使用Windows身份验证拒绝访问[授权（角色=＆QUOT;管理员和QUOT） [英] Access denied for [Authorize(Roles = "Administrators")] using Windows Authentication

问题描述

我有一个使用Windows身份验证来限制用户访问一个ASP.NET MVC 4个网站。
在控制器 [授权（角色=管理员）] 被应用。

I have an ASP.NET MVC 4 site that uses Windows Authentication to restrict user access. On the controller [Authorize(Roles = "Administrators")] is applied.

该网站是我从IIS本地机器上运行。
当（从我的本地机器上也可以）访问访问该网站被拒绝，即使我的用户帐户是管理员组的成员。

The site is running on my local machine from IIS. When accessing the site (also from my local machine) access is denied, even though my user account is member of the administrator group.

我试过指定 BUILTIN \\管理员的建议在这个职位：<一href=\"http://stackoverflow.com/questions/8645846/how-do-i-make-authorizeattribute-work-with-local-administrators-group-in-asp-net\">How做我做AuthorizeAttribute本地Administrators组中的ASP.NET MVC 3 Intranet应用程序工作？
 但没有成功。

I've tried specifying the "BUILTIN\Administrators" as suggested in this post: How do I make AuthorizeAttribute work with local Administrators group in ASP.NET MVC 3 intranet application? but without success.

如果我创造这样一个新组 TestGroup 我的用户帐户分配到组，并使用 [授权（角色=TestGroup）] 我的控制器 - 我就能够访问控制器

If I create a new group like "TestGroup", assign my user account to the group and use [Authorize(Roles = "TestGroup")] on my controller - I'm then able to gain access to the controller.

有没有在管理员组一些特殊的限制（出于安全原因，也许？），还是有其他任何可能影响使用管理员组的？

Is there some special restriction on the Administrator group (for security reasons maybe?), or is there anything else that could influence the use of the Administrator group?

推荐答案

通过列出你目前的身份ASP.NET里面的索赔：

By listing the Claims inside your current ASP.NET Identity:

(System.Web.HttpContext.Current.User.Identity
    as System.Security.Principal.WindowsIdentity)
    .Claims
    .ToArray();

您将看到管理员组（ 的SID：S-1-5-32 -544）有型的索赔 denyonlysid 。到调用User.IsInRole（管理员）然后将失败。

you will see that for the Administrators group (SID: S-1-5-32-544) there is a claim of type denyonlysid. The call to User.IsInRole("Administrators") will then fail.

整点，我认为，是当前用户是从来没有真正的Administrators组的一部分，除非你关闭UAC和/或运行浏览器的作为管理员的

The whole point, I think, is that the current user is never truly part of the Administrators group, unless you turn off UAC and/or run your browser as an administrator.

我已经做了两个那些事（浏览器是火狐NTLM在本地主机上启用）和TA-大新，一切按预期工作：

I have done both those things (browser is Firefox with NTLM enabled on localhost) and ta-dah, everything works as expected:

System.Web.HttpContext.User.IsInRole("Administrators")  
true
(System.Web.HttpContext.User.Identity
    as System.Security.Principal.WindowsIdentity)
    .Claims
    .ToArray()
{System.Security.Claims.Claim[19]}
[0]: {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: Domain\Mauro}
[...]
[8]: {http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-5-32-544}

作为最终音符，你不应该使用管理员组基于声明的身份验证。更好地介绍自定义域/本地组。

As an end note, you should not use the Administrator group for claims based authentication. Better to introduce custom domain/local groups.

只是我的2美分。

这篇关于使用Windows身份验证拒绝访问[授权（角色=＆QUOT;管理员和QUOT）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！