基于Active Directory的用户验证

基于Active Directory的用户验证

===================

由于需要使用MS的AD用户验证的功能，使AD用户认证成为公司的唯一用户认证的系统，因此，最后一直在找AD用户验证的资料，还好， 找到了如下的资料，非常不错，值得一看!!!

当然，还找到了更好的资源：

通过C#写的一个AD管理的类：http://www.c-sharpcorner.com/Code/2002/Sept/ADClass.asp

1. 基于AD的用户验证

public static bool IsUserValid (string UserName, string Password)

{

using (DirectoryEntry deUser = new DirectoryEntry(ADPath, UserName, Password, AuthenticationTypes.Secure))

{

try

{

// The NativeObject call on the DirectoryEntry object entry is an attempt to bind to the object in the directory.

// Since this call forces authentication, you will get an error if the user does not exist.

// If the user is a valid user in the domain, the call will succeed.

Object native = deUser.NativeObject;

return true;

}

catch

{

return false;

}

}

}

根据UserName/Password验证用户的合法性。需要注意的是：ADSI每次都会尝试Kerberos和NTLM验证，因此系统会记录2次验证记录。在设置Domain Password Policy时，需要考虑到上述的限制。否则，如果Bad Password Count超过限定的Domain Password Policy时，该帐户会Locked out。(注：后面有Article介绍如何判断/如何Lock/Unlock帐户)

2. 验证用户账号Active/Disable

/// <summary>

/// This will perfrom a logical operation on the userAccountControl values

/// to see if the user account is enabled or disabled. The flag for determining if the

/// account is active is a bitwise value (decimal =2)

/// </summary>

/// <param name="userAccountControl"></param>

/// <returns></returns>

public static bool IsAccountActive(int userAccountControl)

{

int userAccountControl_Disabled= Convert.ToInt32(ADAccountOptions.UF_ACCOUNTDISABLE);

int flagExists = userAccountControl & userAccountControl_Disabled;

//if a match is found, then the disabled flag exists within the control flags

if(flagExists >0)

{

return false;

}

else

{

return true;

}

}

3. 示例代码：调用上述IsUserValid()和IsAccountActive()方法

/// <summary>

/// This method will not actually log a user in, but will perform tests to ensure

/// that the user account exists (matched by both the username and password), and also

/// checks if the account is active.

/// </summary>

/// <param name="UserName"></param>

/// <param name="Password"></param>

/// <returns></returns>

public static ADHelper.LoginResult Login(string UserName, string Password)

{

//first, check if the logon exists based on the username and password

//DirectoryEntry de = GetUser(UserName,Password);

if(IsUserValid(UserName,Password))

{

DirectoryEntry de = GetUser(UserName);

if(de !=null)

{

//convert the accountControl value so that a logical operation can be performed

//to check of the Disabled option exists.

int userAccountControl = Convert.ToInt32(de.Properties["userAccountControl"][0]);

de.Close();

//if the disabled item does not exist then the account is active

if(!IsAccountActive(userAccountControl))

{

return LoginResult.LOGIN_USER_ACCOUNT_INACTIVE;

}

else

{

return LoginResult.LOGIN_OK;

}

}

else

{

return LoginResult.LOGIN_USER_DOESNT_EXIST;

}

}

else

{

return LoginResult.LOGIN_USER_DOESNT_EXIST;

}

}

4. 相关enum数据类型：ADAccountOptions和LoginResult

#region Enumerations

public enum ADAccountOptions

{

UF_TEMP_DUPLICATE_ACCOUNT = 0x0100,

UF_NORMAL_ACCOUNT =0x0200,

UF_INTERDOMAIN_TRUST_ACCOUNT =0x0800,

UF_WORKSTATION_TRUST_ACCOUNT = 0x1000,

UF_SERVER_TRUST_ACCOUNT =0x2000,

UF_DONT_EXPIRE_PASSWD=0x10000,

UF_SCRIPT =0x0001,

UF_ACCOUNTDISABLE=0x0002,

UF_HOMEDIR_REQUIRED =0x0008,

UF_LOCKOUT=0x0010,

UF_PASSWD_NOTREQD=0x0020,

UF_PASSWD_CANT_CHANGE=0x0040,

UF_ACCOUNT_LOCKOUT=0X0010,

UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED=0X0080,

}

public enum LoginResult

{

LOGIN_OK=0,

LOGIN_USER_DOESNT_EXIST,

LOGIN_USER_ACCOUNT_INACTIVE

}

#endregion

具体用户界面User Interface，请参考如下Reference 1

http://www.c-sharpcorner.com/Code/2002/Sept/ADClass.asp