我可以在.NET中模拟其他Active Directory域上的用户吗?

时间:2022-01-06 02:54:25

I have two Active Directory domains, A and B. Users in domain A need to run an application on their desktops to view and manipulate a resource located on a server in domain B. Each user also has an account in domain B. Is it possible to impersonate each user's domain B identity to perform operations on the domain B resource programatically?

我有两个Active Directory域,A和B.域A中的用户需要在其桌面上运行应用程序以查看和操作位于域B中的服务器上的资源。每个用户在域B中也有一个帐户。是否可能模仿每个用户的域B身份以编程方式对域B资源执行操作?

Example Workflow:

  1. User logs in to domain A.
  2. 用户登录域A.

  3. User launches desktop application.
  4. 用户启动桌面应用程序。

  5. User specifies resource in domain B.
  6. 用户指定域B中的资源。

  7. Application prompts user for domain B credentials.
  8. 应用程序提示用户输入域B凭据。

  9. Application impersonates user's domain B identity to access specified resource.
  10. 应用程序模拟用户的域B身份以访问指定的资源。

  11. User manipulates domain B resource using application.
  12. 用户使用应用程序操纵域B资源。

3 个解决方案

#1


I'm going to speak in terms of Win32 APIs, but I'm pretty sure you can p/invoke to these from .NET. Check http://pinvoke.net.

我将谈论Win32 API,但我很确定你可以从.NET调用它们。检查http://pinvoke.net。

You need to call the LogonUser API to create an access token that represents the user's domain B credentials.

您需要调用LogonUser API来创建表示用户的域B凭据的访问令牌。

Then you call ImpersonateLoggedOnUser, passing in that access token. The calling thread will impersonate the domain B credentials until you impersonate a different set of credentials or call the RevertToSelf API.

然后调用ImpersonateLoggedOnUser,传入该访问令牌。调用线程将模拟域B凭据,直到您模拟不同的凭据集或调用RevertToSelf API。

I guess it goes without saying that, for the LogonUser call to succeed, the machine you're running on will need to trust domain B.

我想不用说,为了使LogonUser调用成功,你运行的机器需要信任域B.

#2


If your computer (the one doing the impersonation) is a member of a domain which does not trust the domain of the user account you are trying to impersonate, then impersonation will fail. Anybody who says otherwise, I would love to see proof.

如果您的计算机(进行模拟的计算机)是域的成员,该域不信任您尝试模拟的用户帐户的域,则模拟将失败。任何不这么说的人,我都希望看到证据。

#3


Check out this question, which covers the impersonation issues you need.

查看此问题,其中涵盖了您需要的模拟问题。

#1


I'm going to speak in terms of Win32 APIs, but I'm pretty sure you can p/invoke to these from .NET. Check http://pinvoke.net.

我将谈论Win32 API,但我很确定你可以从.NET调用它们。检查http://pinvoke.net。

You need to call the LogonUser API to create an access token that represents the user's domain B credentials.

您需要调用LogonUser API来创建表示用户的域B凭据的访问令牌。

Then you call ImpersonateLoggedOnUser, passing in that access token. The calling thread will impersonate the domain B credentials until you impersonate a different set of credentials or call the RevertToSelf API.

然后调用ImpersonateLoggedOnUser,传入该访问令牌。调用线程将模拟域B凭据,直到您模拟不同的凭据集或调用RevertToSelf API。

I guess it goes without saying that, for the LogonUser call to succeed, the machine you're running on will need to trust domain B.

我想不用说,为了使LogonUser调用成功,你运行的机器需要信任域B.

#2


If your computer (the one doing the impersonation) is a member of a domain which does not trust the domain of the user account you are trying to impersonate, then impersonation will fail. Anybody who says otherwise, I would love to see proof.

如果您的计算机(进行模拟的计算机)是域的成员,该域不信任您尝试模拟的用户帐户的域,则模拟将失败。任何不这么说的人,我都希望看到证据。

#3


Check out this question, which covers the impersonation issues you need.

查看此问题,其中涵盖了您需要的模拟问题。