Using the Windows Domain to Give the Client "Zero" Configuration
Lewolf
Keywords: C/S, Windows domain, Active Directory, domain user, client "zero" configuration
Summary: This article describes how to bring the client program of a C/S (client/server) system down to "zero" configuration by using Windows domain users. Reducing client configuration is an important way to make clients more flexible and more convenient to deploy, and it also helps the security and reliability of the whole system.
In an application with a C/S structure, the client inevitably has to be configured: the server address, the database access parameters and so on. A client that has not been configured cannot work together with the server to form the complete system. The "zero" configuration discussed in this article does not mean no configuration at all; it means that no cumbersome and error-prone manual configuration is done on the client, which for a large-scale application system greatly reduces the cost of client maintenance and management. It is easy to picture the alternative: in a C/S system with hundreds of clients, a routine change of the database access password by the DBA brings the entire system to a halt, and some workstations cannot work until every one of them has been reconfigured.
Reducing the burden on network administration, getting rid of frequent system maintenance, strengthening centralized management and improving system security are the problems this article explores. It introduces a solution that uses the Windows 2000 domain (Active Directory) to implement "zero" configuration of the client. A large application system currently runs on this design; it has operated safely and smoothly, and practice has shown it to be a workable solution of real practical value.
Feasibility of integrating the application system with domain user authentication
I. Security of Windows domain users
The domain is the user management system introduced with the Windows NT operating system. In Windows 2000 Server the domain was upgraded to Active Directory, which provides a stronger user security mechanism, more functions built on the directory, and stronger management of domain user policies.
Windows domain users are not perfectly reliable in every respect, and, like any operating system, Windows has had many security vulnerabilities; nothing is completely safe. What is beyond question, however, is that an application which uses Windows domain users as its authentication system inherits the system-level security measures that come with them (password policy, account lockout, auditing, centrally managed accounts) instead of re-implementing them. As long as the operating system is secure, the application's authentication is essentially secure as well. From this point of view, using Windows domain users to authenticate the application system raises the security of the system.
II. Application authentication
Any C/S system has to deal with security and user authentication. Most C/S applications make the client program implement its own user authentication: only after entering the correct user name and password can the user access the server.
This is in fact a duplicated process. On Windows systems, strictly speaking on NT-based Windows, user logon is already a strict authentication process, and even Windows 95 and Windows 98 can be configured to log on to a domain so that the logon is validated under the domain's user policy. The Windows logon is therefore already a strict logon procedure, and by the time it completes, the user's identity has been confirmed.
Most applications nevertheless do not use the Windows logon as their own authentication, which does not mean the approach is unworkable. On the contrary, combining the application with domain users not only raises the security level of the application itself but also removes an unnecessary duplicate authentication step. Where a higher level of security is needed, a secondary authentication can still be added to the workflow for key operations.
III. Implementation of application authentication
The so-called "zero" configuration of the client does not mean the client needs no configuration; it means the configuration information is obtained over the network, and that the authentication of the user's operating authority is completed at the same time as the configuration is obtained. Even though the configuration is fetched from the network, the client is not standing alone: this task can be handed to the operating system, because the system has already completed the user's logon. The authentication method discussed here must run on a network with a domain controller, and the client must be a member of that domain. This is a basic requirement; otherwise the client cannot be managed over the network and the user's access cannot be controlled.
In a large Windows-based network application the domain is indispensable. Network services such as DNS, DHCP and WINS are usually also run on the domain controller and managed centrally. One purpose of "zero" configuration of the client application is precisely to manage all clients completely, without additional network management software.
The basic element of "zero" configuration is that the client locates the domain controller it logged on to. Windows already does this during logon; what Windows does not provide is a service that hands application configuration to authenticated clients, so we have to write one: a logon service for client authentication and access. The logon service can deliver any information the application wants to the client program, but the most important is the database configuration: database type, database name, server, database user name and password. Once the client has database access, any configuration information, however complex, can be read from the database.
Integrating domain user authentication
Integrating the application system with domain users requires no initial information on the client, which is how "zero" configuration is reached: only the Windows domain user authentication process is used. Implementing it takes three steps. The figure below shows the flow of the whole authentication process; the three steps are introduced in turn.
I. Collect local information
To integrate the application with domain users, the application must obtain the logon information of the currently logged on user, or of the user running the process. In some systems the configuration is also tied to the workstation the client runs on; those systems must collect information about the workstation as well as the user's logon information, and what exactly is collected, and how complex it is, depends on the requirements. The one piece of basic information is always the user's logon information, because only with it can the user's rights be verified.
II. Locate the logon server
In Windows, authentication and configuration of domain users can also be implemented with logon scripts and domain user policies, but for an application system that is not complete enough. The method described in this article uses its own logon service to complete client authentication.
The logon service is an integral part of the application. It can run on any NT-based Windows host, but it is usually most suitable to run it on a domain controller, for the following reasons:
1. In a network that contains a domain, the domain controller is normally the core of the network, with relatively robust hardware and software, and the network usually contains at least a primary domain controller and a backup domain controller; with Active Directory in Windows 2000 there are usually several domain controllers as well. A service running on the domain controller therefore enjoys the same availability guarantees as the system itself.
2. The client application can obtain the list of domain controllers easily and without any additional configuration. The Windows operating systems can list the hosts on the network, but it is clearly unsuitable for ordinary workstations to be probed for the logon service; only the few hosts running a server operating system are candidates, and among them the domain controllers are the best choice, because domain information is easiest to obtain from them.
The trade-off to weigh is that a service placed on the domain controller runs on the most sensitive host in the domain: the service's code and the database credentials it holds are exposed to any compromise of that host, and a weakness in the service exposes the domain controller.
III. Verify the logon information and obtain the configuration
One purpose of integrating the application with domain users is to reduce client configuration, even to "zero". This is not an empty idea. For any system the first thing to confirm is the user's role: the members of each role have different operating permissions and capabilities in the system, which naturally include restrictions on database access, and this role is usually held in the database's own user management. But for the client to obtain its role it must first access the database. This produces a contradiction: either the client has to be configured with database access information of suitable permissions, or the client is given free access to the database. Either choice tests the robustness of the system.
Windows domain authentication resolves this awkward problem. Many database products let you choose between the database's own user authentication and operating system (integrated) authentication, but integrated authentication easily causes permissions to proliferate. In the design described here, database access does not rely on system user authentication: whether the database runs on a domain controller or on another host, no domain user obtains direct access to the database; the client receives only the database credential that the logon service issues for its role.
Windows NT and later define three basic roles (user groups) for domain users, Administrators, Users and Guests, and the system also lets administrators define custom groups. Each group is identified by its own SID, and a domain can hold far more groups than any application's role model will ever need; a typical application system offers only four or five user roles. We can therefore use the domain user's group to determine its role for database access, and hand out a database user name and password with the corresponding privileges according to the group of the logged on domain user.
In addition, the server versions of Windows have strong management capabilities over the workstations that join the domain. Besides domain users, workstation permissions and per-workstation configuration can also be stored in the database, so that the application system can also take dependencies on what the operating system knows about the workstation.
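The three steps above, as an added example in PowerShell (not the article's code, whose source is not available): it calls the same netapi32 functions the article names for the client, NetWkstaUserEnum and NetServerEnum, through P/Invoke, and assumes a domain-joined Windows workstation. The JSON shape of the claim sent to the logon service is an assumption of this example; the article does not specify the wire format.

```powershell
# Added example, not the article's code: a client's three steps, using the netapi32
# calls the article names (NetWkstaUserEnum, NetServerEnum) via P/Invoke.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class NetApi
{
    [StructLayout(LayoutKind.Sequential)]
    public struct WKSTA_USER_INFO_1
    {
        public IntPtr wkui1_username;      // LPWSTR, points into the NetApi buffer
        public IntPtr wkui1_logon_domain;
        public IntPtr wkui1_oth_domains;
        public IntPtr wkui1_logon_server;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct SERVER_INFO_100
    {
        public uint   sv100_platform_id;
        public IntPtr sv100_name;          // LPWSTR
    }
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetWkstaUserEnum(string servername, int level, out IntPtr bufptr,
        int prefmaxlen, out int entriesread, out int totalentries, ref int resumehandle);
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetServerEnum(string servername, int level, out IntPtr bufptr,
        int prefmaxlen, out int entriesread, out int totalentries, uint servertype,
        string domain, IntPtr resumehandle);
    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buffer);
}
'@

function Read-NetApiArray {
    # Yield the $Count structs of type $Type packed at $Buffer. The caller frees the buffer
    # only after it has copied out every string, because the LPWSTR members point into it.
    param([IntPtr]$Buffer, [int]$Count, [type]$Type)
    $size = [Runtime.InteropServices.Marshal]::SizeOf($Type)
    for ($i = 0; $i -lt $Count; $i++) {
        [Runtime.InteropServices.Marshal]::PtrToStructure([IntPtr]($Buffer.ToInt64() + $i * $size), $Type)
    }
}

function Get-LogonSessions {
    # Step 1: who is logged on at this workstation ($null), or at "\\HOST" (needs admin there).
    param($Workstation = $null)
    $buf = [IntPtr]::Zero; $read = 0; $total = 0; $resume = 0
    $rc = [NetApi]::NetWkstaUserEnum($Workstation, 1, [ref]$buf, -1, [ref]$read, [ref]$total, [ref]$resume)
    if ($rc -ne 0) { throw "NetWkstaUserEnum failed: NET_API_STATUS $rc" }
    try {
        foreach ($e in Read-NetApiArray -Buffer $buf -Count $read -Type ([NetApi+WKSTA_USER_INFO_1])) {
            [pscustomobject]@{
                User        = [Runtime.InteropServices.Marshal]::PtrToStringUni($e.wkui1_username)
                LogonDomain = [Runtime.InteropServices.Marshal]::PtrToStringUni($e.wkui1_logon_domain)
                LogonServer = [Runtime.InteropServices.Marshal]::PtrToStringUni($e.wkui1_logon_server)
            }
        }
    } finally { [void][NetApi]::NetApiBufferFree($buf) }
}

function Get-DomainControllers {
    # Step 2: the PDC/BDCs (or AD domain controllers) of $Domain, as candidate logon-service hosts.
    # NetServerEnum depends on the Computer Browser service, which current Windows versions
    # no longer run by default; DsGetDcName is the modern replacement.
    param($Domain = $null)   # $null = the domain this workstation belongs to
    $dcTypes = [uint32](0x8 -bor 0x10)   # SV_TYPE_DOMAIN_CTRL | SV_TYPE_DOMAIN_BAKCTRL
    $buf = [IntPtr]::Zero; $read = 0; $total = 0
    $rc = [NetApi]::NetServerEnum($null, 100, [ref]$buf, -1, [ref]$read, [ref]$total, $dcTypes, $Domain, [IntPtr]::Zero)
    if ($rc -ne 0 -and $rc -ne 234) { throw "NetServerEnum failed: NET_API_STATUS $rc" }   # 234 = ERROR_MORE_DATA
    try {
        foreach ($e in Read-NetApiArray -Buffer $buf -Count $read -Type ([NetApi+SERVER_INFO_100])) {
            [Runtime.InteropServices.Marshal]::PtrToStringUni($e.sv100_name)
        }
    } finally { [void][NetApi]::NetApiBufferFree($buf) }
}

# Step 3 (client side): assemble the claim submitted to the logon service; the service's
# wire format is not given by the article, so JSON is assumed here.
$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name     # "DOMAIN\user"
$session = Get-LogonSessions |
    Where-Object { "$($_.LogonDomain)\$($_.User)" -ieq $me } | Select-Object -First 1
if (-not $session) { throw "no workstation logon session found for $me" }
$claim = [pscustomobject]@{
    User        = $session.User
    Domain      = $session.LogonDomain
    Workstation = [System.Net.Dns]::GetHostName()    # what gethostname() returns
    LogonServer = $session.LogonServer               # "\\DC1": the DC that validated the logon
}
$claim | ConvertTo-Json -Compress
Get-DomainControllers -Domain $session.LogonDomain  # fallbacks if the logon server is down
```

Two points the example makes that the article's function list does not: WKSTA_USER_INFO_1 already carries the logon server in wkui1_logon_server, so the client only needs NetServerEnum as a fallback when that controller is unreachable; and NetServerEnum is a browser-service call, so on a current Active Directory domain the DC list should come from DsGetDcName or the DNS SRV records instead.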
Related system functions
The main API functions used in the method described here are as follows:
Client:
NetWkstaUserEnum: obtains the logon information of the currently logged on user, or of the user running the current process. The logon information used is the user name and the logon domain; the result is returned in the WKSTA_USER_INFO_1 structure, whose wkui1_logon_server member also names the domain controller that validated the logon.
gethostname: obtains the name of the local workstation, which is submitted to the server together with the logon information.
NetServerEnum: enumerates the computers on the network; here it is used to enumerate the domain controllers of the domain, which are the hosts of the logon service.
Server:
NetServerEnum: enumerates domains and domain controllers.
gethostname: obtains the name of the local machine.
NetUserEnum: enumerates the user accounts held by the domain controller, i.e. the list of domain users.
NetGroupEnum: enumerates the global groups of the domain controller, i.e. the custom user roles.
NetWkstaUserEnum: obtains the list of users logged on to a specified workstation. When a client submits its logon information, the logon service queries the workstation named in the submission and checks that the claimed user is in fact logged on there. This is not a mandatory step, but it guards against an attempt to deceive the logon service by submitting another user's logon information from the same physical network.
Conclusion
Practice has shown that this authentication method improves the manageability of clients, improves the consistency and availability of the system, and lets the logon service be used to extend the functionality of every client. At the same time it brings some drawbacks, mainly the following:
1. It is not suitable for Windows 95 and 98. The NetWkstaUserEnum function used on the client, and strong user authentication in general, are only guaranteed on NT-based systems; the production system this article is based on runs entirely on Windows 2000.
2. Software tied to domain users may conflict with it, for example network anti-virus software that relies on the domain user logon script, which may conflict with the client's user authentication.
3. It must run on a network that contains a domain, and the client must run on a workstation that has joined the domain. The client program can be run as a domain user with Run As on a workstation that is not a member, but joining the domain is recommended.
4. It shortens the client's logon process, but it also means that any legitimate domain user who logs on to any workstation in the domain can start and run the client. This is not a very serious problem, because security always rests on the operator's security awareness; cultivating good operating habits and security awareness is the fundamental solution, and for operations with stricter requirements a secondary authentication step can be added.
5. The user name, domain and workstation name the client submits are self-asserted data. The NetWkstaUserEnum cross-check confirms only that such a user is logged on at the named workstation, not that the request came from that session, and the database password the service returns is then in the hands of whoever made the request. Where the logon service hands out database credentials on the strength of that claim, the transport between client and service should authenticate the caller with the domain's own mechanism (for example an SSPI-authenticated named pipe or RPC binding, whose client identity the service can query) rather than trusting fields in the request body.
The source code of the implementation involves commercial confidentiality and is not available; the main API functions are described in detail in the Windows SDK.
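The server side, as an added example in PowerShell (not the article's code): the logon service's handling of one client claim, with the cross-check described under the server's NetWkstaUserEnum entry done here through the Win32_ComputerSystem CIM class instead of netapi32, followed by the group-to-role mapping that turns domain group membership into a role-bound database credential. The group names, database accounts and passwords, the database server name and the claim values are placeholders constructed for this example; a real service would keep the credentials in a protected store, and its account needs administrative access to the workstations it queries.

```powershell
# Added example, not the article's code: the logon service verifying one claim and
# returning the configuration for the caller's role.
$RoleTable = [ordered]@{             # most privileged group first; the first match wins
    'APP-Admins'    = @{ Role = 'admin';    DbUser = 'app_admin';  DbPassword = '<admin-secret>' }
    'APP-Operators' = @{ Role = 'operator'; DbUser = 'app_oper';   DbPassword = '<oper-secret>' }
    'Domain Users'  = @{ Role = 'reader';   DbUser = 'app_reader'; DbPassword = '<reader-secret>' }
}
$DbConfig = @{ Type = 'SQLServer'; Server = 'db01.example.local'; Database = 'appdb' }   # placeholders

function Test-ClaimedLogon {
    # The article's anti-spoofing cross-check: ask the named workstation who is logged on at
    # its console and compare with the claim. Win32_ComputerSystem.UserName holds the
    # interactive user as "DOMAIN\user"; the query runs under the service's own account.
    param([string]$User, [string]$Domain, [string]$Workstation)
    try {
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $Workstation -ErrorAction Stop
    } catch { return $false }   # an unreachable workstation counts as "not verified"
    return ($cs.UserName -ieq "$Domain\$User")
}

function Get-UserGroups {
    # Effective (nested) domain group membership, which is what an authorization decision
    # should use rather than the direct memberOf attribute alone.
    param([string]$User, [string]$Domain)
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $Domain)
    $up  = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, 'SamAccountName', $User)
    if (-not $up) { return @() }
    return @($up.GetAuthorizationGroups() | ForEach-Object { $_.SamAccountName })
}

function Resolve-ClientConfig {
    # Verify the claim, then hand out the database access bound to the caller's role.
    # Returns $null (and logs why) when the claim is rejected.
    param([pscustomobject]$Claim)
    if (-not (Test-ClaimedLogon -User $Claim.User -Domain $Claim.Domain -Workstation $Claim.Workstation)) {
        Write-Warning "rejected: $($Claim.Domain)\$($Claim.User) is not logged on at $($Claim.Workstation)"
        return $null
    }
    $groups = Get-UserGroups -User $Claim.User -Domain $Claim.Domain
    foreach ($group in $RoleTable.Keys) {
        if ($groups -icontains $group) {
            $cred = $RoleTable[$group]
            return [pscustomobject]@{
                Role = $cred.Role; DbType = $DbConfig.Type; DbServer = $DbConfig.Server
                Database = $DbConfig.Database; DbUser = $cred.DbUser; DbPassword = $cred.DbPassword
            }
        }
    }
    Write-Warning "rejected: $($Claim.Domain)\$($Claim.User) is in no application role group"
    return $null
}

# A claim as a client would submit it (constructed values).
$claim = [pscustomobject]@{ User = 'jdoe'; Domain = 'CORP'; Workstation = 'WS042' }
Resolve-ClientConfig -Claim $claim | Format-List
```

The cross-check only establishes that the named user has a console session on the named workstation; it does not tie the request to that session, which is why the role table above should sit behind a transport that authenticates the caller (an SSPI-protected named pipe or RPC binding) before the database password leaves the service.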