MVC Authentication/Authorization with Active Directory in IIS Express
http://forums.asp.net/t/1894061.aspx?ASP+NET+MVC+integration+with+Active+Directory
In regards to the post above.

I have been trying to implement Active Directory security using IIS Express for my local development environment using Visual Studio 2013. Currently I have modified IIS Express to allow me to override the authentication methods in the applicationhost.config, as specified in this post: IIS Express Windows Authentication

In addition, I also made the default application pool user a valid Domain Administrator. I modified the Authorize attribute on the Home Controller of a basic MVC site. Then on the home controller I added the following code, as suggested in the first post I mentioned. The code is below.

When I browse to this page it only shows the groups of the local machine that I belong to. It does not show the groups of the Domain that I belong to. Because of this I cannot actually Authorize any groups on my Domain, only groups that exist locally. Why is that? Any assistance would be helpful.
<h2>Logged in as: @User.Identity.Name</h2>
<h2>Groups</h2>
<ul>
@{
    // Only a WindowsIdentity carries the token's group SIDs; under Forms or anonymous
    // authentication this cast yields null, so guard it before touching id.Groups.
    var id = User.Identity as System.Security.Principal.WindowsIdentity;
    if (id != null)
    {
        foreach (var g in id.Groups)
        {
            // Resolve the SID to AUTHORITY\Name form (MACHINE\Group for local groups,
            // DOMAIN\Group for domain groups).
            var name = g.Translate(typeof(System.Security.Principal.NTAccount)).Value;
            var nameWithoutAuthority = name;
            var idx = name.IndexOf('\\');
            if (idx >= 0)
            {
                nameWithoutAuthority = name.Substring(idx + 1);
            }
            <li>@g.Value,
                @name,
                @User.IsInRole(name),
                @nameWithoutAuthority,
                @User.IsInRole(nameWithoutAuthority)
            </li>
        }
    }
}
</ul>
The behaviour you are seeing would appear to be by design, see Which Groups Does WindowsIdentity.Groups Return?

To summarise:

Under the covers, WindowsIdentity populates the groups collection by querying Windows for information on the groups that the user token is a member of. However, before returning this list, the Groups property filters out some of the returned groups. Specifically, any groups which were on the token for deny-only will not be returned in the Groups collection. Similarly, a group which is the SE_GROUP_LOGON_ID will not be returned.

...If you want to retrieve all of the groups however, there's not an easy built-in way for you to do this. Instead, you'll have to P/Invoke to the GetTokenInformation API to retrieve the groups yourself.
using System;
using System.Linq;
using System.Security.Principal;

// Extension methods must live in a top-level static class.
static class Program
{
    public static void Main()
    {
        using (WindowsIdentity currentIdentity = WindowsIdentity.GetCurrent())
        {
            var groups = // Get all of the groups from our account, and translate them from IdentityReferences to NTAccounts
                from groupIdentity in currentIdentity.Groups
                where groupIdentity.IsValidTargetType(typeof(NTAccount))
                select groupIdentity.Translate(typeof(NTAccount)) as NTAccount into ntAccounts
                // Sort the NTAccounts by their account name
                let domainName = ntAccounts.GetDomainName()
                let groupName = ntAccounts.GetAccountName()
                orderby domainName
                // Group the sorted accounts by the domain they belong to, and sort the grouped groups by domain name
                group ntAccounts by domainName into domainGroups
                orderby domainGroups.Key
                select domainGroups;

            foreach (var domainGroups in groups)
            {
                Console.WriteLine("Groups from domain: {0}", domainGroups.Key);
                foreach (var group in domainGroups)
                {
                    Console.WriteLine("    {0}", group.GetAccountName());
                }
            }
        }
    }

    // "DOMAIN\Group" -> "DOMAIN"; a bare name (no backslash) has no authority part.
    private static string GetDomainName(this NTAccount account)
    {
        string[] split = account.Value.Split('\\');
        return split.Length == 1 ? String.Empty : split[0];
    }

    // "DOMAIN\Group" -> "Group".
    private static string GetAccountName(this NTAccount account)
    {
        string[] split = account.Value.Split('\\');
        return split[split.Length - 1];
    }
}
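The answer above says the unfiltered list has to come from GetTokenInformation but does not show that call. The following is an added example, not code from the thread or from the linked blog post: it reads TOKEN_GROUPS from the raw token handle that WindowsIdentity.Token exposes and keeps the SE_GROUP_* attribute bits, so the deny-only and logon-ID entries that WindowsIdentity.Groups drops are listed alongside everything else. It assumes Windows with .NET Framework (advapi32.dll is the real export; the TokenGroup class, GetAllTokenGroups method and TokenGroupsDump name are this example's own).

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (not from the original thread): walk TOKEN_GROUPS directly so that
// deny-only and logon-ID entries hidden by WindowsIdentity.Groups are visible.
static class TokenGroupsDump
{
    // TOKEN_INFORMATION_CLASS.TokenGroups and the error code the size probe must return (winnt.h / winerror.h)
    const int TokenGroups = 2;
    const int ERROR_INSUFFICIENT_BUFFER = 122;

    // Group attribute bits from winnt.h
    const uint SE_GROUP_ENABLED           = 0x00000004;
    const uint SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010;
    const uint SE_GROUP_INTEGRITY         = 0x00000020;
    const uint SE_GROUP_LOGON_ID          = 0xC0000000;

    [StructLayout(LayoutKind.Sequential)]
    struct SID_AND_ATTRIBUTES
    {
        public IntPtr Sid;      // PSID into the same buffer
        public uint Attributes; // SE_GROUP_* flags
    }

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(
        IntPtr tokenHandle, int tokenInformationClass,
        IntPtr tokenInformation, int tokenInformationLength, out int returnLength);

    public sealed class TokenGroup
    {
        public SecurityIdentifier Sid { get; set; }
        public uint Attributes { get; set; }
        public bool Enabled   { get { return (Attributes & SE_GROUP_ENABLED) != 0; } }
        public bool DenyOnly  { get { return (Attributes & SE_GROUP_USE_FOR_DENY_ONLY) != 0; } }
        public bool Integrity { get { return (Attributes & SE_GROUP_INTEGRITY) != 0; } }
        public bool LogonId   { get { return (Attributes & SE_GROUP_LOGON_ID) == SE_GROUP_LOGON_ID; } }
    }

    // TOKEN_GROUPS is { DWORD GroupCount; SID_AND_ATTRIBUTES Groups[GroupCount]; }.
    public static List<TokenGroup> GetAllTokenGroups(WindowsIdentity identity)
    {
        IntPtr token = identity.Token;
        int length;

        // First call with a zero-length buffer only reports the size needed.
        GetTokenInformation(token, TokenGroups, IntPtr.Zero, 0, out length);
        if (Marshal.GetLastWin32Error() != ERROR_INSUFFICIENT_BUFFER)
            throw new Win32Exception();

        IntPtr buffer = Marshal.AllocHGlobal(length);
        try
        {
            if (!GetTokenInformation(token, TokenGroups, buffer, length, out length))
                throw new Win32Exception();

            int count = Marshal.ReadInt32(buffer);
            // Groups[] follows GroupCount, padded to pointer alignment (4 bytes on x86, 8 on x64).
            IntPtr first = buffer + IntPtr.Size;
            int elementSize = Marshal.SizeOf(typeof(SID_AND_ATTRIBUTES));

            var result = new List<TokenGroup>(count);
            for (int i = 0; i < count; i++)
            {
                var entry = (SID_AND_ATTRIBUTES)Marshal.PtrToStructure(
                    first + i * elementSize, typeof(SID_AND_ATTRIBUTES));
                // SecurityIdentifier copies the SID bytes, so the buffer can be freed afterwards.
                result.Add(new TokenGroup
                {
                    Sid = new SecurityIdentifier(entry.Sid),
                    Attributes = entry.Attributes
                });
            }
            return result;
        }
        finally
        {
            Marshal.FreeHGlobal(buffer);
        }
    }

    public static void Main()
    {
        using (WindowsIdentity me = WindowsIdentity.GetCurrent())
        {
            foreach (TokenGroup g in GetAllTokenGroups(me))
            {
                string name;
                // The logon SID (S-1-5-5-X-Y) has no account name, so Translate throws for it.
                try { name = g.Sid.Translate(typeof(NTAccount)).Value; }
                catch (IdentityNotMappedException) { name = "(unresolvable SID)"; }

                string flags = (g.DenyOnly ? " DENY-ONLY" : "")
                             + (g.LogonId ? " LOGON-ID" : "")
                             + (g.Integrity ? " INTEGRITY" : "")
                             + (g.Enabled ? " enabled" : " disabled");
                Console.WriteLine("{0,-46} {1}{2}", g.Sid.Value, name, flags);
            }
        }
    }
}
```

Inside an ASP.NET request with Windows authentication, pass the request's identity rather than the process token: `GetAllTokenGroups((WindowsIdentity)User.Identity)`. A deny-only entry is there so that deny ACEs still match it; it never grants access, so `IsInRole` on such a group returning false and `Groups` omitting it are consistent, and listing the attribute bits is the only way to tell a group that is absent from the token apart from one that is present but deny-only.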