我有两个 Active Directory 域,A 和 B.域 A 中的用户需要在他们的桌面上运行应用程序来查看和操作位于域 B 中服务器上的资源.每个用户在域 B 中也有一个帐户.是否可以模拟每个用户的域 B 身份以编程方式对域 B 资源执行操作?
I have two Active Directory domains, A and B. Users in domain A need to run an application on their desktops to view and manipulate a resource located on a server in domain B. Each user also has an account in domain B. Is it possible to impersonate each user's domain B identity to perform operations on the domain B resource programatically?
示例工作流程:
我将谈论 Win32 API,但我很确定您可以从 .NET 调用这些 API.检查 http://pinvoke.net.
I'm going to speak in terms of Win32 APIs, but I'm pretty sure you can p/invoke to these from .NET. Check http://pinvoke.net.
您需要调用 LogonUser API 来创建代表用户域 B 凭据的访问令牌.
You need to call the LogonUser API to create an access token that represents the user's domain B credentials.
然后您调用 ImpersonateLoggedOnUser,传入该访问令牌.调用线程将模拟域 B 凭据,直到您模拟一组不同的凭据或调用 RevertToSelf API.
Then you call ImpersonateLoggedOnUser, passing in that access token. The calling thread will impersonate the domain B credentials until you impersonate a different set of credentials or call the RevertToSelf API.
我想不用说,为了使 LogonUser 调用成功,您运行的机器需要信任域 B.
I guess it goes without saying that, for the LogonUser call to succeed, the machine you're running on will need to trust domain B.
这篇关于我可以在 .NET 中模拟不同 Active Directory 域上的用户吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持html5模板网!