Question
In this ASP.NET MVC 3 intranet application (created using MVC 3 Intranet Application template), where users are authenticated automatically against AD, I'm trying to restrict access to a controller to users in the local Administrators group. In order to achieve this, I've tried to apply AuthorizeAttribute like so:
[Authorize(Roles = "Administrators")]
public class ElmahController : Controller
However, even though my AD user (the application reports the expected user has been authenticated) is in the local Administrators group, I cannot gain access to the controller when AuthorizeAttribute is applied. Only a blank page comes up. What am I doing wrong?
On the other hand, I've verified that specifying my particular user works:
[Authorize(Users = @"ad\arve")]
public class ElmahController : Controller
In this case, I can retrieve the restricted page successfully.
EDIT:
I found that qualifying the group with BUILTIN worked:
[Authorize(Roles = @"BUILTIN\Administrators")]
Is this the definitive way of referring to local groups via AuthorizeAttribute though?
Answer 1:
Follow my tutorial, How to Create an Intranet Site Using ASP.NET MVC. You need to use the built-in AspNetWindowsTokenRoleProvider class, which uses Windows groups as roles.
[Authorize(Roles = @"BUILTIN\Administrators")]
Will only work if you are an admin on the IIS server. If you deploy your application to a production server for your company, you will need to be made a local admin on the production server.
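An added example, not part of the original question or answers: the name string BUILTIN\Administrators is localized on non-English Windows installations, so a check against the group's well-known SID (S-1-5-32-544) is more portable than a role name. The attribute name AuthorizeLocalAdministratorsAttribute and the Index action are hypothetical; the sketch assumes Windows authentication is enabled for the site.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute (not part of ASP.NET MVC): authorizes only members
// of the local Administrators group on the server hosting the application.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class AuthorizeLocalAdministratorsAttribute : AuthorizeAttribute
{
    // Well-known SID S-1-5-32-544; identical on every Windows machine,
    // whatever the display language of the group name.
    private static readonly SecurityIdentifier LocalAdministrators =
        new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
            throw new ArgumentNullException("httpContext");

        // With a role provider enabled, User may be a RolePrincipal, so take
        // the WindowsIdentity from it rather than casting the principal.
        WindowsIdentity identity = httpContext.User == null
            ? null
            : httpContext.User.Identity as WindowsIdentity;

        // Fail closed: anonymous or non-Windows identities are denied.
        if (identity == null || !identity.IsAuthenticated)
            return false;

        // Membership is evaluated against the groups in the user's token.
        return new WindowsPrincipal(identity).IsInRole(LocalAdministrators);
    }
}

[AuthorizeLocalAdministrators]
public class ElmahController : Controller
{
    // Hypothetical action, present only to make the controller complete.
    public ActionResult Index()
    {
        return View();
    }
}
```

As with the role-name form, this grants access only to accounts that are local administrators on the machine running IIS.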
Answer 2:
You can use a custom AD authorization attribute to place above each action or controller. I have done this before and did something very similar to the link below. This works if you are using forms authentication and not Windows.
Active Directory Authorization based on Groups
Source: https://stackoverflow.com/questions/8645846/how-do-i-make-authorizeattribute-work-with-local-administrators-group-in-asp-net