ASP.NET 中的 ActiveDirectory 当前用户名 [英] ActiveDirectory Current Username in ASP.NET
问题描述
我正在尝试让 ActiveDirectory 和标准表单登录都能正常工作,但有一件事阻止了我.我无法获取当前 Windows 用户的名称.我得到的最接近的是 var i = WindowsIdentity.GetCurrent();,但这给了我 IIS 应用程序池用户的名称.我在 IIS 中启用了匿名身份验证、表单身份验证和 Windows 身份验证.我可以从 AD 加载用户,所以我假设我的 web.config 设置正确.
I'm trying to get both ActiveDirectory and standard forms login working but one thing is stopping me. I can't get the name of the current windows user. The closest I've got is var i = WindowsIdentity.GetCurrent();, but that gives me the name of the IIS app pool user. I have Anonymous Authentication, Forms Authentication and Windows Authentication enabled in IIS. I can load users from AD so I assume my web.config is setup correctly.
编辑:这是我的 web.config(使用 Facade 提供程序):
Edit: This is my web.config (using a Facade provider):
<membership defaultProvider="HybridMembershipProvider">
<providers>
<clear />
<add name="HybridMembershipProvider" type="MyApp.Data.HybridMembershipProvider" AspNetProviderName="AspNetSqlMembershipProvider" ActiveDirectoryProviderName="ADMembershipProvider" />
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="MyAppConnection" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="4" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
<add name="ADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ADConnectionString"
attributeMapUsername="sAMAccountName" enableSearchMethods="true" attributeMapEmail="mail"/>
</providers>
</membership>
编辑 2:这是我的 IIS 安全设置.
Edit 2: Here's my IIS security setup.
推荐答案
如果您在 IIS 中打开 ASP.Net Impersonation,您可以获得您想要的用户名.仅当该数据位于表单成员资格提供商/AD 中且它们不是匿名的时,这才有效.
If you turn on ASP.Net Impersonation in IIS, you can get the username like you wanted to. This will only work if that data is in the forms membership provider / AD, and they are not Anonymous.
此外,混合基于表单和基于 Windows/AD 的身份验证是可行的,但不推荐.如果需要,请参阅此.
Also, mixing Forms based and Windows/AD based auth is doable but not recommended. See this if you need to do it.
编辑:我想我误解了您想要的内容,因此这里对上述解决方案的情况进行了高层次的掩饰:
EDIT: I think I misunderstood what you wanted so here's a high-level glossing over of what goes on with the aforementioned solution:
如果您关闭匿名身份验证并打开 Asp.Net Impersonation,IIS 将在有人访问该站点时执行 401 质询.
如果所有内容都在同一个域中,Web 浏览器会将您的凭据发送到 IIS,IIS 将根据它的 Active Directory 验证它们,然后 AD 将为 IIS 提供一个身份以供使用.
If you turn off Anonymous Authentication, and turn on Asp.Net Impersonation, IIS will do a 401 Challenge whenever somebody visits the site.
If everything is on the same domain, the web browser will send your credentials to IIS, IIS will validate them against it's Active Directory, and then AD will give IIS an Identity to work with.
当您打开 Asp.Net Impersonation 时,IIS 会将该标识绑定到当前线程/请求.因此,在身份验证发生后,您可以从当前线程标识中获取用户名,然后像这样查询 Active Directory:
When you have Asp.Net Impersonation turned on, IIS will then bind that Identity to the current thread/request. So after authentication happens, you can just grab the username from the current thread identity, and then query Active Directory like:
using System.Threading;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
......
PrincipalContext pc = null;
UserPrincipal principal = null;
try
{
var username = Thread.CurrentPrincipal.Identity.Name;
pc = new PrincipalContext(ContextType.Domain, "active.directory.domain.com");
principal = UserPrincipal.FindByIdentity(pc, username);
var firstName = principal.GivenName ?? string.Empty
var lastName = principal.Surname ?? string.Empty
return string.Format("Hello {0} {1}!", firstName, lastName);
}
catch ...
finally
{
if (principal != null) principal.Dispose();
if (pc != null) pc.Dispose();
}
这篇关于ASP.NET 中的 ActiveDirectory 当前用户名的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
