公司内的网址是用 AD 进行验证的,但是现在电脑登录也用 AD。为了防止自己的帐户在哪台机器上都可以登录,
就为 AD 绑定了机器名,只有在自己的机器上才可以登录。但是这样之后公司网址就不能随处登录了,只能在自己机器上登录,求一解决方法。这是 AD 验证代码:
using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using System.Runtime.InteropServices; //必要引用
using System.Security.Principal; //必要引用
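/// <summary>
/// Checks a user name, domain and password against Windows by calling
/// LogonUser in advapi32.dll and, on success, impersonates that account.
/// Written for ASP.NET 2.0; the author reports it debugged successfully on Windows XP.
/// </summary>
public class UserLoginForDomain
{
    public UserLoginForDomain()
    {
        // TODO: add constructor logic here
    }

    #region User domain logon

    public const int LOGON32_LOGON_INTERACTIVE = 2;
    public const int LOGON32_PROVIDER_DEFAULT = 0;
    // The original listing carried a commented-out "LOGON32_LOGON_BATCH = 8".
    // In winbase.h LOGON32_LOGON_BATCH is 4; the value 8 is LOGON32_LOGON_NETWORK_CLEARTEXT.

    // SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, the level passed to DuplicateToken.
    private const int SecurityImpersonation = 2;

    // Context returned by Impersonate(); stays null until a logon has succeeded.
    WindowsImpersonationContext impersonationContext;

    // SetLastError lets a caller read Marshal.GetLastWin32Error() after a failed logon,
    // which is what distinguishes "bad password" from "account restriction" in server logs.
    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern int LogonUser(String lpszUserName,
        String lpszDomain,
        String lpszPassword,
        int dwLogonType,
        int dwLogonProvider,
        ref IntPtr phToken);

    [DllImport("advapi32.dll", CharSet = System.Runtime.InteropServices.CharSet.Auto, SetLastError = true)]
    public extern static int DuplicateToken(IntPtr hToken,
        int impersonationLevel,
        ref IntPtr hNewToken);

    // Releases the token handles opened by LogonUser and DuplicateToken.
    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    private static extern bool CloseHandle(IntPtr handle);

    /// <summary>
    /// Attempts an interactive logon with the given user name, domain and password and,
    /// if it succeeds, starts impersonating that account on the current thread.
    /// </summary>
    /// <example>
    /// if (impersonateValidUser(UserName, Domain, Password)){}
    /// </example>
    /// <param name="userName">Account name, e.g. string UserName = UserNameTextBox.Text;</param>
    /// <param name="domain">Domain to log on to, e.g. string Domain = DomainTextBox.Text;</param>
    /// <param name="password">Account password, e.g. string Password = PasswordTextBox.Text;</param>
    /// <returns>true when logon and impersonation succeed; otherwise false.</returns>
    /// <remarks>
    /// LogonUser logs the account on to the computer that runs this code, i.e. the web server.
    /// NOTE(review): an account that AD restricts to specific workstations is therefore
    /// presumably evaluated against the server rather than the visitor's machine; confirm
    /// against the domain policy before changing the logon type.
    /// The password arrives as a managed String, which cannot be wiped after use.
    /// On success the thread keeps running as the logged-on account until
    /// undoImpersonation is called, so callers should pair the two in try/finally.
    /// </remarks>
    public bool impersonateValidUser(String userName, String domain, String password)
    {
        IntPtr token = IntPtr.Zero;
        IntPtr tokenDuplicate = IntPtr.Zero;

        try
        {
            if (LogonUser(userName, domain, password, LOGON32_LOGON_INTERACTIVE,
                    LOGON32_PROVIDER_DEFAULT, ref token) == 0)
            {
                return false;
            }

            if (DuplicateToken(token, SecurityImpersonation, ref tokenDuplicate) == 0)
            {
                return false;
            }

            // WindowsIdentity keeps its own copy of the token, so both raw handles
            // can be closed in the finally block without ending the impersonation.
            WindowsIdentity identity = new WindowsIdentity(tokenDuplicate);
            impersonationContext = identity.Impersonate();
            return impersonationContext != null;
        }
        finally
        {
            // The original never closed these handles, leaking two token handles
            // per logon attempt in a long-lived worker process.
            if (tokenDuplicate != IntPtr.Zero)
            {
                CloseHandle(tokenDuplicate);
            }
            if (token != IntPtr.Zero)
            {
                CloseHandle(token);
            }
        }
    }

    /// <summary>
    /// Ends the impersonation started by impersonateValidUser.
    /// Does nothing when no impersonation is active.
    /// </summary>
    public void undoImpersonation()
    {
        if (impersonationContext != null)
        {
            impersonationContext.Undo();
            // Drop the reference so a second call cannot undo the same context twice.
            impersonationContext = null;
        }
    }

    #endregion
}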
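/// <summary>
/// Validates the arguments, then calls the native LogonUserW with the password
/// marshalled from a <see cref="SecureString"/> into a temporary unmanaged buffer.
/// </summary>
/// <param name="userName">Account name; must be non-empty and at most MAX_USERNAME_LENGTH characters.</param>
/// <param name="domain">Domain name, or null; at most MAX_DOMAIN_LENGTH characters.</param>
/// <param name="password">Password; must not be null and at most MAX_PASSWORD_LENGTH characters.</param>
/// <param name="logonType">Logon type, passed to the native call as an int.</param>
/// <param name="logonProvider">Logon provider, passed to the native call as an int.</param>
/// <param name="token">Receives the token handle written by the native call.</param>
/// <returns>The result of InternalAdvapi32.LogonUserW.</returns>
/// <exception cref="ArgumentNullException">userName is null or empty, or password is null.</exception>
/// <exception cref="ArgumentOutOfRangeException">An argument exceeds its maximum length.</exception>
/// <remarks>
/// The native import is declared with SetLastError = true, so after a false result
/// Marshal.GetLastWin32Error() holds the failure code.
/// NOTE(review): the caller presumably owns the returned token handle and must close it; confirm at the call sites.
/// </remarks>
public static bool LogonUserW(
    string userName,
    string domain,
    SecureString password,
    LogonType logonType,
    LogonProvider logonProvider,
    out IntPtr token)
{
    if (string.IsNullOrEmpty(userName))
    {
        throw new ArgumentNullException("userName");
    }
    if (userName.Length > MAX_USERNAME_LENGTH)
    {
        throw new ArgumentOutOfRangeException("userName", string.Format("User name {0} is longer than {1} characters", userName, MAX_USERNAME_LENGTH));
    }
    // The password itself is deliberately kept out of the exception message.
    if ((password != null) && (password.Length > MAX_PASSWORD_LENGTH))
    {
        throw new ArgumentOutOfRangeException("password", string.Format("Password is longer than {0} characters", MAX_PASSWORD_LENGTH));
    }
    if ((domain != null) && (domain.Length > MAX_DOMAIN_LENGTH))
    {
        throw new ArgumentOutOfRangeException("domain", string.Format("Domain {0} is longer than {1} characters", domain, MAX_DOMAIN_LENGTH));
    }
    // A null password previously reached Marshal.SecureStringToGlobalAllocUnicode, which
    // throws ArgumentNullException naming its own parameter. Reject it here, at the same
    // point in the validation order, so the error names "password" and no logon is attempted.
    if (password == null)
    {
        throw new ArgumentNullException("password");
    }

    IntPtr passwordPtr = IntPtr.Zero;
    try
    {
        // The plaintext copy exists in unmanaged memory only for the duration of the call.
        passwordPtr = Marshal.SecureStringToGlobalAllocUnicode(password);
        return InternalAdvapi32.LogonUserW(userName, domain, passwordPtr, (int)logonType, (int)logonProvider, out token);
    }
    finally
    {
        if (passwordPtr != IntPtr.Zero)
        {
            // Overwrites the buffer with zeros before freeing it.
            Marshal.ZeroFreeGlobalAllocUnicode(passwordPtr);
        }
    }
}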
using System.Runtime.InteropServices;

/// <summary>
/// Raw P/Invoke declaration of LogonUserW in advapi32.dll.
/// </summary>
internal static class InternalAdvapi32
{
    // SetLastError = true preserves the Win32 error code for Marshal.GetLastWin32Error().
    // The password is an IntPtr rather than a string so that the caller can pass an
    // unmanaged buffer which it zeroes and frees itself after the call.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LogonUserW(
        string lpszUsername,
        string lpszDomain,
        IntPtr lpszPassword,
        int dwLogonType,
        int dwLogonProvider,
        out IntPtr phToken);
}
1. LZ所谓 “公司内的网址是用AD进行验证的”是指这个站点用 Windows 集成验证?
2. DC 限制你的 AD 账户只能登录某些机器,并不影响你的账户登录任何与该 AD 集成的 NTLM 验证站点,
仅仅是 IE 支持自动发送当前 Windows 账户给 DC 完成 IIS 站点需要的 NTLM 验证,
你可以手动输入你的 AD 账号
3. 假如 1 2 成立,你可以先在 IE 中设置不让这个站点自动验证
IE > Options > Security > xxx Site > custom level > Logon > prompt for user & pass
4.
现在要应用到机器上!实现:限制 AD 只能在设定的机器上登录,其它机器不允许。
网站的验证方式不变(可以在任何一台机器上登录网站)。
问题:现在网站不能随意登录了,只能在限定的机器上登录。
我现在不想限制登录网站,只想限制用户登录某台机器!求高手解决呀……我真的没有办法了。