[英]ASP.NET User not showing all Active Directory Groups
I am trying to use windows authentication and active directory groups to manage the security within an application. 我正在尝试使用Windows身份验证和活动目录组来管理应用程序中的安全性。 The problem I am running into is that in the code behind of a page I am trying to verify is a user hitting the ASP.NET website is a member of a specific AD group and then showing/hiding a few items based on that.
我遇到的问题是,在我试图验证的页面后面的代码中,用户点击ASP.NET网站是特定AD组的成员,然后根据它显示/隐藏一些项目。 The issue I am running into is that I cannot seem to get all the groups that the user is a member of in order to test.
我遇到的问题是,我似乎无法获得用户所属的所有组以进行测试。 I have included the code below that I am using to list all the groups the user belongs to.
我已经包含了下面的代码,用于列出用户所属的所有组。 This code does return a number of groups, however it is not returning all the groups.
此代码确实返回了许多组,但它没有返回所有组。 I have verified in the AD controller that all the groups appear to be set the same.
我已在AD控制器中验证所有组似乎设置相同。 Any ideas what I am doing wrong?
我有什么想法我做错了吗?
Private Function GetCurrentGroups() As ArrayList
Dim groups As New ArrayList()
For Each group As System.Security.Principal.IdentityReference In System.Web.HttpContext.Current.Request.LogonUserIdentity.Groups
groups.Add(group.Translate(GetType(System.Security.Principal.NTAccount)).ToString())
Next
groups.Sort()
Return groups
End Function
You're not doing anything wrong - you're most likely only seeing the direct group memberships of your user. 你没有做错任何事 - 你很可能只看到你的用户的直接组成员资格。
Any nested membership - User
being member of GroupA
which in turn is member of GroupB
- are typically not shown - so in this case, you would see GroupA
but not GroupB
. 任何嵌套成员资格 -
User
是GroupA
成员,而GroupB
成员又是GroupB
成员 - 通常不会显示 - 所以在这种情况下,您会看到GroupA
而不是GroupB
。
If you really need this information, you'd have to interrogate Active Directory directly (using something like the System.DirectoryServices.AccountManagement
namespace - great MSDN article about using it ). 如果您确实需要此信息,则必须直接询问Active Directory(使用类似
System.DirectoryServices.AccountManagement
命名空间 - 有关使用它的MSDN文章 )。
The S.DS.AM
namespace contains among other things a class UserPrincipal
representing a user in AD, and this class has a method called .GetAuthorizationGroups()
which will return all groups a user is member of - including nested groups. S.DS.AM
命名空间包含表示AD中用户的类UserPrincipal
,此类具有一个名为.GetAuthorizationGroups()
的方法,该方法将返回用户所属的所有组 - 包括嵌套组。
Another possibility is this. 另一种可能性是这个。 Assume that the AD group is G and is in the domain A the User U in domain B is a member of G (this is possible in universal groups) If A trusts B but NOT vice versa, calling G.GetMembers will return the user.
假设AD组是G并且在域A中,域B中的用户U是G的成员(这在通用组中是可能的)如果A信任B但反之亦然,则调用G.GetMembers将返回用户。 However, if you call U.GetGroups will return not return AD group in domain A .
但是,如果您调用U.GetGroups将返回不返回域A中的 AD组。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.