ASP.NET User not showing all Active Directory Groups

I am trying to use Windows authentication and Active Directory groups to manage the security within an application. The problem I am running into is that in the code-behind of a page I am trying to verify if a user hitting the ASP.NET website is a member of a specific AD group and then showing/hiding a few items based on that. The issue I am running into is that I cannot seem to get all the groups that the user is a member of in order to test. I have included the code below that I am using to list all the groups the user belongs to. This code does return a number of groups; however, it is not returning all the groups. I have verified in the AD controller that all the groups appear to be set the same. Any ideas what I am doing wrong?

Private Function GetCurrentGroups() As ArrayList
    Dim groups As New ArrayList()
    For Each group As System.Security.Principal.IdentityReference In System.Web.HttpContext.Current.Request.LogonUserIdentity.Groups
        groups.Add(group.Translate(GetType(System.Security.Principal.NTAccount)).ToString())
    Next

    groups.Sort()

    Return groups
End Function

You're not doing anything wrong - you're most likely only seeing the direct group memberships of your user.

Any nested membership - User being a member of GroupA, which in turn is a member of GroupB - is typically not shown - so in this case, you would see GroupA but not GroupB.

If you really need this information, you'd have to interrogate Active Directory directly (using something like the System.DirectoryServices.AccountManagement namespace - great MSDN article about using it).

The S.DS.AM namespace contains, among other things, a class UserPrincipal representing a user in AD, and this class has a method called .GetAuthorizationGroups() which will return all groups a user is a member of - including nested groups.
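The lookup this answer describes, as an added example that is not part of the original answer: a nested-aware counterpart to the question's GetCurrentGroups built on UserPrincipal.GetAuthorizationGroups(). The module and function names are hypothetical, and it assumes the project references System.DirectoryServices.AccountManagement and that the account the application runs as can read the directory.

```vb
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices.AccountManagement
Imports System.Linq
Imports System.Security.Principal

' Hypothetical helper module (added example, not code from the page).
Public Module NestedGroupLookup

    ' Returns the sAMAccountName of every security group the user belongs to,
    ' directly or through nesting. Names come back without the DOMAIN\ prefix.
    Public Function GetAllGroups(identity As WindowsIdentity) As List(Of String)
        Dim names As New List(Of String)()

        ' Anonymous or missing identity: return no groups so callers deny by default.
        If identity Is Nothing OrElse identity.User Is Nothing Then
            Return names
        End If

        ' Assumption: binds to the domain of the account the process runs as.
        Using ctx As New PrincipalContext(ContextType.Domain)
            ' Look the user up by SID, not by display or logon name, so the
            ' directory entry matches the authenticated token exactly.
            Using user As UserPrincipal =
                    UserPrincipal.FindByIdentity(ctx, IdentityType.Sid, identity.User.Value)
                If user Is Nothing Then
                    Return names
                End If

                ' Recursive lookup: includes groups reached through other groups.
                ' Errors are not swallowed, so a failed lookup never grants access.
                Using groups As PrincipalSearchResult(Of Principal) = user.GetAuthorizationGroups()
                    For Each g As Principal In groups
                        If g.SamAccountName IsNot Nothing Then
                            names.Add(g.SamAccountName)
                        End If
                    Next
                End Using
            End Using
        End Using

        names.Sort()
        Return names
    End Function

    ' Membership test for the show/hide decision in the code-behind.
    Public Function IsMemberOf(identity As WindowsIdentity, groupName As String) As Boolean
        Return GetAllGroups(identity).Contains(groupName, StringComparer.OrdinalIgnoreCase)
    End Function
End Module
```

From the page's code-behind this would be called with System.Web.HttpContext.Current.Request.LogonUserIdentity, the same identity the question already uses.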

Another possibility is this. Assume that the AD group is G and is in domain A, and the user U in domain B is a member of G (this is possible in universal groups). If A trusts B but NOT vice versa, calling G.GetMembers will return the user. However, calling U.GetGroups will not return the AD group in domain A.
