将.NET MVC应用程序中的User.Identity映射到活动目录用户
[英]Mapping User.Identity in .NET MVC app to active directory user
问题描述
I'm writing a .NET MVC 5 app which is on an intranet, uses Windows Authentication and needs to query Active Directory to see what groups are available and then check if a user is in that role. 
我正在编写一个内部网上的.NET MVC 5应用程序,使用Windows身份验证,需要查询Active Directory以查看可用的组,然后检查用户是否在该角色中。
The source of group and user names will be active directory. 组和用户名的来源将是活动目录。 I then need to check identity and membership using .NET Identity. 然后,我需要使用.NET Identity检查身份和成员身份。 I'm not sure what fields map to what. 我不确定哪些字段映射到什么。
Fields of interest in AD seem to be: AD中感兴趣的领域似乎是:
- SamAccountName: I think this is the username that I get from User.Identity, but the docs say that this property is: The logon name used to support clients and servers running earlier versions of the operating system, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager. SamAccountName:我认为这是我从User.Identity获得的用户名,但是文档说这个属性是: 用于支持运行早期版本操作系统的客户端和服务器的登录名,例如Windows NT 4.0,Windows 95 ,Windows 98和LAN Manager。
- CN: A displayable version of the user's name CN:用户姓名的可显示版本
- objectGUID: An identifier for a user or group that won't change. objectGUID:不会更改的用户或组的标识符。 Important as users will change their username if their surname changes. 重要的是,如果用户姓氏发生变化,用户将更改其用户名。
So, I think SamAccountName == User.Identity.Name , but the docs say that SamAccountName is for earlier operating systems. 所以,我认为SamAccountName == User.Identity.Name ,但文档说SamAccountName适用于早期的操作系统。 Does this effectively mean this is deprecated and I should be using something else? 这是否有效意味着这已被弃用,我应该使用别的东西?
Also, are my assertions about CN and objectGUID correct? 我的关于CN和objectGUID的断言是否正确?
1 个解决方案
解决方案1
3 已采纳 2014-01-23 11:07:49
First step: setting the parameters to use AD: 第一步:设置参数以使用AD:
In your the section of your web.config file, set the following: 在web.config文件的部分中,设置以下内容:
<authentication mode="Windows" />
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
<providers>
<clear />
<add
name="AspNetWindowsTokenRoleProvider"
type="System.Web.Security.WindowsTokenRoleProvider"
applicationName="/" />
</providers>
</roleManager>
Now, you will be able to directly use methods from the System.Web.Security namespace. 现在,您将能够直接使用System.Web.Security命名空间中的方法。
If you want to restrict the access to a View to only people members of the "groupName" group of your AD: 如果要将对View的访问权限仅限于AD的“groupName”组的成员:
You only have to decorate your controller action like that: 你只需要像这样装饰你的控制器动作:
[Authorize(Roles = @"DOMAIN\groupName")]
Public ActionResult Index()
{...}
If you want to do treatments based on the AD groups of users: 如果您想根据AD用户群进行治疗:
Use methods such as "IsInRole(rolename)" in your treatments: 在治疗中使用“IsInRole(rolename)”等方法:
if (User.IsInRole("DOMAIN\\groupName"))
{
// Do what you want
}
EDIT: implementation of the problematic: here you should save the sAMAccountName of the group affected to your task when you create the task. 编辑:有问题的实现:在这里,您应该在创建任务时保存受影响的组的sAMAccountName。 Then when a user wants to mark the task as complete, just check: 然后,当用户想要将任务标记为完成时,只需检查:
if (User.IsInRole("DOMAIN\\" + sAMAccountNameOfTheGroupDedicatedToYourTask))
{
// Mark as complete
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.