asp.net-mvc 使用活动目录组作为角色的 Windows 身份验证
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/13767439/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
using windows authentication with active directory groups as roles
提问by Forty-Two
I've read several questions on this topic, such as here, here, hereand here; but none have provided a working solution in my case.
我已经阅读了有关此主题的几个问题,例如此处、此处、此处和此处;但在我的情况下,没有一个提供有效的解决方案。
What I want to do:
我想做的事:
Implement Windows authentication for a web app that is only used by our own employees. This way they should not need to log into the app, but already be authenticated by way of having logged into windows.
为仅由我们自己的员工使用的 Web 应用程序实施 Windows 身份验证。这样他们就不需要登录应用程序,但已经通过登录 Windows 进行了身份验证。
Also, I need to restrict certain areas of the app, based on Active Directory Security Groups that the user may be assigned to.
此外,我需要根据用户可能分配到的 Active Directory 安全组来限制应用程序的某些区域。
So I want to be able to decorate Controllers / Actions with
所以我希望能够用
[Authorize(Roles="SomeRole")]
What I've tried:
我试过的:
I have
我有
<authentication mode="Windows" />
in my web.config. And I have added several permutations of a <roleManager>as found in some of the posts linked to above. Currently I have this role manager
在我的 web.config 中。我<roleManager>在上面链接的一些帖子中添加了 a 的几个排列。目前我有这个角色经理
<roleManager defaultProvider="WindowsProvider"
enabled="true"
cacheRolesInCookie="false">
<providers>
<add
name="WindowsProvider"
type="System.Web.Security.WindowsTokenRoleProvider" />
</providers>
</roleManager>
as found in thispost.
正如在这篇文章中找到的那样。
As it is, if I decorate a controller with [Authorize], I can access it fine.
事实上,如果我用 装饰控制器[Authorize],我可以很好地访问它。
However:
然而:
I can see in my user settings on the network, that I am part of a AD security group called "IT". But if I decorate the same controller with [Authorize(Roles="IT")]I get the blank screen that is is served by the asp.net development server for a 401 not authorized. This is unexpected.I would think that I should be able to view the page as I am logged in to windows and am part of the group "IT".
我可以在网络上的用户设置中看到,我是名为“IT”的 AD 安全组的一部分。但是,如果我装饰同一个控制器,[Authorize(Roles="IT")]我会得到由 401 未经授权的 asp.net 开发服务器提供的空白屏幕。 这是出乎意料的。我认为我应该能够在我登录到 Windows 并且是“IT”组的一部分时查看该页面。
Most everything I am finding on this topic make it sound very simple to accomplish what I'm trying to do, but I am clearly missing something here.
我在这个主题上找到的大部分内容都使完成我想要做的事情听起来很简单,但我显然在这里遗漏了一些东西。
回答by ozhug
For dev I am using IISExpress with development server properties of the MVC project set up so that Anonymous Authentication is Disabled and Windows Authentication is Enabled. The web config is deployed using our TFS build server to test and release servers for which authentication is also setup as above and works in those locations as well.
对于开发人员,我将 IISExpress 与 MVC 项目的开发服务器属性一起使用,以便禁用匿名身份验证并启用 Windows 身份验证。使用我们的 TFS 构建服务器部署 Web 配置以测试和发布服务器,这些服务器的身份验证也按上述方式设置并在这些位置工作。
In my web.config I have.
在我的 web.config 我有。
<system.web>
....
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
<providers>
<clear />
<add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
</providers>
</roleManager>
....
</system.web>
I can use
我可以用
[Authorize(Roles = @"DOMAIN\ADGroup")]
Public ActionResult Index()
{...}
or
或者
public ActionResult Index()
{
var User = System.Web.HttpContext.Current.User;
if (User.IsInRole("DOMAIN\ADGroup"))
{
return RedirectToAction("IRSAdmin");
}
return View();
}
After i remember to logoff and log back in so the permission i was given to the AD group were applied.
在我记得注销并重新登录后,我获得了 AD 组的权限。
