堆栈内存溢出
  简体   繁体   English

带有Active Directory的ASP.NET:用户凭据

[英]ASP.NET with Active Directory: User Credentials

 原文  2015-01-09 21:06:18       asp.net/ vb.net/ iis/ active-directory

问题描述

I am an ASP.NET newbie and creating an inhouse application (will be used by 10 users inside group). 我是ASP.NET新手,正在创建内部应用程序(组中的10个用户将使用该应用程序)。 One of the objective is to add users to Active Directory group. 目标之一是将用户添加到Active Directory组。 For audit purpose, the app-users should do the AD change with there own credentials (and not with common id created for this sole purpose).The website is hosted on Windows Server 2008 R2/IIS 7.0 and everything is in enterprise domain. 出于审核目的,应用程序用户应使用自己的凭据进行AD更改(而不是为此目的创建通用ID)。该网站托管在Windows Server 2008 R2 / IIS 7.0上,所有内容都在企业域中。

IIS Settings: IIS设置:
Application Pool Name: UserAppMapping, Integrated, ApplicationPoolIdentity 应用程序池名称:UserAppMapping,Integrated,ApplicationPoolIdentity

Authentication: ASP.NET Impersonation and Windows Authentication only are Enabled. 身份验证:仅启用ASP.NET模拟和Windows身份验证。

VB.NET Code (i have removed all error checking so I can see the actual error): VB.NET代码(我已经删除了所有错误检查,所以我可以看到实际的错误): 

Public Sub AddUserToGroup(userId As String, groupName As String, Optional GroupDN As String = "")

        Using (HostingEnvironment.Impersonate())

            Dim domainName As String = "DOM"

            Dim ou = [String].Format(CultureInfo.InvariantCulture, "dc={0},dc=myorg,dc=com", domainName)

            Dim domain = [String].Format(CultureInfo.InvariantCulture, "{0}.myorg.com", domainName)

            Using insPrincipalContext = New PrincipalContext(ContextType.Domain, domain, ou)
                If insPrincipalContext IsNot Nothing Then
                    Dim insGroupPrincipal As GroupPrincipal = GroupPrincipal.FindByIdentity(insPrincipalContext, System.DirectoryServices.AccountManagement.IdentityType.Name, groupName)

                    Dim user As UserPrincipal = UserPrincipal.FindByIdentity(insPrincipalContext, userId)

                    If insGroupPrincipal IsNot Nothing Then
                        'add user to group
                        If user.IsMemberOf(insGroupPrincipal) Then
                            LabelErr.Text = userId + " is already part of " + groupName
                        Else
                            insGroupPrincipal.Members.Add(user)
                            insGroupPrincipal.Save()
                            Label1.Text = "User added successfully"
                        End If
                    Else
                        Label1.Text = "Cannot retrieve information about " + groupName + " from Active Directory"
                    End If
                Else
                    Label1.Text = "Principal Context is Null"
                End If
                insPrincipalContext.Dispose()
            End Using
        End Using
    End Sub

` `

Problem : 问题

Everything works fine but when following lines are encountered in the code: 一切正常,但是在代码中遇到以下几行时:

insGroupPrincipal.Members.Add(user) insGroupPrincipal.Members.Add(用户)
insGroupPrincipal.Save() insGroupPrincipal.Save()

The application prompts for user credentials. 该应用程序提示输入用户凭据。 While I understand the code in this function is running under the context of Windows Identity “IIS APPPOOL\\UserAppMapping”, it will prompt for credentials which has access to Active Directory. 当我了解此函数中的代码在Windows标识“ IIS APPPOOL \\ UserAppMapping”的上下文中运行时,它将提示输入可以访问Active Directory的凭据。 Is there a way for app user to modify the AD groups (I am assuming the user can modify the groups directly in AD) without typing extra credentials? 应用程序用户是否可以修改AD组 (我假设用户可以直接在AD中修改组) 而无需键入额外的凭据?

If I remove "Using (HostingEnvironment.Impersonate())" from the code, it fails right away when GroupPrincipal.FindByIdentity is encountered. 如果我从代码中删除“使用(HostingEnvironment.Impersonate())”,遇到GroupPrincipal.FindByIdentity时,它将立即失败。

The web.config is set with: web.config设置为:

authentication mode="Windows" 身份验证模式=“ Windows”
identity impersonate="true" 身份冒充=“ true”

Thanks in advance. 提前致谢。

1 个解决方案

解决方案1
 0  2015-01-11 01:21:46

Do the following. 请执行下列操作。

  1. Make sure that IIS Authentication is set to Windows Auth=enabled, Anonymous=false. 确保将IIS身份验证设置为Windows Auth = enabled,Anonymous = false。 This is required in addition to the web.config. 除web.config外,这是必需的。

Step 2: You need an account has higher rights in AD than ApplicationPoolIndentity. 步骤2:您需要在AD中具有比ApplicationPoolIndentity更高的权限。

  1. You need a Network Account to perform the AD work. 您需要一个网络帐户来执行AD工作。 Create a new network account and then in your application pool in IIS change it from ApplicationPoolIndentity to Custom Account. 创建一个新的网络帐户,然后在IIS的应用程序池中将其从ApplicationPoolIndentity更改为“自定义帐户”。 Then enter your new AD Account and password. 然后输入新的AD帐户和密码。 (I would suggest making that AD Account password never expires) (我建议使AD帐户密码永不过期)

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 从Sharepoint Active Directory获取用户凭据,然后在ASP.Net中使用它 - Get user credentials from Sharepoint Active Directory then use it in ASP.Net ASP.Net(IIS 7.5)查询没有用户凭据的Active Directory - ASP.Net (IIS 7.5) Querying Active Directory without User Credentials 在Asp.net中的Active Directory上对用户进行身份验证 - Authenticate User on Active Directory in Asp.net 使用Active Directory域凭据asp.net进行自动身份验证 - Auto authentication using Active Directory domain credentials asp.net ASP.NET错误从Active Directory获取用户详细信息 - ASP.NET error getting user details from Active Directory 如何从asp.net中的活动目录中删除用户帐户 - how to remove user account from active directory in asp.net ASP.NET-检测用户是否通过Active Directory进行了身份验证? - ASP.NET - Detect if user is authenticated with Active Directory? 访问Active Directory以在asp.net中获得用户管理器 - Accessing Active Directory to get User's Manager in asp.net 查找用户是否是 Active Directory 组 ASP.NET VB 的成员? - Find If User is Member of Active Directory Group ASP.NET VB? 如何在ASP.NET页面上检测Active Directory用户 - How to detect Active Directory user on ASP.NET page
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM