In this ASP.NET MVC 3 intranet application (created using MVC 3 Intranet Application template), where users are authenticated automatically against AD, I'm trying to restrict access to a controller to users in the local Administrators group. In order to achieve this, I've tried to apply AuthorizeAttribute like so:
在这个ASP.NET MVC 3内部网应用程序(使用MVC 3 Intranet应用程序模板创建)中,用户根据AD自动进行身份验证,我正在尝试将对控制器的访问限制为本地Administrators组中的用户。为了实现这一点,我试图像这样应用AuthorizeAttribute:
[Authorize(Roles = "Administrators")]
public class ElmahController : Controller
However, even though my AD user (the application reports the expected user has been authenticated) is in the local Administrators group, I cannot gain access to the controller when AuthorizeAttribute is applied. Only a blank page comes up. What am I doing wrong?
但是,即使我的AD用户(应用程序报告预期用户已经过身份验证)位于本地Administrators组中,但在应用AuthorizeAttribute时,我无法访问控制器。只出现一个空白页面。我究竟做错了什么?
On the other hand, I've verified that specifying my particular user works:
另一方面,我已经验证了指定我的特定用户的工作原理:
[Authorize(Users = @"ad\arve")]
public class ElmahController : Controller
In this case, I can retrieve the restricted page successfully.
在这种情况下,我可以成功检索受限页面。
EDIT: I found that qualifying the group with BUILTIN worked:
编辑:我发现使用BUILTIN对团队进行资格认证的工作:
[Authorize(Roles = @"BUILTIN\Administrators")]
Is this the definitive way of referring to local groups via AuthorizeAttribute though??
这是通过AuthorizeAttribute引用本地组的权威方式吗?
2 个解决方案
#1
6
Follow my tutorial How to Create an Intranet Site Using ASP.NET MVC You need to use the built-in AspNetWindowsTokenRoleProvider class , which uses Windows groups as roles
按照我的教程如何使用ASP.NET MVC创建Intranet站点您需要使用内置的AspNetWindowsTokenRoleProvider类,该类使用Windows组作为角色
[Authorize(Roles = @"BUILTIN\Administrators")]
Will only work if you are an admin on the IIS server. If you deploy your application to a production server for your company, you will need to be made a local admin on the production server.
仅在您是IIS服务器上的管理员时才有效。如果将应用程序部署到公司的生产服务器,则需要在生产服务器上成为本地管理员。
#2
0
You can a custom AD authorization attribute to place above each action or controller. I have done this before and did something very similar to the link below. This works if you are using forms authentication and not windows.
您可以将自定义AD授权属性放置在每个操作或控制器上方。我以前做过这个,做了一些非常类似于下面链接的事情。如果您使用表单身份验证而不是Windows,则此方法有效。
Active Directory Authorization based on Groups
基于组的Active Directory授权
#1
6
Follow my tutorial How to Create an Intranet Site Using ASP.NET MVC You need to use the built-in AspNetWindowsTokenRoleProvider class , which uses Windows groups as roles
按照我的教程如何使用ASP.NET MVC创建Intranet站点您需要使用内置的AspNetWindowsTokenRoleProvider类,该类使用Windows组作为角色
[Authorize(Roles = @"BUILTIN\Administrators")]
Will only work if you are an admin on the IIS server. If you deploy your application to a production server for your company, you will need to be made a local admin on the production server.
仅在您是IIS服务器上的管理员时才有效。如果将应用程序部署到公司的生产服务器,则需要在生产服务器上成为本地管理员。
#2
0
You can a custom AD authorization attribute to place above each action or controller. I have done this before and did something very similar to the link below. This works if you are using forms authentication and not windows.
您可以将自定义AD授权属性放置在每个操作或控制器上方。我以前做过这个,做了一些非常类似于下面链接的事情。如果您使用表单身份验证而不是Windows,则此方法有效。
Active Directory Authorization based on Groups
基于组的Active Directory授权