使用与Active Directory组作为角色的Windows身份验证 [英] using windows authentication with active directory groups as roles
问题描述
我读过关于这一主题的几个问题, 如<一个href="http://stackoverflow.com/questions/5833059/authenticate-user-using-active-directory-windows-authentication-in-ms-access-200">here, <一href="http://stackoverflow.com/questions/13398079/getting-user-roles-groups-from-active-directory-mvc3">here, 这里和<一href="http://stackoverflow.com/questions/209242/asp-net-role-based-authentication-using-security-groups-in-active-directory">here; 但都没有在我的情况下,提供了一个工作的解决方案。
I've read several questions on this topic, such as here, here, here and here; but none have provided a working solution in my case.
我想做什么:
实现的web应用程序,仅由我们自己的员工Windows身份验证。这样,他们不应该需要登录到应用程序,但已经通过已经登录到Windows的方式进行身份验证。
Implement Windows authentication for a web app that is only used by our own employees. This way they should not need to log into the app, but already be authenticated by way of having logged into windows.
另外,我需要限制应用程序的某些区域,基于Active Directory安全组,用户可能被分配到。
Also, I need to restrict certain areas of the app, based on Active Directory Security Groups that the user may be assigned to.
所以,我希望能够装点控制器/用行动
So I want to be able to decorate Controllers / Actions with
[Authorize(Roles="SomeRole")]
我已经试过:
我
<authentication mode="Windows" />
在我的web.config。而且我已经添加了几个排列一个&LT的; roleManager&GT; 在一些链接到上面的帖子中。目前,我有这个角色管理器
in my web.config. And I have added several permutations of a <roleManager> as found in some of the posts linked to above. Currently I have this role manager
<roleManager defaultProvider="WindowsProvider"
enabled="true"
cacheRolesInCookie="false">
<providers>
<add
name="WindowsProvider"
type="System.Web.Security.WindowsTokenRoleProvider" />
</providers>
</roleManager>
在<一个发现href="http://msdn.microsoft.com/en-us/library/system.web.security.windowstokenroleprovider.aspx">this帖子。
正因为如此,如果我装点着控制器[授权] ,我可以罚款访问它。
As it is, if I decorate a controller with [Authorize], I can access it fine.
但是:
我可以在我的用户设置在网络上看到的,我是一个被称为ITAD安全组的一部分。但是,如果我装点着相同的控制器 [授权(角色=IT)] 我得到的是由服务asp.net开发服务器401的空白屏幕未经授权。 这是出乎意料的。我认为我应该能够查看网页,因为我登录到Windows和我是集团的一部分IT。
I can see in my user settings on the network, that I am part of a AD security group called "IT". But if I decorate the same controller with [Authorize(Roles="IT")] I get the blank screen that is is served by the asp.net development server for a 401 not authorized. This is unexpected. I would think that I should be able to view the page as I am logged in to windows and am part of the group "IT".
大多数的一切,我发现关于这个主题让这听起来很容易做到我想要做的,但我清楚地失去了一些东西。
Most everything I am finding on this topic make it sound very simple to accomplish what I'm trying to do, but I am clearly missing something here.
推荐答案
有关开发,我使用IISEx preSS 与MVC项目的开发服务器属性设置,使 匿名身份验证功能和Windows身份验证已启用。 web配置是用我们的TFS构建服务器来测试和发布服务器中的身份验证也设置如上,工作在这些地点,以及部署。
For dev I am using IISExpress with development server properties of the MVC project set up so that Anonymous Authentication is Disabled and Windows Authentication is Enabled. The web config is deployed using our TFS build server to test and release servers for which authentication is also setup as above and works in those locations as well.
在我的web.config我有。
In my web.config I have.
<system.web>
....
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
<providers>
<clear />
<add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
</providers>
</roleManager>
....
</system.web>
我可以使用
[Authorize(Roles = @"DOMAIN\ADGroup")]
Public ActionResult Index()
{...}
或
public ActionResult Index()
{
var User = System.Web.HttpContext.Current.User;
if (User.IsInRole("DOMAIN\\ADGroup"))
{
return RedirectToAction("IRSAdmin");
}
return View();
}
在我记得注销和,所以我是给被应用在AD组的权限登录。
After i remember to logoff and log back in so the permission i was given to the AD group were applied.
这篇关于使用与Active Directory组作为角色的Windows身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
