这是我上一个问题的后续。
问题
验证传递给
PrincipalContext
的凭据的正确方法是什么?
背景
在我的应用程序中,我使用PrincipalContext(ContextType, String, String, String)
实例化PrincipalContext
。我有许多集成测试在凭据不正确(或提供的凭据不适用于管理员(时失败,因此我希望能够捕获此测试。
如果凭据无效PrincipalContext.ConnectedServer
则抛出System.DirectoryServices.DirectoryServicesCOMException
,但是直到第一次使用主体上下文时才发现。
try
{
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "my_domain.local", "wrong_username", "wrong_password");
}
catch (exception e)
{
// This block is not hit
}
// `System.DirectoryServices.DirectoryServicesCOMException` raised here
using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName)) {}
异常详情:
System.DirectoryServices.DirectoryServicesCOMException
HResult=0x8007052E
Message=The user name or password is incorrect.
Source=System.DirectoryServices
StackTrace:
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue)
at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)
我尝试了什么
我最初的想法是在创建时检查凭据,但是如果我们使用不同的凭据重用PrincipalContext
,我们会得到一个System.DirectoryServices.Protocols.LdapException
。
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "my_domain.local", "correct_username", "correct_password");
if (ctx.ValidateCredentials("correct_username", "correct_password"))
{
// `System.DirectoryServices.Protocols.LdapException` raised here
using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, different_user)) {}
}
异常详情:
System.DirectoryServices.Protocols.LdapException
HResult=0x80131500
Message=The LDAP server is unavailable.
Source=System.DirectoryServices.Protocols
StackTrace:
at System.DirectoryServices.Protocols.ErrorChecking.CheckAndSetLdapError(Int32 error)
at System.DirectoryServices.Protocols.LdapSessionOptions.FastConcurrentBind()
at System.DirectoryServices.AccountManagement.CredentialValidator.BindLdap(NetworkCredential creds, ContextOptions contextOptions)
at System.DirectoryServices.AccountManagement.CredentialValidator.Validate(String userName, String password)
at System.DirectoryServices.AccountManagement.PrincipalContext.ValidateCredentials(String userName, String password)
正确的方法是什么?
有没有一种公认的方法来测试这一点?我应该尝试将PrincipalContext.ConnectedServer
分配给局部变量并捕获异常吗?
您可以将上下文的实际用法移动到try
块中:
try
{
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "my_domain.local", "wrong_username", "wrong_password");
using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName)) {}
}
catch (exception e)
{
}
如果您打算将该上下文用于其他操作,那么这是我了解如何测试凭据的唯一方法。
但是,如果你的唯一目标是验证凭据,则可以直接使用DirectoryEntry
(从 NuGet 安装System.DirectoryServices
(。您将从堆栈跟踪中看到,PrincipalContext
无论如何都会使用下面的DirectoryEntry
。我发现直接使用DirectoryEntry
无论如何都要快得多,尽管有时使用起来可能更复杂。
以下是仅使用DirectoryEntry
验证凭据的方法:
var entry = new DirectoryEntry("LDAP://domain.local", "username", "password");
//creating the object doesn't actually make a connection, so we have to do something to test it
try {
//retrieve only the 'cn' attribute from the object
entry.RefreshCache(new[] {"cn"});
} catch (Exception e) {
}
另一种方法是直接使用LdapConnection
(从NuGet安装System.DirectoryServices.Protocols
(。这可能是验证凭据时必须发生的最少的实际网络流量。但是您可能需要弄清楚身份验证方法。默认情况下,它使用 Negotiate,但如果这不起作用,则必须使用其他构造函数并手动选择身份验证方法。
var id = new LdapDirectoryIdentifier("domain.local");
var conn = new LdapConnection(id, new NetworkCredential("username", "password"));
try {
conn.Bind();
} catch (Exception e) {
}