Question
I am building a Winform App which includes an App server using C#. It's for a corporate client of mine and the client has its own windows domain.
However, the app server will NOT be in their domain. The app will sit in a cloud VM.
The client (like any client) wants to make things easy for their users. They want to use their user's windows Id. They don't want their users having to log in again to access my App. As long as the user is part of a windows domain group, he/she should be given access to the app without the need to type in a password.
I'm wondering if this can be done since my App Server is NOT part of their domain.
If so, how?
Answer 1:
Sure, there are a couple options.
Federation -- use a federation protocol like SAML/WS-Fed, or similarly OpenID Connect. Your app server accepts a token from an Identity Provider that is based on the internal user identity. Active Directory offers ADFS and Azure AD. There are also other good third party services that do the same thing.
Kerberos -- Use a library like Kerberos.NET to accept Kerberos tickets. You need to configure a service principal in their domain for the key and SPN, and then configure your app to accept tickets using the key. You can also use builtin Windows functions SSPI, but that requires a fair bit of work outside of domain environments.
```csharp
using System.Linq;
using System.Security.Claims;
using Kerberos.NET;
using Kerberos.NET.Crypto;
var authenticator = new KerberosAuthenticator(new KeyTable(System.IO.File.ReadAllBytes("sample.keytab"))); // keytab holding the service key for the app's SPN in the client's domain
var identity = authenticator.Authenticate("YIIHCAYGKwYBBQUCoIIG..."); // base64 Kerberos token sent by the client (truncated in the original)
Assert.IsNotNull(identity); // MSTest assertion from the library's sample; a null identity means the ticket did not validate
var groups = identity.Claims.Where(c => c.Type == ClaimTypes.GroupSid); // domain group membership, decoded from the ticket's PAC
```
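Once the ticket validates, the app still has to turn those group claims into an access decision. The following is an added example, not code from the answer or from Kerberos.NET: a hypothetical `GroupGate` helper that fails closed on an unauthenticated identity and matches the allowed groups by SID rather than by display name; the SIDs and the sample identity are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Hypothetical helper (not from Kerberos.NET or the answer above): decides whether
// an authenticated domain identity may use the app, matching group SIDs rather
// than group names, since names can be renamed while SIDs stay stable.
public static class GroupGate
{
    // Constructed placeholder SIDs; real values come from the client's AD admins.
    private static readonly HashSet<string> AllowedGroupSids =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "S-1-5-21-1111111111-2222222222-3333333333-1001", // e.g. CORP\App-Users
            "S-1-5-21-1111111111-2222222222-3333333333-1002", // e.g. CORP\App-Admins
        };

    public static bool IsAllowed(ClaimsIdentity identity, out string reason)
    {
        // Fail closed: a missing or unauthenticated identity never passes.
        if (identity == null || !identity.IsAuthenticated)
        {
            reason = "no authenticated identity";
            return false;
        }
        // GroupSid claims are decoded from the ticket's PAC, which the KDC
        // signs with the service key held in the app's keytab.
        var matches = identity.Claims
            .Where(c => c.Type == ClaimTypes.GroupSid)
            .Select(c => c.Value)
            .Where(AllowedGroupSids.Contains)
            .ToList();
        reason = matches.Count == 0
            ? $"'{identity.Name}' is in none of the allowed groups"
            : $"'{identity.Name}' allowed via {string.Join(", ", matches)}";
        return matches.Count > 0;
    }

    public static void Main()
    {
        // Constructed identity standing in for the authenticator's output.
        var user = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "jdoe@CORP.EXAMPLE"),
            new Claim(ClaimTypes.GroupSid, "S-1-5-21-1111111111-2222222222-3333333333-513"),
            new Claim(ClaimTypes.GroupSid, "S-1-5-21-1111111111-2222222222-3333333333-1001"),
        }, "Kerberos"); // a non-empty authentication type makes IsAuthenticated true
        Console.WriteLine(IsAllowed(user, out var why) ? "ALLOW: " + why : "DENY: " + why);
    }
}
```

With the constructed input the sample user is allowed through the first placeholder SID; removing that claim makes the same call deny.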
Answer 2:
NTLM would be used as a fallback in cases where Kerberos (normal domain authentication method amongst domain-joined computers) is not available. Reference:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa378749(v=vs.85).aspx
http://en.wikipedia.org/wiki/NTLM
Source: https://stackoverflow.com/questions/62546868/can-an-application-server-outside-a-windows-domain-verify-a-user-of-that-domain