如何创建在Active Directory管理角色并限制在我的应用程序页面 [英] How to create admin roles in Active Directory and restrict pages in my application

问题描述

在使用Windows身份验证，我一直在手动创建用户角色/成员存储在SQL我的应用程序（System.Web.Security.SqlRoleProvider在web.config中启用）。

In my application using Windows Authentication, I have been manually creating user roles/ membership stored in SQL (System.Web.Security.SqlRoleProvider enabled in web.config).

 <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="connMembership" applicationName="/" />

但现在，因为我发布的应用，我需要改变使用公司的Active Directory组

But now, as I am releasing the application, I need to change to using the company's Active Directory groups

<add name="AspNetActiveDirectoryMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ADService" attributeMapUsername="sAMAccountName"   />

和

    <add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />

我有两个问题（抱歉，我真的很新的这一切！）

I have two questions (sorry I am really new to all this!)

1），使用ActiveDirectoryMembershipProvider和WindowsTokenRoleProvider现在在我的web.config，我怎么限制用户访问到不同的网页应用程序的？ （即使用Roles.IsUserInRole（用户名，ADGroupName）的唯一途径？

1) using ActiveDirectoryMembershipProvider and WindowsTokenRoleProvider now in my web.config, how do I restrict user access into different pages of the app? (i.e. is using Roles.IsUserInRole(username, "ADGroupName") the only way?

2）如何创建一个管理员之类的使用Active Directory的角色？我问，因为之前（时仍在使用SqlRoleProvider）我是能够创造自己的Admin组对自己添加到SQL有权访问的所有页面/功能

2) How do I create an "admin" kind of role using Active Directory? I am asking because before (when still using SqlRoleProvider) I was able to create for myself an Admin group to add myself to in SQL which has access to all pages/functionalities

i.e Roles.AddUserToRole(userName, Admin). 

但现在，因为我是一个受限制的AD组的一部分，我不知道如何使用某种形式的管理员安全组的覆盖来增加自己。

But now since I am part of a restricted AD group, I don't know how to override with some form of Admin security group to add myself to.

真的AP preciate您的咨询！

WOuld really appreciate your advice!!

谢谢！

推荐答案

这是回答你的问题，如果有另一种方式将限制页面访问，是的，你可以从Web.config

This is to answer your question, if there is another way for putting restriction on the page access, yes you can from the Web.config

在web.config文件中，您可以添加以下的每一页：

In the Web.Config file, you may add the following for each page:

<authentication mode="Windows" />

<location path="MyPage1.aspx">
    <system.web>
      <authorization>
        <allow roles="ActiveDirectoryRoleName" />
        <allow users="DOMAIN\USER1, DOMAIN\USER2" />
        <deny users="*" />
      </authorization>
    </system.web>
</location>

或者，如果你想放的限制在全球的网站，那么：

Or if you want to put the restriction globally for the website, then:

<authentication mode="Windows" />

<authorization>
    <allow roles="ActiveDirectoryRoleName" />
<allow users="DOMAIN\USER1, DOMAIN\USER2" />
    <deny users="*" />
</authorization>

这篇关于如何创建在Active Directory管理角色并限制在我的应用程序页面的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！