使用Windows身份验证和活动目录组作为角色
[英]using windows authentication with active directory groups as roles
问题描述
I've read several questions on this topic, such as here , here , here and here ; 
我已经阅读了关于这个主题的几个问题,比如这里 , 这里 , 这里和这里 ; but none have provided a working solution in my case. 但在我的案例中没有一个提供了有效的解决方案。
What I want to do: 我想做的事:
Implement Windows authentication for a web app that is only used by our own employees. 为仅由我们自己的员工使用的Web应用程序实施Windows身份验证。 This way they should not need to log into the app, but already be authenticated by way of having logged into windows. 这样他们就不需要登录应用程序,但已经通过登录Windows进行身份验证。
Also, I need to restrict certain areas of the app, based on Active Directory Security Groups that the user may be assigned to. 此外,我需要根据用户可能分配到的Active Directory安全组来限制应用程序的某些区域。
So I want to be able to decorate Controllers / Actions with 所以我希望能够装饰Controllers / Actions
[Authorize(Roles="SomeRole")]
What I've tried: 我尝试过的:
I have 我有
<authentication mode="Windows" />
in my web.config. 在我的web.config中。 And I have added several permutations of a <roleManager> as found in some of the posts linked to above. 我添加了一些<roleManager>排列,如上面链接的一些帖子中所示。 Currently I have this role manager 目前我有这个角色经理
<roleManager defaultProvider="WindowsProvider"
enabled="true"
cacheRolesInCookie="false">
<providers>
<add
name="WindowsProvider"
type="System.Web.Security.WindowsTokenRoleProvider" />
</providers>
</roleManager>
as found in this post. 在这篇文章中找到。
As it is, if I decorate a controller with [Authorize] , I can access it fine. 事实上,如果我用[Authorize]装饰一个控制器,我可以很好地访问它。
However: 然而:
I can see in my user settings on the network, that I am part of a AD security group called "IT". 我可以在网络上的用户设置中看到,我是名为“IT”的AD安全组的成员。 But if I decorate the same controller with [Authorize(Roles="IT")] I get the blank screen that is is served by the asp.net development server for a 401 not authorized. 但是,如果我使用[Authorize(Roles="IT")]装饰相同的控制器,我将获得由asp.net开发服务器为未经授权的401服务的空白屏幕。 This is unexpected. 这是出乎意料的。 I would think that I should be able to view the page as I am logged in to windows and am part of the group "IT". 我认为我应该能够查看页面,因为我登录到Windows并且是“IT”组的一部分。
Most everything I am finding on this topic make it sound very simple to accomplish what I'm trying to do, but I am clearly missing something here. 我在这个主题上发现的大部分内容都让我觉得很难完成我想要做的事情,但我在这里显然遗漏了一些东西。
1 个解决方案
解决方案1
38 2013-06-21 01:34:51
For dev I am using IISExpress with development server properties of the MVC project set up so that Anonymous Authentication is Disabled and Windows Authentication is Enabled. 对于开发人员,我使用IISExpress与MVC项目的开发服务器属性设置,以便禁用匿名身份验证并启用Windows身份验证。 The web config is deployed using our TFS build server to test and release servers for which authentication is also setup as above and works in those locations as well. 使用我们的TFS构建服务器部署Web配置,以测试和释放服务器,其身份验证也如上所述,并且也在这些位置工作。
In my web.config I have. 在我的web.config中我有。
<system.web>
....
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
<providers>
<clear />
<add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
</providers>
</roleManager>
....
</system.web>
I can use 我可以用
[Authorize(Roles = @"DOMAIN\ADGroup")]
Public ActionResult Index()
{...}
or 要么
public ActionResult Index()
{
var User = System.Web.HttpContext.Current.User;
if (User.IsInRole("DOMAIN\\ADGroup"))
{
return RedirectToAction("IRSAdmin");
}
return View();
}
After i remember to logoff and log back in so the permission i was given to the AD group were applied. 在我记得注销并重新登录之后,应用了给予AD组的权限。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.