Windows身份验证与Active Directory组 [英] Windows Authentication with Active Directory Groups

问题描述

我有一个小项目，使用Visual Studio 2013，.NET 4.5，MVC 5和EF 6构建.我使用Windows身份验证创建了该项目，但是现在我需要检查Active Directory组中的成员身份以允许或拒绝访问.

I have a small project, built using Visual Studio 2013, .NET 4.5, MVC 5, and EF 6. I created it using Windows authentication, but now I need to check for membership in an Active Directory group to allow or deny access.

我走了很多非常深的兔子洞，试图找出方法.最初，我认为我需要将项目更改为使用本地"身份验证.但是，我发现:

I've gone down many VERY deep rabbit holes, attempting to find out how to do this. At first I presumed that I would need to change the project to use "On-Premises" authentication. However, I have found that:

1. 在VS 2013中，显然没有一种方法可以更改项目使用的身份验证类型(除了手动编辑某些文件之外).
2. 尚无任何文档说明如何设置本地"身份验证. (真的吗?怎么可能?)
3. 无论如何，我根本不需要本地"身份验证，因为这仅适用于Windows Identity Federation服务(或类似的东西).我应该使用的只是带有ASP.Net角色的Windows身份验证，当我登录时Windows显然是从Active Directory组获得的.

因此，假设#3是正确的，我尝试阅读有关此内容的大量文章，但它们似乎分为两个基本组:

So, assuming that #3 is true, I tried reading numerous posts about this, but they seem to fall into two basic groups:

1. 简单，直接的方法，我无法使用，可能是因为它假定了一些我没有的知识.
2. 复杂的，自定义编码的方法，我怀疑这是通过代码完成的，而这可能可以通过无代码的方法完成.

假设要走#1的路，这是我最近的尝试.

Assuming that #1 is the way to go, here's my most recent attempt.

在我的控制器中，我有:

In my controller, I have:

[Authorize(Roles=@"SomeDomain\\SomeGroup")]
public class SomeController : Controller

在我的Web.config文件中，我有:

In my Web.config file, I have:

  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
      <providers>
        <clear/>
        <add name="AspNetWindowsTokenRoleProvider"
             type="System.Web.Security.WindowsTokenRoleProvider"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="BehaviorConfiguration">
          <serviceAuthorization
               principalPermissionMode="UseAspNetRoles"
               roleProviderName="AspNetWindowsTokenRoleProvider" />
          <serviceMetadata />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>

当我尝试访问该页面时，系统会提示我登录.输入登录ID和密码后，我将继续收到登录提示.我不允许进入该页面.

When I try to access the page, I am instead prompted to login. After entering my login ID and password, I continue to receive the login prompt. I am not allowed to get to the page.

我什么都没有告诉我的应用程序Active Directory服务器在哪里，但是我得到的印象是Windows已经知道了(因为当我登录Windows时，它访问Active Directory服务器以对我进行身份验证)

I don't have anything anywhere telling my application where the Active Directory server is, but the impression I get is that Windows already knows that (since, when I login to Windows, it accesses the Active Directory server to authenticate me).

我错过了什么吗?或者我以为无需编写自定义代码就可以做到这一点是错误的吗?

Am I missing something? Or am I wrong in assuming that this can be done without writing custom code?

注意:我对.NET，MVC等还很陌生，因为它来自Java世界，所以请用一些小词. :-)

Caveat: I'm fairly new to .NET, MVC, etc, having come from the Java world, so please use small words. :-)

推荐答案

我发现了问题.我上面的内容是正确的，除了域名和角色名称之间有两个反斜杠，而不是两个.该修复程序只是将其更改为此:

I found the problem. What I had above was correct, except I had TWO backslashes between the domain name and the role name, rather than one. The fix was just changing it to this:

[Authorize(Roles=@"SomeDomain\SomeGroup")]

这篇关于Windows身份验证与Active Directory组的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！