映射User.Identity在.NET MVC应用程序到Active Directory用户 [英] Mapping User.Identity in .NET MVC app to active directory user
问题描述
我在写一个.NET MVC 5应用程序,它是在Intranet上,使用Windows身份验证,需要查询Active Directory,看看有什么组可用,然后检查,如果用户是在那个角色。
I'm writing a .NET MVC 5 app which is on an intranet, uses Windows Authentication and needs to query Active Directory to see what groups are available and then check if a user is in that role.
组和用户名称的来源将是活动目录。那么我需要使用.NET身份检查身份和会员资格。我不知道是什么字段映射到什么。
The source of group and user names will be active directory. I then need to check identity and membership using .NET Identity. I'm not sure what fields map to what.
在公元感兴趣的领域似乎是:
Fields of interest in AD seem to be:
- SAM帐户名:我觉得这是我从User.Identity获取用户名,但该文档说,这个属性是: 用于支持客户端和运行早期版本的操作系统,如Windows NT 4.0,Windows 95中,Windows 98和LAN Manager服务器的登录名。的
- CN:用户名的显示的版本
- 的objectGUID:作为一个用户或组,将不会改变的标识符。重要的,因为用户会改变他们的用户名,如果自己的姓氏变化。
- SamAccountName: I think this is the username that I get from User.Identity, but the docs say that this property is: The logon name used to support clients and servers running earlier versions of the operating system, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager.
- CN: A displayable version of the user's name
- objectGUID: An identifier for a user or group that won't change. Important as users will change their username if their surname changes.
所以,我觉得 SAM帐户== User.Identity.Name ,但该文档说SAM帐户名是早期的操作系统。这是否实际上意味着,这是德precated,我应该用别的东西?
So, I think SamAccountName == User.Identity.Name, but the docs say that SamAccountName is for earlier operating systems. Does this effectively mean this is deprecated and I should be using something else?
另外,是我断言关于CN和的objectGUID是否正确?
Also, are my assertions about CN and objectGUID correct?
推荐答案
第一步:设置参数来使用AD:
在web.config文件中的部分,设置如下:
In your the section of your web.config file, set the following:
<authentication mode="Windows" />
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
<providers>
<clear />
<add
name="AspNetWindowsTokenRoleProvider"
type="System.Web.Security.WindowsTokenRoleProvider"
applicationName="/" />
</providers>
</roleManager>
现在,您将能够直接使用的方法从System.Web.Security命名空间。
Now, you will be able to directly use methods from the System.Web.Security namespace.
如果您想限制访问视图的组名群的广告的唯一的人成员:
您只需要像装点您的控制器操作:
You only have to decorate your controller action like that:
[Authorize(Roles = @"DOMAIN\groupName")]
Public ActionResult Index()
{...}
如果您想根据AD组的用户做处理:
使用方法,如在处理IsInRole(角色名):
Use methods such as "IsInRole(rolename)" in your treatments:
if (User.IsInRole("DOMAIN\\groupName"))
{
// Do what you want
}
编辑:执行有问题的:在这里,你要救影响到你的任务,当你创建任务组的sAMAccountName赋。然后,当用户想要标记的任务已完成,只检查:
implementation of the problematic: here you should save the sAMAccountName of the group affected to your task when you create the task. Then when a user wants to mark the task as complete, just check:
if (User.IsInRole("DOMAIN\\" + sAMAccountNameOfTheGroupDedicatedToYourTask))
{
// Mark as complete
}
这篇关于映射User.Identity在.NET MVC应用程序到Active Directory用户的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!