AspNetWindowsTokenRoleProvider 对于 ASP.NET 中的 Windows 身份验证无法正常工作
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/264278/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
AspNetWindowsTokenRoleProvider not working correctly for Windows Authentication in ASP.NET
提问by
I am developing an Intranet Application in ASP.NET that uses Windows Authentication. I have created an AD class that gets information from the Active Directory Domain Controller. This is what I use to get things like User Groups that the currently logged user is in. The problem is in the ASP.NET Roles that the user is in. Seems funny, but the list of AD Groups that the user is in is totally different from the list of Roles that the user has.
我正在 ASP.NET 中开发一个使用 Windows 身份验证的 Intranet 应用程序。我创建了一个从 Active Directory 域控制器获取信息的 AD 类。这是我用来获取当前登录用户所在的用户组之类的东西。问题在于用户所在的 ASP.NET 角色。看起来很有趣,但用户所在的 AD 组列表完全是不同于用户拥有的角色列表。
Here is what I get:
这是我得到的:
List of AD Groups for a certian user
certian 用户的 AD 组列表
- Developers
- Account Operators
- Domain Admins
- IS_IUSRS
- Administrators
- 开发商
- 帐户操作员
- 域管理员
- IS_IUSRS
- 管理员
List of the same user's Roles
同一用户的角色列表
- PUDDOM\Domain Users
- Everyone
- BUILTIN\Users
- BUILTIN\Administrators
- NT AUTHORITY\INTERACTIVE
- NT AUTHORITY\Authenticated Users
- NT AUTHORITY\This Organization
- LOCAL
- PUDDOM\Domain Admins
- PUDDOM\Denied RODC Password Replication Group
- PUDDOM\DnsAdmins
- PUDDOM\域用户
- 每个人
- 内置\用户
- 内置\管理员
- NT 权威\互动
- NT AUTHORITY\经过身份验证的用户
- NT AUTHORITY\本组织
- 当地的
- PUDDOM\域管理员
- PUDDOM\Denied RODC 密码复制组
- PUDDOM\DnsAdmins
OTHER INFORMATION:
其他信息:
- I have my website use Integrated Windows Authentication from IIS7.
- A portion of my
web.configlooks like
- 我的网站使用来自 IIS7 的集成 Windows 身份验证。
- 我的一部分
web.config看起来像
this:
这个:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
<roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true">
<providers>
<remove name="AspNetSqlRoleProvider" />
</providers>
</roleManager>
How do I reconcile the list?
我如何协调清单?
I need to make my Roles list reflect the same data as my AD Groups list because I will use Role trimming in my site map and other stuff.
我需要让我的角色列表反映与我的 AD 组列表相同的数据,因为我将在我的站点地图和其他内容中使用角色修剪。
回答by Stephen M. Redd
Part of your result is because some of the groups the user belongs to are members of other groups. The full list of a user's groups will include all groups the user belongs to, both directly and via membership in other groups who are also members.
您的部分结果是因为用户所属的某些组是其他组的成员。用户组的完整列表将包括该用户所属的所有组,包括直接或通过也是成员的其他组的成员身份。
The list will also include built-in groups that are normally hidden from the native admin tools by default.
该列表还将包括默认情况下通常对本机管理工具隐藏的内置组。
Your best bet is to have the application store a master list of the groups you want your application to see, or a list of groups you want your application to ignore (either an include list, or an exclude list). Then when you pull back a specific user's roles, just compare it to the configured exclude or include list and filter out the unwanted results.
最好的办法是让应用程序存储您希望应用程序查看的组的主列表,或者您希望应用程序忽略的组列表(包括列表或排除列表)。然后,当您撤回特定用户的角色时,只需将其与配置的排除或包含列表进行比较并过滤掉不需要的结果。
If you want an easier way, there is an open source AD role provider over at codeprojectthat already has support for both exclude and include lists. It also has other nice features like optional caching that will REALLY speed up your application. The build-in AD role provider performs very poorly.
如果您想要更简单的方法,codeproject上有一个开源AD 角色提供程序,它已经支持排除和包含列表。它还具有其他不错的功能,例如可选的缓存,可以真正加快您的应用程序的速度。内置 AD 角色提供程序的性能非常差。
回答by CPU_BUSY
You might need to assign the website permissions specifically to the groups you want to enumerate.
您可能需要专门为要枚举的组分配网站权限。
