映射User.Identity在.NET MVC应用程序到Active Directory用户 [英] Mapping User.Identity in .NET MVC app to active directory user

问题描述

我在写一个.NET MVC 5应用程序，它是在Intranet上，使用Windows身份验证，需要查询Active Directory，看看有什么组可用，然后检查，如果用户是在那个角色。

I'm writing a .NET MVC 5 app which is on an intranet, uses Windows Authentication and needs to query Active Directory to see what groups are available and then check if a user is in that role.

组和用户名称的来源将是活动目录。那么我需要使用.NET身份检查身份和会员资格。我不知道是什么字段映射到什么。

The source of group and user names will be active directory. I then need to check identity and membership using .NET Identity. I'm not sure what fields map to what.

在公元感兴趣的领域似乎是：

Fields of interest in AD seem to be:

• SAM帐户名：我觉得这是我从User.Identity获取用户名，但该文档说，这个属性是： 用于支持客户端和运行早期版本的操作系统，如Windows NT 4.0，Windows 95中，Windows 98和LAN Manager服务器的登录名。的
• CN：用户名的显示的版本
• 的objectGUID：作为一个用户或组，将不会改变的标识符。重要的，因为用户会改变他们的用户名，如果自己的姓氏变化。

• SamAccountName: I think this is the username that I get from User.Identity, but the docs say that this property is: The logon name used to support clients and servers running earlier versions of the operating system, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager.
• CN: A displayable version of the user's name
• objectGUID: An identifier for a user or group that won't change. Important as users will change their username if their surname changes.

所以，我觉得 SAM帐户== User.Identity.Name ，但该文档说SAM帐户名是早期的操作系统。这是否实际上意味着，这是德precated，我应该用别的东西？

So, I think SamAccountName == User.Identity.Name, but the docs say that SamAccountName is for earlier operating systems. Does this effectively mean this is deprecated and I should be using something else?

另外，是我断言关于CN和的objectGUID是否正确？

Also, are my assertions about CN and objectGUID correct?

推荐答案

第一步：设置参数来使用AD：

在web.config文件中的部分，设置如下：

In your the section of your web.config file, set the following:

<authentication mode="Windows" />

<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
   <providers>
      <clear />
      <add 
          name="AspNetWindowsTokenRoleProvider"
          type="System.Web.Security.WindowsTokenRoleProvider" 
          applicationName="/" />
   </providers>
</roleManager>

现在，您将能够直接使用的方法从System.Web.Security命名空间。

Now, you will be able to directly use methods from the System.Web.Security namespace.

如果您想限制访问视图的组名群的广告的唯一的人成员：

您只需要像装点您的控制器操作：

You only have to decorate your controller action like that:

[Authorize(Roles = @"DOMAIN\groupName")]
Public ActionResult Index()
{...}

如果您想根据AD组的用户做处理：

使用方法，如在处理IsInRole（角色名）：

Use methods such as "IsInRole(rolename)" in your treatments:

if (User.IsInRole("DOMAIN\\groupName"))
{
     // Do what you want
}

编辑：执行有问题的：在这里，你要救影响到你的任务，当你创建任务组的sAMAccountName赋。然后，当用户想要标记的任务已完成，只检查：

implementation of the problematic: here you should save the sAMAccountName of the group affected to your task when you create the task. Then when a user wants to mark the task as complete, just check:

if (User.IsInRole("DOMAIN\\" + sAMAccountNameOfTheGroupDedicatedToYourTask))
{
     // Mark as complete
}

这篇关于映射User.Identity在.NET MVC应用程序到Active Directory用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！