Forms Authentication and Active Directory


Question

Currently I have a few projects that use Forms Authentication and I'm able to have users log in with their AD account. The way I have been doing it is very easy.

In web.config:

<!-- First I set up the connection string to the Active Directory account -->
<connectionStrings>
    <add name="ADService" connectionString="LDAP://ourDomainController/OU=stores,DC=DOMAIN,DC=net" />
</connectionStrings>

<!-- Then I add the membership provider for Active Directory -->
<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
    <providers>
        <clear />
        <!-- Membership provider for Active Directory -->
        <add name="AspNetActiveDirectoryMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ADService" attributeMapUsername="sAMAccountName" />
    </providers>
</membership>

I'm not able to log in using the Active Directory usernames and passwords. However, I'm not able to deny access to certain parts of the website to specific groups. This way searches the entire Active Directory and if you are part of it, you're able to log in. In one application, I would insert users into an SQL table, then grant users access to the website and so on if they were part of the SQL table. This works well, however, the application is growing rapidly with many users and I would like to take advantage of the groups within Active Directory. I have spent the past few days researching and experimenting but I'm not finding any solutions. Many have used Windows Authentication, but it is less visually appealing and at this stage, would probably just freak out the end-users for a few weeks. (The application spreads across 13 different stores.) I have also looked into this article... and have tried this solution in a test application but didn't have any luck. Keep getting an error saying "Object reference not set to an instance of an object" in the custom ADRoleProvider.

var root = new DirectoryEntry(WebConfigurationManager.ConnectionStrings[ConnectionStringName].ConnectionString, ConnectionUsername, ConnectionPassword);

I'm just wondering if anyone knows of a way to do this properly or a different way to do this. Any suggestion is helpful! Thanks!

Recommended answer

I have solved the issue. I used the link that I provided in my question and the link that was provided by Kamlesh. The issue was my GetRolesForUser. I had to fix this with this code:

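// At the top of the role provider's source file:
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;

public override string[] GetRolesForUser(string username)
{
    var allRoles = new List<string>();
    // Bind to the domain; the context and principal hold directory handles, so dispose them.
    using (var ctx = new PrincipalContext(ContextType.Domain))
    using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, username))
    {
        // FindByIdentity returns null for an unknown account: return no roles.
        if (user != null)
        {
            // Each AD group the user belongs to becomes a role name.
            using (var groups = user.GetGroups())
            {
                allRoles.AddRange(groups.Select(x => x.Name));
            }
        }
    }
    return allRoles.ToArray();
}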

I no longer get a NullReferenceException and this finds the roles that the user is currently in. Make sure that you are using Groups in the Active Directory as well. Hope this saves someone some time.
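
How a role provider like the one above can be wired up so that AD groups gate parts of the site, as an added example that is not part of the original question or answer. The provider type `MyApp.Security.ADRoleProvider`, the group name `StoreManagers`, the `Admin` path and the login URL are assumptions; the membership provider and connection string are the ones from the question.

```xml
<configuration>
  <system.web>
    <!-- Forms login; requireSSL marks the ticket cookie Secure so it is
         never sent over plain HTTP. Serve the login page over HTTPS too,
         since it carries the user's AD password. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" requireSSL="true"
             timeout="30" slidingExpiration="true" />
    </authentication>

    <!-- Register the custom role provider (type name is an assumption).
         With the role manager enabled, User.IsInRole(...) and the URL
         authorization rules below call its GetRolesForUser.
         cacheRolesInCookie="false" means removing a user from an AD group
         takes effect on the next request, not when a cookie expires. -->
    <roleManager enabled="true" defaultProvider="ADRoleProvider"
                 cacheRolesInCookie="false">
      <providers>
        <clear />
        <add name="ADRoleProvider" type="MyApp.Security.ADRoleProvider" />
      </providers>
    </roleManager>

    <!-- Site-wide default: every request must be authenticated.
         "?" matches anonymous users. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Restrict one part of the site to one AD group (path and group name
       are assumptions). Rules are evaluated top-down and the first match
       wins, so the allow must precede the catch-all deny. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="StoreManagers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The role name in `allow roles` must match the group name string that `GetRolesForUser` returns (the group's `Name`) exactly.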
