[英]User AD groups not returned when deployed to IIS
I want to authorize a page in C# web application.我想在 C# web 应用程序中授权一个页面。 This page should only be accessed by a users in a particular AD group.
此页面只能由特定 AD 组中的用户访问。 I have the following code and it works perfectly when I run this in debug mode (IIS Express).
我有以下代码,当我在调试模式(IIS Express)下运行它时它工作得很好。 But when I deploy it to my local IIS it doesn't work as expected.
但是当我将它部署到我的本地 IIS 时,它无法按预期工作。 (User groups are always returned
NULL
). (用户组总是返回
NULL
)。
public static List<string> GetAdGroupsForUser(string userName, string domainName = null)
{
var result = new List<string>();
if (userName.Contains('\\') || userName.Contains('/'))
{
domainName = userName.Split(new char[] { '\\', '/' })[0];
userName = userName.Split(new char[] { '\\', '/' })[1];
}
using (PrincipalContext domainContext = new PrincipalContext(ContextType.Domain, domainName, userName, "password"))
using (UserPrincipal user = UserPrincipal.FindByIdentity(domainContext, userName))
using (var searcher = new DirectorySearcher(new DirectoryEntry("LDAP://" + domainContext.Name)))
{
searcher.Filter = String.Format("(&(objectCategory=group)(member={0}))", user.DistinguishedName);
searcher.SearchScope = SearchScope.Subtree;
searcher.PropertiesToLoad.Add("cn");
foreach (SearchResult entry in searcher.FindAll())
if (entry.Properties.Contains("cn"))
result.Add(entry.Properties["cn"][0].ToString());
}
return result;
}
I have referred to lot of answers online.我在网上参考了很多答案。 But couldn't find a proper solution.
但找不到合适的解决方案。 Any help or lead would be highly appreciated.
任何帮助或领导将不胜感激。
Make sure you enabled windows authentication in iis at the site level and rest of the are disabled:确保在站点级别的 iis 中启用了 windows 身份验证,并且禁用了 rest:
Open the “Configuration Editor” for your app/site.打开您的应用程序/站点的“配置编辑器”。
Navigate to the “system.web/authentication” section in Configuration Editor.导航到配置编辑器中的“system.web/authentication”部分。
Set the authentication “mode” to “Windows” and save your changes.将身份验证“模式”设置为“Windows”并保存更改。
Restart IIS to make sure your changes are applied and then test access – only users belonging to the permitted group should have access.重新启动 IIS 以确保应用您的更改,然后测试访问权限 - 只有属于允许组的用户才能访问。
You could also try below code:您也可以尝试以下代码:
public bool AuthenticateGroup(string userName, string password, string domain, string group)
{
if (userName == "" || password == "")
{
return false;
}
try
{
DirectoryEntry entry = new DirectoryEntry("LDAP://" + domain, userName, password);
DirectorySearcher mySearcher = new DirectorySearcher(entry);
mySearcher.Filter = "(&(objectClass=user)(|(cn=" + userName + ")(sAMAccountName=" + userName + ")))";
SearchResult result = mySearcher.FindOne();
foreach (string GroupPath in result.Properties["memberOf"])
{
if (GroupPath.Contains(group))
{
return true;
}
}
}
catch (DirectoryServicesCOMException)
{
}
return false;
}
you could refer below link for more detail:您可以参考以下链接了解更多详情:
https://serverfault.com/questions/352647/restrict-access-to-iis-site-to-an-ad-group https://serverfault.com/questions/352647/restrict-access-to-iis-site-to-an-ad-group
https://forums.iis.net/t/1226581.aspx https://forums.iis.net/t/1226581.aspx
https://forums.asp.net/t/2152453.aspx?Using+AD+groups+to+authorise+access+to+pages+using+IIS+Windows+Authentication+ASP+NET+Core+2+1 https://forums.asp.net/t/2152453.aspx?Using+AD+groups+to+authorise+access+to+pages+using+IIS+Windows+Authentication+ASP+NET+Core+2+1
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.