Question
Possible Duplicate:
Authenticating users using Active Directory in Client-Server Application
I'm attempting a single sign-on approach in my program using unmanaged C++, and need to determine if the current Windows user is authenticated in my domain. If I can find a way to know that the user has been authenticated, I'll allow him into my desktop application without requiring a password (usernames are the same in my app and on domain).
I can authenticate directly against Active Directory using ADsOpenObject(), but that requires username, password and privileges; I need to do it only with a username, and no input from the user himself.
With .NET I could use something from System.DirectoryServices, like in this thread.
As far as I've found out, this task may involve analyzing Windows security Kerberos tokens to do properly. This was thoroughly discussed in this thread and touched upon for Java in this thread. Though I do not need strict SSO, since my app does not try to access anything related to domain.
Is the SSPI ticket way the only way, or can I exploit some property of ADSI/WinLogon/CredentialsCache to make it work?
Answer 1:
This is a very simple way, but if you check the environment variables for the user:
On a workgroup:
COMPUTERNAME=JPBHPP2
LOGONSERVER=\\JPBHPP2
USERDOMAIN=JPBHPP2
On a domain:
COMPUTERNAME=WM2008R2ENT
LOGONSERVER=\\WM2008R2ENT
USERDNSDOMAIN=DOM.FR
USERDOMAIN=DOM
Here it's not so evident because the user is logged on to the server, but the USERDOMAIN is different from COMPUTERNAME.
There is also the GetUserNameEx API that can do the job:
BOOLEAN WINAPI GetUserNameEx(
    __in    EXTENDED_NAME_FORMAT NameFormat,
    __out   LPTSTR lpNameBuffer,
    __inout PULONG lpnSize
);
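The comparison Answer 1 describes (account authority versus computer name), written as an added example that is not part of the original answer. It reads the SAM-compatible name from GetUserNameEx instead of environment variables, which whoever launches the process can set freely. The names classifyLogon and classifyCurrentUser are hypothetical, and the user name jpb in the comments is a constructed sample.

```cpp
// Added example: decide whether "AUTHORITY\user" names a local or a domain account.
// Constructed samples: "JPBHPP2\jpb" on JPBHPP2 -> local; "DOM\jpb" on WM2008R2ENT -> domain.
#include <algorithm>
#include <cctype>
#include <string>

enum class LogonKind { Unknown, LocalAccount, DomainAccount };

// NetBIOS names compare case-insensitively, so normalise before comparing.
static std::string upper(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::toupper(c)); });
    return s;
}

// samName: the form GetUserNameEx(NameSamCompatible) returns, "AUTHORITY\user".
// computerName: the NetBIOS name of this machine.
LogonKind classifyLogon(const std::string& samName, const std::string& computerName) {
    const auto slash = samName.find('\\');
    if (slash == std::string::npos || slash == 0 ||
        slash + 1 == samName.size() || computerName.empty())
        return LogonKind::Unknown;  // malformed input: never guess "domain"
    // A local account is issued by the machine itself, so the authority equals the host name.
    return upper(samName.substr(0, slash)) == upper(computerName)
               ? LogonKind::LocalAccount : LogonKind::DomainAccount;
}

#ifdef _WIN32
#define SECURITY_WIN32          // required before <security.h>
#include <windows.h>
#include <security.h>
#pragma comment(lib, "Secur32.lib")  // MSVC-specific; otherwise link Secur32 manually

// DomainAccount means the logon session belongs to a domain principal. It does not
// show that a domain controller was reachable at logon (cached credentials exist),
// so treat it as identification of the account, not as a fresh authentication.
LogonKind classifyCurrentUser() {
    char sam[512];
    ULONG samLen = sizeof(sam);
    char host[MAX_COMPUTERNAME_LENGTH + 1];
    DWORD hostLen = sizeof(host);
    if (!GetUserNameExA(NameSamCompatible, sam, &samLen) || !GetComputerNameA(host, &hostLen))
        return LogonKind::Unknown;
    return classifyLogon(sam, host);
}
#endif
```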
Answer 2:
You could use ADsGetObject function - if you want to bind with current credentials - and check if the user is authenticated in a specific domain.
Source: https://stackoverflow.com/questions/7663439/how-to-determine-if-logged-on-windows-account-has-been-authenticated-on-domain