Active Directory Group Membership Checking in .Net 4.5
Question
I have an ASP.Net MVC application using Windows Authentication, and I am checking group membership for security on controller actions.
Simple as it sounds, I've found no other Question that can resolve the problem I am experiencing.
The classic method is to simply slap an Authorize data annotation attribute on the controller action and go to town:
[Authorize(Roles = @"domain\groupName1")]
No dice. I am prompted for credentials. Usually this means something is wrong with the Windows Authentication configuration, but it's set up fine: (1) HttpContext.User is a WindowsPrincipal object, and (2) I confirmed another known group name works.
The next step taken was to go a more old-fashioned route and use IPrincipal.IsInRole(), and again, one returns false, the other true.
var wp = (WindowsPrincipal)User;
// false
var inGroup1 = wp.IsInRole(@"domain\groupName1");
// true
var inGroup2 = wp.IsInRole(@"domain\groupName2");
Stumped... so I hit up my systems nerds and we double check everything. User is a group member? Yes. Group name is spelled correctly? Yes. The next step was to snag the SID.
In my controller I check the WindowsIdentity and look through the group collection for the SID of the troublesome group:
var wi = (WindowsIdentity)wp.Identity;
var group = wi.Groups.SingleOrDefault(g => g.Value == "group1-sidValue");
The group variable is the SecurityIdentifier object. Because it is not null, we can be certain that this current user is a member of the group that both the [Authorize()] and IsInRole() attempts fail to confirm.
At this point, I'm going nuts and add a reference to the AccountManagement APIs. I search the domain context for the GroupPrincipal by both name and SID:
var pc = new PrincipalContext(ContextType.Domain, "domain");
var gp1byName = GroupPrincipal.FindByIdentity(pc, "groupName1");
var gp1bySid = GroupPrincipal.FindByIdentity(pc, IdentityType.Sid, "group1-sidValue");
Both group principal variables are ripe with the same object, and I verified through a watch variable that the principal's Members collection contains a UserPrincipal object with the same SID as the current WindowsPrincipal on HttpContext.
What in the hell have I missed here? Why would both role checking methodologies fail when it is plain and clear through object exploration that the user is a valid member of this given group?
The fact that one group checks fine and the other does not seems the most strange part at this point.
Please help.
Answer:
Essentially it's translation issues between WindowsIdentity and NTAccount (both of these in System.Security.Principal) and lastly, the actual Active Directory entry.
When validating a WindowsIdentity against AD, if you want to use anything other than the Sam or the Sid, you will need to use System.DirectoryServices.AccountManagement.
Caveat: in .NET 4.5 the security principals include claims, but that is out of scope here.
In a Windows Authenticated web application, HttpContext.User is a WindowsPrincipal object wrapping an underlying WindowsIdentity.
WindowsIdentity has, for most intents and purposes, only two properties with which the authenticated user can be identified: Name and User.
These properties translate to two properties on the identity's corresponding AD account entry:
WindowsIdentity.Name = SamAccountName
WindowsIdentity.User = SID
The [Authorize] filter attribute ultimately calls IsInRole(string role) on the underlying principal... and the IsInRole() string overload instantiates an NTAccount with the role (the "SamAccountName" in an AD entry).
This explains the failure in #1 and #2 above.
To authorize the HttpContext.User against anything but his/her Sid or SamAccountName, you'll need DirectoryServices.AccountManagement or classic LDAP.