Authenticating users against Active Directory in a client-server application
I've been asked to provide support for authenticating users against an Active Directory in our existing client-server application.
At the moment a user supplies a user name and password from a client machine, passed over the wire (encrypted) to our server process and matched against a user name/password stored in a database.
Initially, I thought this would be an easy problem to solve, since I could simply authenticate the users' name/password against Active Directory from our server process. However, it turns out that users shouldn't have to enter a password from our client application, instead taking its credentials from the current Windows login session.
I'm now faced with the problem of how to authenticate using Active Directory without having a password. I'm sure there must be a way of somehow passing some sort of "token" from the client to our server process that could be used as an alternative authentication method, but my research so far has drawn a blank.
Our server is written in C++, so we'll be using the win32 API. I also intend to develop and debug this using a virtual machine running Windows 2008 AD LDS - I'm hoping this will be sufficient for what I'm trying to achieve.
Any help or advice is much appreciated.
Solution: You do an NTLM/Kerberos/Negotiate SSPI exchange loop. There is a full sample on MSDN for both the client and the server. To be clear: you do not use any sort of LDAP access explicitly. It is the LSA (Local Security Authority) that talks with LDAP and establishes the identity of the client. If you are successful in doing the entire SSPI loop, the authentication has succeeded already and the client identity is already authenticated against the LDAP. If your server needs to know the client identity (e.g. to know the user name), it retrieves it from the security context resulting from the SSPI loop using QueryContextAttributes(..., SECPKG_ATTR_NAMES, ...) and retrieves the user name from the SecPkgContext_Names structure.