c# - MVC authentication/authorization with Active Directory in IIS Express

Tags: c# asp.net-mvc-4 authentication active-directory iis-express

http://forums.asp.net/t/1894061.aspx?ASP+NET+MVC+integration+with+Active+Directory

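Regarding the post above.

I have been trying to implement Active Directory security with IIS Express for my local development environment, which uses Visual Studio 2013. So far I have modified IIS Express to let me override the authentication methods in applicationhost.config, as described in this post: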

IIS Express Windows Authentication

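In addition, I made the default application pool user a valid domain administrator. I modified the Authorize attribute on the Home controller of the basic MVC site. I then added the following code to the Home controller, as suggested in the first post I mentioned. The code is below. When I browse to this page, it only shows the groups of the local machine that I belong to. It does not show the groups of the domain that I belong to. So I can't actually authorize any groups in my domain, only groups that exist locally. Why is that? Any help would be appreciated.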

<h2>Logged in as: @User.Identity.Name</h2>
<h2>Groups</h2>
<ul>
@{
    var id = User.Identity as System.Security.Principal.WindowsIdentity;
    foreach(var g in id.Groups)
    {
        var name = g.Translate(typeof(System.Security.Principal.NTAccount)).Value;
        var nameWithoutAuthority = name;
        var idx = name.IndexOf('\\');
        if (idx >= 0)
        {
            nameWithoutAuthority = name.Substring(idx + 1);
        }
        <li>@g.Value,
            @name,
            @User.IsInRole(name),
            @nameWithoutAuthority,
            @User.IsInRole(nameWithoutAuthority)
        </li>
    }
}
</ul>

Best answer

The behavior you're seeing appears to be by design; see Which Groups Does WindowsIdentity.Groups Return?

Summary

Under the covers, WindowsIdentity populates the groups collection by querying Windows for information on the groups that the user token is a member of. However, before returning this list, the Groups property filters out some of the returned groups.

Specifically, any groups which were on the token for deny-only will not be returned in the Groups collection. Similarly, a group which is the SE_GROUP_LOGON_ID will not be returned.

...If you want to retrieve all of the groups however, there's not an easy built-in way for you to do this. Instead, you'll have to P/Invoke to the GetTokenInformation API to retrieve the groups yourself.

using System;
using System.Linq;
using System.Security.Principal;

// Extension methods must live in a static class.
public static class Program
{
    public static void Main()
    {
        using (WindowsIdentity currentIdentity = WindowsIdentity.GetCurrent())
        {
            var groups = // Get all of the groups from our account, and translate them from IdentityReferences to NTAccounts
                        from groupIdentity in currentIdentity.Groups
                        where groupIdentity.IsValidTargetType(typeof(NTAccount))
                        select groupIdentity.Translate(typeof(NTAccount)) as NTAccount into ntAccounts

                        // Sort the NTAccounts by their domain name
                        let domainName = ntAccounts.GetDomainName()
                        let groupName = ntAccounts.GetAccountName()
                        orderby domainName

                        // Group the sorted accounts by the domain they belong to, and sort the grouped groups by domain name
                        group ntAccounts by domainName into domainGroups
                        orderby domainGroups.Key
                        select domainGroups;

            foreach (var domainGroups in groups)
            {
                Console.WriteLine("Groups from domain: {0}", domainGroups.Key);

                foreach (var group in domainGroups)
                {
                    Console.WriteLine("    {0}", group.GetAccountName());
                }
            }
        }
    }

    // Returns the part before the backslash (DOMAIN\name), or an empty string if there is none.
    private static string GetDomainName(this NTAccount account)
    {
        string[] split = account.Value.Split('\\');
        return split.Length == 1 ? String.Empty : split[0];
    }

    // Returns the part after the backslash (DOMAIN\name).
    private static string GetAccountName(this NTAccount account)
    {
        string[] split = account.Value.Split('\\');
        return split[split.Length - 1];
    }
}
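
The quoted summary says the full group list requires a P/Invoke to GetTokenInformation, which the code above does not do. The following is an added example, not part of the original answer or the linked article: it reads the TokenGroups information class directly, so deny-only groups and the logon SID appear alongside the groups that WindowsIdentity.Groups returns. The class name TokenGroupDump is hypothetical, and it inspects the current process token via WindowsIdentity.GetCurrent(), as the answer's code does.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class TokenGroupDump
{
    const int TokenGroups = 2;                        // TOKEN_INFORMATION_CLASS.TokenGroups
    const uint SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010;
    const uint SE_GROUP_LOGON_ID = 0xC0000000;

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        IntPtr info, int infoLength, out int returnLength);

    static void Main()
    {
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            int size;
            // First call with an empty buffer only reports the required size.
            GetTokenInformation(identity.Token, TokenGroups, IntPtr.Zero, 0, out size);
            IntPtr buffer = Marshal.AllocHGlobal(size);
            try
            {
                if (!GetTokenInformation(identity.Token, TokenGroups, buffer, size, out size))
                    throw new Win32Exception(); // wraps Marshal.GetLastWin32Error()

                // TOKEN_GROUPS = DWORD GroupCount + pointer-aligned SID_AND_ATTRIBUTES[].
                int count = Marshal.ReadInt32(buffer);
                int entrySize = IntPtr.Size * 2;      // PSID + DWORD, padded to pointer size
                for (int i = 0; i < count; i++)
                {
                    IntPtr entry = IntPtr.Add(buffer, IntPtr.Size + i * entrySize);
                    var sid = new SecurityIdentifier(Marshal.ReadIntPtr(entry));
                    uint attrs = (uint)Marshal.ReadInt32(entry, IntPtr.Size);

                    string name; // some SIDs (e.g. the logon SID) have no account name
                    try { name = sid.Translate(typeof(NTAccount)).Value; }
                    catch (IdentityNotMappedException) { name = "(no account name)"; }

                    string note = (attrs & SE_GROUP_LOGON_ID) == SE_GROUP_LOGON_ID ? "logon SID"
                        : (attrs & SE_GROUP_USE_FOR_DENY_ONLY) != 0 ? "deny-only" : "";
                    Console.WriteLine("{0,-48} {1,-40} 0x{2:X8} {3}", sid.Value, name, attrs, note);
                }
            }
            finally { Marshal.FreeHGlobal(buffer); }
        }
    }
}
```

Groups flagged deny-only only ever match deny entries in an access check, so they should not be treated as memberships that grant access.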

Regarding c# - MVC authentication/authorization with Active Directory in IIS Express, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/22701970/
