿用戶的域 B 身份來訪問指定的資源.
- 用戶使用應(yīng)用程序操作域 B 資源.
推薦答案
我將談?wù)?Win32 API,但我很確定您可以從 .NET 調(diào)用這些 API.檢查 http://pinvoke.net.
I'm going to speak in terms of Win32 APIs, but I'm pretty sure you can p/invoke to these from .NET. Check http://pinvoke.net.
您需要調(diào)用 LogonUser API 來創(chuàng)建代表用戶域 B 憑據(jù)的訪問令牌.
You need to call the LogonUser API to create an access token that represents the user's domain B credentials.
然后您調(diào)用 ImpersonateLoggedOnUser,傳入該訪問令牌.調(diào)用線程將模擬域 B 憑據(jù),直到您模擬一組不同的憑據(jù)或調(diào)用 RevertToSelf API.
Then you call ImpersonateLoggedOnUser, passing in that access token. The calling thread will impersonate the domain B credentials until you impersonate a different set of credentials or call the RevertToSelf API.
我想不用說,為了使 LogonUser 調(diào)用成功,您運行的機器需要信任域 B.
I guess it goes without saying that, for the LogonUser call to succeed, the machine you're running on will need to trust domain B.
這篇關(guān)于我可以在 .NET 中模擬不同 Active Directory 域上的用戶嗎?的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網(wǎng)!