Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
705 views
in Technique[技术] by (71.8m points)

asp.net mvc - using windows authentication with active directory groups as roles

I've read several questions on this topic, such as here, here, here and here; but none have provided a working solution in my case.

What I want to do:

Implement Windows authentication for a web app that is only used by our own employees. This way they should not need to log into the app, but already be authenticated by way of having logged into windows.

Also, I need to restrict certain areas of the app, based on Active Directory Security Groups that the user may be assigned to.

So I want to be able to decorate Controllers / Actions with

[Authorize(Roles="SomeRole")]

What I've tried:

I have

<authentication mode="Windows" />

in my web.config. And I have added several permutations of a <roleManager> as found in some of the posts linked to above. Currently I have this role manager

<roleManager defaultProvider="WindowsProvider"
  enabled="true"
  cacheRolesInCookie="false">
      <providers>
        <add
          name="WindowsProvider"
          type="System.Web.Security.WindowsTokenRoleProvider" />
      </providers>
    </roleManager>

as found in this post.

As it is, if I decorate a controller with [Authorize], I can access it fine.

However:

I can see in my user settings on the network, that I am part of a AD security group called "IT". But if I decorate the same controller with [Authorize(Roles="IT")] I get the blank screen that is is served by the asp.net development server for a 401 not authorized. This is unexpected. I would think that I should be able to view the page as I am logged in to windows and am part of the group "IT".

Most everything I am finding on this topic make it sound very simple to accomplish what I'm trying to do, but I am clearly missing something here.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

For dev I am using IISExpress with development server properties of the MVC project set up so that Anonymous Authentication is Disabled and Windows Authentication is Enabled. The web config is deployed using our TFS build server to test and release servers for which authentication is also setup as above and works in those locations as well.

In my web.config I have.

  <system.web> 
....
       <authentication mode="Windows" />
        <authorization>
          <deny users="?" />
        </authorization>
        <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
          <providers>
            <clear />
            <add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
          </providers>
        </roleManager>
....

    </system.web>

I can use

[Authorize(Roles = @"DOMAINADGroup")]
Public ActionResult Index()
{...}

or

 public ActionResult Index()
        {
            var User = System.Web.HttpContext.Current.User;
            if (User.IsInRole("DOMAIN\ADGroup"))
            {
                return RedirectToAction("IRSAdmin");
            }
            return View();
        }

After i remember to logoff and log back in so the permission i was given to the AD group were applied.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...