使用活动目录组作为角色的 Windows 身份验证 [英] using windows authentication with active directory groups as roles
问题描述
我已经阅读了几个关于这个主题的问题,例如此处、
I've read several questions on this topic, such as here, here, here and here; but none have provided a working solution in my case.
我想做什么:
为仅供我们自己员工使用的网络应用实施 Windows 身份验证.这样他们就不需要登录应用程序,但已经通过登录 Windows 的方式进行了身份验证.
Implement Windows authentication for a web app that is only used by our own employees. This way they should not need to log into the app, but already be authenticated by way of having logged into windows.
此外,我需要根据用户可能被分配到的 Active Directory 安全组来限制应用的某些区域.
Also, I need to restrict certain areas of the app, based on Active Directory Security Groups that the user may be assigned to.
所以我希望能够用
[Authorize(Roles="SomeRole")]
我尝试过的:
我有
<authentication mode="Windows" />
在我的 web.config 中.我已经添加了 <roleManager> 的几个排列,如上面链接的一些帖子中所示.目前我有这个角色经理
in my web.config. And I have added several permutations of a <roleManager> as found in some of the posts linked to above. Currently I have this role manager
<roleManager defaultProvider="WindowsProvider"
enabled="true"
cacheRolesInCookie="false">
<providers>
<add
name="WindowsProvider"
type="System.Web.Security.WindowsTokenRoleProvider" />
</providers>
</roleManager>
如这篇 帖子中所示.
事实上,如果我用 [Authorize] 装饰一个控制器,我可以很好地访问它.
As it is, if I decorate a controller with [Authorize], I can access it fine.
但是:
我可以在网络上的用户设置中看到,我是名为IT"的 AD 安全组的一部分.但是,如果我用 [Authorize(Roles="IT")] 装饰同一个控制器,我会得到一个空白屏幕,该屏幕由 asp.net 开发服务器提供,用于未经授权的 401.这出乎意料.我认为我应该能够在我登录到 Windows 并且是IT"组的一部分时查看该页面.
I can see in my user settings on the network, that I am part of a AD security group called "IT". But if I decorate the same controller with [Authorize(Roles="IT")] I get the blank screen that is is served by the asp.net development server for a 401 not authorized. This is unexpected. I would think that I should be able to view the page as I am logged in to windows and am part of the group "IT".
我在这个主题上发现的大部分内容都使我想要完成的事情听起来很简单,但我显然在这里遗漏了一些东西.
Most everything I am finding on this topic make it sound very simple to accomplish what I'm trying to do, but I am clearly missing something here.
推荐答案
对于开发人员,我正在使用 IISExpress设置 MVC 项目的开发服务器属性,以便匿名身份验证已禁用,Windows 身份验证已启用.Web 配置使用我们的 TFS 构建服务器进行部署,以测试和发布服务器,这些服务器的身份验证也如上所述设置并在这些位置工作.
For dev I am using IISExpress with development server properties of the MVC project set up so that Anonymous Authentication is Disabled and Windows Authentication is Enabled. The web config is deployed using our TFS build server to test and release servers for which authentication is also setup as above and works in those locations as well.
在我的 web.config 中.
In my web.config I have.
<system.web>
....
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
<providers>
<clear />
<add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
</providers>
</roleManager>
....
</system.web>
我可以使用
[Authorize(Roles = @"DOMAINADGroup")]
Public ActionResult Index()
{...}
或
public ActionResult Index()
{
var User = System.Web.HttpContext.Current.User;
if (User.IsInRole("DOMAIN\ADGroup"))
{
return RedirectToAction("IRSAdmin");
}
return View();
}
在我记得注销并重新登录后,我获得了 AD 组的权限.
After i remember to logoff and log back in so the permission i was given to the AD group were applied.
这篇关于使用活动目录组作为角色的 Windows 身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
