使用活动目录组作为角色的windows身份验证

时间:2021-12-06 03:01:48

I've read several questions on this topic, such as here, here, here and here; but none have provided a working solution in my case.

我读过几个关于这个话题的问题,比如这里,这里,这里和这里;但在我的案例中,没有人提供有效的解决方案。

What I want to do:

我想做的是:

Implement Windows authentication for a web app that is only used by our own employees. This way they should not need to log into the app, but already be authenticated by way of having logged into windows.

为只供我们自己的员工使用的web应用程序实现Windows身份验证。这样他们就不需要登录应用程序,但已经通过登录到windows的方式进行了身份验证。

Also, I need to restrict certain areas of the app, based on Active Directory Security Groups that the user may be assigned to.

此外,我需要根据用户可能被分配到的活动目录安全组来限制应用程序的某些区域。

So I want to be able to decorate Controllers / Actions with

所以我想用它来装饰控制器和动作

[Authorize(Roles="SomeRole")]

What I've tried:

我试着什么:

I have

我有

<authentication mode="Windows" />

in my web.config. And I have added several permutations of a <roleManager> as found in some of the posts linked to above. Currently I have this role manager

在我的web . config。我还添加了几个 的排列,如上面链接的一些文章所示。目前我有这个角色经理

<roleManager defaultProvider="WindowsProvider"
  enabled="true"
  cacheRolesInCookie="false">
      <providers>
        <add
          name="WindowsProvider"
          type="System.Web.Security.WindowsTokenRoleProvider" />
      </providers>
    </roleManager>

as found in this post.

如本文所见。

As it is, if I decorate a controller with [Authorize], I can access it fine.

事实上,如果我用[授权]来装饰控制器,我可以很好地访问它。

However:

然而:

I can see in my user settings on the network, that I am part of a AD security group called "IT". But if I decorate the same controller with [Authorize(Roles="IT")] I get the blank screen that is is served by the asp.net development server for a 401 not authorized. This is unexpected. I would think that I should be able to view the page as I am logged in to windows and am part of the group "IT".

我可以在网络上的用户设置中看到,我是一个名为“IT”的广告安全组的成员。但是如果我用[Authorize(role ="IT")修饰同一个控制器,就会得到由asp.net开发服务器为未授权401提供的空白屏幕。这是意想不到的。我认为我应该能够在登录到windows并成为“IT”组的一部分时查看页面。

Most everything I am finding on this topic make it sound very simple to accomplish what I'm trying to do, but I am clearly missing something here.

我在这个话题上找到的大多数东西都让我觉得完成我想要做的事情听起来很简单,但是我显然在这里漏掉了一些东西。

1 个解决方案

#1


34  

For dev I am using IISExpress with development server properties of the MVC project set up so that Anonymous Authentication is Disabled and Windows Authentication is Enabled. The web config is deployed using our TFS build server to test and release servers for which authentication is also setup as above and works in those locations as well.

对于dev,我使用的是IISExpress,并设置了MVC项目的开发服务器属性,以便禁用匿名身份验证和启用Windows身份验证。web配置是使用TFS构建服务器部署的,用于测试和发布服务器,验证也如上面所示设置在这些位置中。

In my web.config I have.

在我的网站。配置。

  <system.web> 
....
       <authentication mode="Windows" />
        <authorization>
          <deny users="?" />
        </authorization>
        <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
          <providers>
            <clear />
            <add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
          </providers>
        </roleManager>
....

    </system.web>

I can use

我可以使用

[Authorize(Roles = @"DOMAIN\ADGroup")]
Public ActionResult Index()
{...}

or

 public ActionResult Index()
        {
            var User = System.Web.HttpContext.Current.User;
            if (User.IsInRole("DOMAIN\\ADGroup"))
            {
                return RedirectToAction("IRSAdmin");
            }
            return View();
        }

After i remember to logoff and log back in so the permission i was given to the AD group were applied.

在我记得注销和登录后,我被允许进入广告组。

#1


34  

For dev I am using IISExpress with development server properties of the MVC project set up so that Anonymous Authentication is Disabled and Windows Authentication is Enabled. The web config is deployed using our TFS build server to test and release servers for which authentication is also setup as above and works in those locations as well.

对于dev,我使用的是IISExpress,并设置了MVC项目的开发服务器属性,以便禁用匿名身份验证和启用Windows身份验证。web配置是使用TFS构建服务器部署的,用于测试和发布服务器,验证也如上面所示设置在这些位置中。

In my web.config I have.

在我的网站。配置。

  <system.web> 
....
       <authentication mode="Windows" />
        <authorization>
          <deny users="?" />
        </authorization>
        <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
          <providers>
            <clear />
            <add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
          </providers>
        </roleManager>
....

    </system.web>

I can use

我可以使用

[Authorize(Roles = @"DOMAIN\ADGroup")]
Public ActionResult Index()
{...}

or

 public ActionResult Index()
        {
            var User = System.Web.HttpContext.Current.User;
            if (User.IsInRole("DOMAIN\\ADGroup"))
            {
                return RedirectToAction("IRSAdmin");
            }
            return View();
        }

After i remember to logoff and log back in so the permission i was given to the AD group were applied.

在我记得注销和登录后,我被允许进入广告组。