Asp.net集成Windows域账户登陆

-

最近领导让修改一个asp小系统,由于自己对asp.net比较熟悉而对asp很是陌生!虽然asp的源代码也有,只是修改一下实现CRUD即可,但也是很痛苦的一件事啊!于是一上午都在看代码,郁闷ing.由于公司的电脑都是在域中(Microsoft的外包公司,域名就不说了,估计很多都知道的,哈哈),于是突发奇想,能不能通过AD中用户和密码对系统进行身份验证呢?经过Google总算搜出一篇文章来(还是微软网站上的,URL),按照葫芦画瓢总算是在VS2008中调试成功了!顺便分享一下算是自己的经验吧!

1.       创建Web Site,添加一个类,代码如下

 

 1using System;
 2using System.Text;
 3using System.Collections;
 4using System.DirectoryServices;
 5
 6namespace FormsAuth
 7{
 8    public class LdapAuthentication
 9    {
        private String _path;
        private String _filterAttribute;

        public LdapAuthentication(String path)
        {
            _path = path;
        }

        public bool IsAuthenticated(String domain, String username, String pwd)
        {
            String domainAndUsername = domain + @"\" + username;
            DirectoryEntry entry = new DirectoryEntry(_path, domainAndUsername, pwd);

            try
            {    //Bind to the native AdsObject to force authentication.            
                Object obj = entry.NativeObject;

                DirectorySearcher search = new DirectorySearcher(entry);

                search.Filter = "(SAMAccountName=" + username + ")";
                search.PropertiesToLoad.Add("cn");
                SearchResult result = search.FindOne();

                if (null == result)
                {
                    return false;
                }

                //Update the new path to the user in the directory.
                _path = result.Path;
                _filterAttribute = (String)result.Properties["cn"][0];
            }
            catch (Exception ex)
            {
                throw new Exception("Error authenticating user. " + ex.Message);
            }

            return true;
        }

        public String GetGroups()
        {
            DirectorySearcher search = new DirectorySearcher(_path);
            search.Filter = "(cn=" + _filterAttribute + ")";
            search.PropertiesToLoad.Add("memberOf");
            StringBuilder groupNames = new StringBuilder();

            try
            {
                SearchResult result = search.FindOne();

                int propertyCount = result.Properties["memberOf"].Count;

                String dn;
                int equalsIndex, commaIndex;

                for (int propertyCounter = 0; propertyCounter < propertyCount; propertyCounter++)
                {
                    dn = (String)result.Properties["memberOf"][propertyCounter];

                    equalsIndex = dn.IndexOf("=", 1);
                    commaIndex = dn.IndexOf(",", 1);
                    if (-1 == equalsIndex)
                    {
                        return null;
                    }

                    groupNames.Append(dn.Substring((equalsIndex + 1), (commaIndex - equalsIndex) - 1));
                    groupNames.Append("|");

                }
            }
            catch (Exception ex)
            {
                throw new Exception("Error obtaining group names. " + ex.Message);
            }
            return groupNames.ToString();
        }
    }
}

 

2.       修改Global.ascx文件增加Application_AuthenticateRequest方法,代码如下

 

 1 void Application_AuthenticateRequest(Object sender, EventArgs e)
 2    {
 3        String cookieName = FormsAuthentication.FormsCookieName;
 4        HttpCookie authCookie = Context.Request.Cookies[cookieName];
 5
 6        if (null == authCookie)
 7        {//There is no authentication cookie.
 8            return;
 9        }

        FormsAuthenticationTicket authTicket = null;

        try
        {
            authTicket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (Exception)
        {
            //Write the exception to the Event Log.
            return;
        }

        if (null == authTicket)
        {//Cookie failed to decrypt.
            return;
        }

        //When the ticket was created, the UserData property was assigned a
        //pipe-delimited string of group names.
        String[] groups = authTicket.UserData.Split(new char[] { '|' });

        //Create an Identity.
        System.Security.Principal.GenericIdentity id = new GenericIdentity(authTicket.Name, "LdapAuthentication");

        //This principal flows throughout the request.
        GenericPrincipal principal = new GenericPrincipal(id, groups);

        Context.User = principal;

    }

 

3.       修改Web.config,代码如下

 

 1<system.web>
 2    <authentication mode="Forms">
 3      <forms loginUrl="logon.aspx" name="adAuthCookie" timeout="10" path="/" >
 4      </forms>
 5    </authentication> 
 6    <authorization> 
 7      <deny users="?" />
 8      <allow users="*" />
 9    </authorization> 
    <identity impersonate="true" />
  </system.web>

 

4.       为匿名身份验证配置IIS
默认网站——虚拟目录——目录安全——匿名访问和身份验证——编辑——去掉默认的IUSER账户,IUSER 默认状态下没有访问AD的权限,因此需要替换成一个具有AD访问权限的用户!IIS6和IIS7设置步骤有点不同可以参考下面的图片!

创建Logon.aspx来进行测试了啊,代码伺候!
HTML 代码

 

 

 1<form id="Login" method="post" runat="server">
 2    Your Domain information is:<asp:Label runat="server" ID="Domainname"></asp:Label>
 3   <br />
 4      <asp:Label ID="Label1" Runat=server >Domain:</asp:Label>
 5      <asp:TextBox ID="txtDomain" Runat=server ></asp:TextBox><br>    
 6      <asp:Label ID="Label2" Runat=server >Username:</asp:Label>
 7      <asp:TextBox ID=txtUsername Runat=server ></asp:TextBox><br>
 8      <asp:Label ID="Label3" Runat=server >Password:</asp:Label>
 9      <asp:TextBox ID="txtPassword" Runat=server TextMode=Password></asp:TextBox><br>
      <asp:Button ID="btnLogin" Runat=server Text="Login" OnClick="Login_Click"></asp:Button><br>
      <asp:Label ID="errorLabel" Runat=server ForeColor=#ff3300></asp:Label><br>
      <asp:CheckBox ID=chkPersist Runat=server Text="Persist Cookie" />
    </form>

 

 

 1protected void Login_Click(object sender, EventArgs e)
 2    {
 3        String adPath = "LDAP://Here is the full domain name"; //Fully-qualified Domain Name
 4        LdapAuthentication adAuth = new LdapAuthentication(adPath);
 5        try
 6        {
 7            if (true == adAuth.IsAuthenticated(txtDomain.Text, txtUsername.Text, txtPassword.Text))
 8            {
 9                String groups = adAuth.GetGroups();

                //Create the ticket, and add the groups.
                bool isCookiePersistent = chkPersist.Checked;
                FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, txtUsername.Text,
              DateTime.Now, DateTime.Now.AddMinutes(60), isCookiePersistent, groups);

                //Encrypt the ticket.
                String encryptedTicket = FormsAuthentication.Encrypt(authTicket);

                //Create a cookie, and then add the encrypted ticket to the cookie as data.
                HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);

                if (true == isCookiePersistent)
                    authCookie.Expires = authTicket.Expiration;

                //Add the cookie to the outgoing cookies collection.
                Response.Cookies.Add(authCookie);

                //You can redirect now.
                Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUsername.Text, false));
            }
            else
            {
                errorLabel.Text = "Authentication did not succeed. Check user name and password.";
            }
        }
        catch (Exception ex)
        {
           errorLabel.Text = "Error authenticating. " + ex.Message;
        }

    }

 

 由于上面设计比较多的代码，没有贴出图片，下面就是IIS6和IIS7配置的几张截图