User.IsInRole("fake group") results in "The trust relationship between the primary domain and the trusted domain failed"

Problem description

I have an MVC 3 app, using Windows Authentication with Claims using WIF 4.5.

Access to the application is controlled (currently) via membership in an AD group:

<deny users="?" />
<allow roles="domain\somegroup" />
<deny users="*" />

In addition to the AD groups, we have custom roles that need to be added. (This app is being converted from Forms to Windows authentication)

To support these custom roles (until they are managed in AD), we are adding them as ClaimTypes.GroupSid claims to the user, so that existing code utilizing [Authorize("ADMIN")] and User.IsInRole("ADMIN") continues to function:

using System.Security.Claims;
using System.Security.Principal;

protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
{
    // Windows authentication yields a WindowsIdentity (a ClaimsIdentity in .NET 4.5)
    var identity = ClaimsPrincipal.Current.Identity as WindowsIdentity;
    if (identity == null || !identity.IsAuthenticated)
    {
        return; // anonymous or non-Windows identity: nothing to add
    }
    var roles = userDAL.GetRoles(identity.Name);
    foreach (var role in roles)
    {
        // GroupSid is WindowsIdentity's RoleClaimType, so IsInRole can see these claims
        identity.AddClaim(new Claim(ClaimTypes.GroupSid, role));
    }
}

And this is all working as expected.

Except when the current user is NOT a member of some custom role (like ADMIN) and that role also doesn't exist in AD.

We use [Authorize("ADMIN")] on Controller Action Methods, as well as various instances of User.IsInRole("ADMIN") depending on the scenario. It's in those instances where the error occurs and the app blows up.

The AD infrastructure is in the midst of an upgrade/migration. I'm not privy to all the details there, but I do know there are a handful of domains, supposedly with trust between them, and it's been alluded to me by the infrastructure folks that these trust relationships are up and running.

So really I guess I'm wondering 2 things:

  1. This really doesn't seem like something our code should have to handle. So what could really be wrong with the domain? Can I find out what 'trusted' domain the trust relationship is failing for?

  2. What is the best way to work around this? I dislike the idea of writing helper methods & Authorize() subclasses just to trap this exception.
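The following is an added example, not code from the question or from its answer. It illustrates why the error surfaces only for role names that do not exist in AD: WindowsPrincipal.IsInRole(string) first tries to translate the name into a SID through the Windows account lookup (which is where a broken domain trust is reported), and only if that yields nothing does it fall back to ClaimsPrincipal's check of the role claims, which is the part that makes the ClaimTypes.GroupSid claims work. A role check that consults the claim set first, and sends only "DOMAIN\group"-shaped names to the directory, never triggers that lookup for custom roles. The class names RoleCheck and ClaimRoleAuthorizeAttribute are hypothetical, the rule that custom roles never contain a backslash is an assumption, and the attribute uses the Roles property of MVC 3's AuthorizeAttribute.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Hypothetical helper (not from the question). Custom application roles live in
// the claim set, so they are answered from memory; only names that look like
// domain groups are handed to WindowsPrincipal, which resolves them through AD.
public static class RoleCheck
{
    public static bool HasRoleClaim(ClaimsPrincipal principal, string role)
    {
        if (principal == null || string.IsNullOrWhiteSpace(role))
            return false;

        // WindowsIdentity.RoleClaimType is ClaimTypes.GroupSid, matching the claims
        // added in Application_PostAuthenticateRequest. Other identity types are
        // checked against their own RoleClaimType.
        return principal.Identities.Any(id => id.HasClaim(id.RoleClaimType, role));
    }

    public static bool IsInRole(ClaimsPrincipal principal, string role)
    {
        if (HasRoleClaim(principal, role))
            return true;

        // Assumption: custom roles never contain a backslash, AD groups always do
        // ("DOMAIN\group"). Anything else is not sent to the directory at all.
        if (string.IsNullOrWhiteSpace(role) || role.IndexOf('\\') < 0)
            return false;

        try
        {
            return principal.IsInRole(role);
        }
        catch (SystemException ex)
        {
            // Name-to-SID translation failed (the trust error lands here). Fail closed
            // and record which role triggered the lookup, so the directory team can
            // see which domain the failing trust belongs to.
            System.Diagnostics.Trace.TraceError("Role lookup for '{0}' failed: {1}", role, ex.Message);
            return false;
        }
    }
}

// Drop-in replacement for [Authorize(Roles = "...")] on MVC 3 controllers/actions.
public class ClaimRoleAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var principal = httpContext.User as ClaimsPrincipal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false;

        if (string.IsNullOrWhiteSpace(Roles))
            return true; // authenticated is enough when no roles are listed

        var required = Roles.Split(',')
                            .Select(r => r.Trim())
                            .Where(r => r.Length > 0);

        return required.Any(r => RoleCheck.IsInRole(principal, r));
    }
}

// Usage on a controller action:
// [ClaimRoleAuthorize(Roles = "ADMIN")]
// public ActionResult Settings() { ... }
```

Two design points: the check fails closed on a lookup error rather than granting access, and the trace line names the role that forced a directory call, which answers the question of which trusted domain is involved without a separate diagnostic tool. Claim values are compared ordinally, so "ADMIN" and "admin" are different roles; whatever casing userDAL.GetRoles returns must match the casing used in the attributes.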

Solution

Please go to inetmgr, sites, default web site, site name, iis group, double-click authentication, disable anonymous authentication, then reset the app pool.
