Active Directory Group Membership Checking in .Net 4.5


Question

I have an ASP.Net MVC application using Windows Authentication, and I am checking group membership for security on controller actions.

Simple as it sounds, I've found no other Question that can resolve the problem I am experiencing.

The classic method is to simply slap an Authorize data annotation attribute on the controller action and go to town:

[Authorize(Roles = @"domain\groupName1")]

No dice. I am prompted for credentials. Usually this means something is wrong with the Windows Authentication configuration, but it's set up fine: (1) HttpContext.User is a WindowsPrincipal object, and (2) I confirmed another known group name works.

The next step taken was to go a more old fashioned route and use IPrincipal.IsInRole(), and again, one returns false, the other true.

var wp = (WindowsPrincipal)User;

// false
var inGroup1 = wp.IsInRole(@"domain\groupName1");
// true
var inGroup2 = wp.IsInRole(@"domain\groupName2");

Stumped... so I hit up my systems nerds and we double check everything. User is a group member? Yes. Group name is spelled correctly? Yes. The next step was to snag the SID.

In my controller I check the WindowsIdentity and look through the group collection for the SID of the troublesome group:

var wi = (WindowsIdentity)wp.Identity;
var group = wi.Groups.SingleOrDefault(g => g.Value == "group1-sidValue");

The group variable is a SecurityIdentifier object. Because it is not null, we can be certain that the current user is a member of the group that both the [Authorize()] and IsInRole() attempts fail to confirm.

At this point, I'm going nuts and add a reference to the AccountManagement APIs. I search the domain context for the GroupPrincipal by both name and SID:

var pc = new PrincipalContext(ContextType.Domain, "domain");
var gp1byName = GroupPrincipal.FindByIdentity(pc, "groupName1");
var gp1bySid = GroupPrincipal.FindByIdentity(pc, IdentityType.Sid, "group1-sidValue");

Both group principal variables are ripe with the same object, and I verified through a watch variable that the principal's Members collection contains a UserPrincipal object with the same SID as the current WindowsPrincipal on HttpContext.

What in the hell have I missed here? Why would both role checking methodologies fail when it is plain and clear through object exploration that the user is a valid member of this given group?

The fact that one group checks fine and the other does not seems the strangest part at this point.

Please help.

Recommended answer

Essentially it's a translation issue between WindowsIdentity and NTAccount (both in System.Security.Principal) and lastly, the actual Active Directory entry.

When validating a WindowsIdentity against AD, if you want to use anything other than the Sam or the Sid, you will need to use System.DirectoryServices.AccountManagement.

Caveat: in .NET 4.5 the security principals include Claims, but that is out of context here.

In a Windows Authenticated web application, HttpContext.User is a WindowsPrincipal object wrapping an underlying WindowsIdentity.

WindowsIdentity has for most intents and purposes only two properties with which the authenticated user can be identified: Name and User.

These properties translate to two properties on the identity's corresponding AD account entry:

WindowsIdentity.Name = SamAccountName

WindowsIdentity.User = Sid

The [Authorize] filter attribute ultimately calls IsInRole(string role) on the underlying principal... and the IsInRole() string overload instantiates an NTAccount with the role (the "SamAccountName" in an AD entry).

This explains the failure in #1 and #2 above.

To authorize the HttpContext.User against anything but his/her Sid or SamAccountName, you'll need DirectoryServices.AccountManagement or classic LDAP.
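The following is an added example and is not code from the question or the answer above. It puts the answer's explanation into working form: a diagnostic that reproduces what IsInRole(string) does with the role string (NTAccount translation to a SID), a lookup through System.DirectoryServices.AccountManagement that returns the SID and sAMAccountName the token-based checks actually understand, a membership check against AD itself, and an authorize attribute that compares SIDs so no name translation is involved at all. It assumes an ASP.NET MVC 5 application on .NET 4.5 with Windows Authentication and a reference to System.DirectoryServices.AccountManagement; the domain name "corp", the group names and the SID strings are placeholders.

```csharp
// Added example; not from the original question or answer.
// Assumes ASP.NET MVC 5 on .NET 4.5 with Windows Authentication and a reference
// to System.DirectoryServices.AccountManagement. "corp", the group names and the
// SID strings below are placeholders.
using System;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

public static class GroupCheck
{
    // Reproduce what IsInRole(string) does internally: wrap the role string in an
    // NTAccount and translate it to a SID. If the string is a CN or display name
    // rather than "domain\sAMAccountName", the lookup finds no account, the
    // translation fails, and the name-based check comes back false.
    public static string DescribeRoleResolution(WindowsIdentity wi, string role)
    {
        SecurityIdentifier sid;
        try
        {
            sid = (SecurityIdentifier)new NTAccount(role).Translate(typeof(SecurityIdentifier));
        }
        catch (IdentityNotMappedException)
        {
            return role + ": no account maps to this name, so IsInRole(\"" + role + "\") is false";
        }
        bool inToken = wi.Groups.Contains(sid);   // same SIDs IsInRole(SecurityIdentifier) consults
        return string.Format("{0} -> {1}, present in logon token: {2}", role, sid.Value, inToken);
    }

    // Resolve the group by whatever name the admins handed over (FindByIdentity with
    // no IdentityType tries Name, SamAccountName, Sid, ...) and copy out the SID and
    // "domain\sAMAccountName" before the PrincipalContext is disposed.
    public static Tuple<string, string> ResolveGroup(string domain, string nameOrSid)
    {
        using (var pc = new PrincipalContext(ContextType.Domain, domain))
        using (var group = GroupPrincipal.FindByIdentity(pc, nameOrSid))
        {
            if (group == null) return null;
            return Tuple.Create(group.Sid.Value, domain + "\\" + group.SamAccountName);
        }
    }

    // Membership as AD sees it now, not as the logon token recorded it at logon time.
    public static bool IsMemberViaDirectory(WindowsIdentity wi, string domain, string groupNameOrSid)
    {
        using (var pc = new PrincipalContext(ContextType.Domain, domain))
        using (var user = UserPrincipal.FindByIdentity(pc, IdentityType.Sid, wi.User.Value))
        using (var group = GroupPrincipal.FindByIdentity(pc, groupNameOrSid))
        {
            return user != null && group != null && user.IsMemberOf(group);
        }
    }
}

// Authorize by SID instead of by name. WindowsPrincipal.IsInRole(SecurityIdentifier)
// compares against the group SIDs already in the logon token, so no NTAccount
// translation happens and a group whose display name differs from its
// sAMAccountName cannot break the check.
public sealed class AuthorizeSidAttribute : AuthorizeAttribute
{
    private readonly SecurityIdentifier[] _required;

    public AuthorizeSidAttribute(params string[] sddlSids)
    {
        _required = sddlSids.Select(s => new SecurityIdentifier(s)).ToArray();
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var wp = httpContext.User as WindowsPrincipal;
        if (wp == null || !wp.Identity.IsAuthenticated) return false;
        return _required.Any(sid => wp.IsInRole(sid));
    }
}

// Usage on a controller action (placeholder SID):
// [AuthorizeSid("S-1-5-21-1111111111-2222222222-3333333333-1105")]
// public ActionResult Secret() { ... }
//
// Diagnostics from inside an action while the user is signed in:
// var wi = (WindowsIdentity)User.Identity;
// var info = GroupCheck.DescribeRoleResolution(wi, @"corp\groupName1");
// var resolved = GroupCheck.ResolveGroup("corp", "groupName1"); // Item2 is the value [Authorize(Roles = ...)] expects
// var inAd = GroupCheck.IsMemberViaDirectory(wi, "corp", "groupName1");
```

The token-based check (IsInRole with a SecurityIdentifier) and the directory check can disagree: the logon token is built when the user authenticates, so a group added in AD afterwards shows up in IsMemberViaDirectory but not in the token until the user logs on again. The SID-based attribute is the cheaper and more robust choice for an action filter; the AccountManagement lookup is the right tool for turning whatever name the systems team gives you into the SID or sAMAccountName that the built-in checks require.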
