如何使用 Windows Active Directory 身份验证和基于身份的声明? [英] How to use Windows Active Directory Authentication and Identity Based Claims?

问题描述

我们希望使用 Windows Active Directory 来验证用户进入应用程序的身份.但是，我们不想使用 Active Directory 组来管理控制器/视图的授权.

We want to use Windows Active Directory to authenticate a user into the application. However, we do not want to use Active Directory groups to manage authorization of controllers/views.

据我所知，将 AD 和基于身份的声明结合起来并不容易.

As far as I know, there is not an easy way to marry AD and identity based claims.

• 使用本地 Active Directory 对用户进行身份验证
• 使用身份框架来管理声明

• Windows.Owin.Security.ActiveDirectory - Doh.这适用于 Azure AD.不支持 LDAP.他们可以将其称为 AzureActiveDirectory 吗?
• Windows 身份验证 - 这适用于 NTLM 或 Keberos 身份验证.问题开始于:i) 令牌和声明都由 AD 管理，我无法弄清楚如何使用身份声明.
• LDAP - 但这些似乎迫使我手动进行表单身份验证以使用身份声明?当然必须有更简单的方法吗?

任何帮助将不胜感激.我已经被这个问题困扰了很长时间，希望得到外界对此事的投入.

Any help would be more than appreciated. I have been stuck on this problem quite a long time and would appreciate outside input on the matter.

推荐答案

你上面的解决方案把我推向了一个对我有用的方向 MVC6-Beta3 Identityframework7-Beta3 EntityFramework7-Beta3:

Shoe your solution above pushed me toward a direction that worked for me on MVC6-Beta3 Identityframework7-Beta3 EntityFramework7-Beta3:

// POST: /Account/Login
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Login(LoginViewModel model, string returnUrl = null)
{
    if (!ModelState.IsValid)
    {
        return View(model);
    }

    //
    // Check for user existance in Identity Framework
    //
    ApplicationUser applicationUser = await _userManager.FindByNameAsync(model.eID);
    if (applicationUser == null)
    {
        ModelState.AddModelError("", "Invalid username");
        return View(model);
    }

    //
    // Authenticate user credentials against Active Directory
    //
    bool isAuthenticated = await Authentication.ValidateCredentialsAsync(
        _applicationSettings.Options.DomainController, 
        _applicationSettings.Options.DomainControllerSslPort, 
        model.eID, model.Password);
    if (isAuthenticated == false)
    {
        ModelState.AddModelError("", "Invalid username or password.");
        return View(model);
    }

    //
    // Signing the user step 1.
    //
    IdentityResult identityResult 
        = await _userManager.CreateAsync(
            applicationUser, 
            cancellationToken: Context.RequestAborted);

    if(identityResult != IdentityResult.Success)
    {
        foreach (IdentityError error in identityResult.Errors)
        {
            ModelState.AddModelError("", error.Description);
        }
        return View(model);
    }

    //
    // Signing the user step 2.
    //
    await _signInManager.SignInAsync(applicationUser,
        isPersistent: false,
        authenticationMethod:null,
        cancellationToken: Context.RequestAborted);

    return RedirectToLocal(returnUrl);
}

这篇关于如何使用 Windows Active Directory 身份验证和基于身份的声明?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！