如何使AuthorizeAttribute与ASP.NET MVC 3 Intranet应用程序中的本地Administrators组一起使用?

时间:2021-08-26 06:02:21

In this ASP.NET MVC 3 intranet application (created using MVC 3 Intranet Application template), where users are authenticated automatically against AD, I'm trying to restrict access to a controller to users in the local Administrators group. In order to achieve this, I've tried to apply AuthorizeAttribute like so:

在这个ASP.NET MVC 3内部网应用程序(使用MVC 3 Intranet应用程序模板创建)中,用户根据AD自动进行身份验证,我正在尝试将对控制器的访问限制为本地Administrators组中的用户。为了实现这一点,我试图像这样应用AuthorizeAttribute:

[Authorize(Roles = "Administrators")]
public class ElmahController : Controller

However, even though my AD user (the application reports the expected user has been authenticated) is in the local Administrators group, I cannot gain access to the controller when AuthorizeAttribute is applied. Only a blank page comes up. What am I doing wrong?

但是,即使我的AD用户(应用程序报告预期用户已经过身份验证)位于本地Administrators组中,但在应用AuthorizeAttribute时,我无法访问控制器。只出现一个空白页面。我究竟做错了什么?

On the other hand, I've verified that specifying my particular user works:

另一方面,我已经验证了指定我的特定用户的工作原理:

[Authorize(Users = @"ad\arve")]
public class ElmahController : Controller

In this case, I can retrieve the restricted page successfully.

在这种情况下,我可以成功检索受限页面。

EDIT: I found that qualifying the group with BUILTIN worked:

编辑:我发现使用BUILTIN对团队进行资格认证的工作:

[Authorize(Roles = @"BUILTIN\Administrators")]

Is this the definitive way of referring to local groups via AuthorizeAttribute though??

这是通过AuthorizeAttribute引用本地组的权威方式吗?

2 个解决方案

#1


6  

Follow my tutorial How to Create an Intranet Site Using ASP.NET MVC You need to use the built-in AspNetWindowsTokenRoleProvider class , which uses Windows groups as roles

按照我的教程如何使用ASP.NET MVC创建Intranet站点您需要使用内置的AspNetWindowsTokenRoleProvider类,该类使用Windows组作为角色

[Authorize(Roles = @"BUILTIN\Administrators")]

Will only work if you are an admin on the IIS server. If you deploy your application to a production server for your company, you will need to be made a local admin on the production server.

仅在您是IIS服务器上的管理员时才有效。如果将应用程序部署到公司的生产服务器,则需要在生产服务器上成为本地管理员。

#2


0  

You can a custom AD authorization attribute to place above each action or controller. I have done this before and did something very similar to the link below. This works if you are using forms authentication and not windows.

您可以将自定义AD授权属性放置在每个操作或控制器上方。我以前做过这个,做了一些非常类似于下面链接的事情。如果您使用表单身份验证而不是Windows,则此方法有效。

Active Directory Authorization based on Groups

基于组的Active Directory授权

#1


6  

Follow my tutorial How to Create an Intranet Site Using ASP.NET MVC You need to use the built-in AspNetWindowsTokenRoleProvider class , which uses Windows groups as roles

按照我的教程如何使用ASP.NET MVC创建Intranet站点您需要使用内置的AspNetWindowsTokenRoleProvider类,该类使用Windows组作为角色

[Authorize(Roles = @"BUILTIN\Administrators")]

Will only work if you are an admin on the IIS server. If you deploy your application to a production server for your company, you will need to be made a local admin on the production server.

仅在您是IIS服务器上的管理员时才有效。如果将应用程序部署到公司的生产服务器,则需要在生产服务器上成为本地管理员。

#2


0  

You can a custom AD authorization attribute to place above each action or controller. I have done this before and did something very similar to the link below. This works if you are using forms authentication and not windows.

您可以将自定义AD授权属性放置在每个操作或控制器上方。我以前做过这个,做了一些非常类似于下面链接的事情。如果您使用表单身份验证而不是Windows,则此方法有效。

Active Directory Authorization based on Groups

基于组的Active Directory授权