How to create admin roles in Active Directory and restrict pages in my application

我的未来我决定 submitted on 2019-12-11 18:05:30

Question


In my application using Windows Authentication, I have been manually creating user roles/membership stored in SQL (System.Web.Security.SqlRoleProvider enabled in web.config).

    <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="connMembership" applicationName="/" />

But now, as I am releasing the application, I need to change to using the company's Active Directory groups

    <add name="AspNetActiveDirectoryMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ADService" attributeMapUsername="sAMAccountName" />

AND

    <add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />

I have two questions (sorry I am really new to all this!)

1) Using ActiveDirectoryMembershipProvider and WindowsTokenRoleProvider now in my web.config, how do I restrict user access to different pages of the app? (i.e. is using Roles.IsUserInRole(username, "ADGroupName") the only way?)

2) How do I create an "admin" kind of role using Active Directory? I am asking because before (when still using SqlRoleProvider) I was able to create for myself an Admin group to add myself to in SQL which has access to all pages/functionalities

i.e. Roles.AddUserToRole(userName, "Admin").

But now since I am part of a restricted AD group, I don't know how to override with some form of Admin security group to add myself to.

Would really appreciate your advice!!

Thanks!


Answer 1:


This is to answer your question of whether there is another way to put restrictions on page access: yes, you can, from the Web.config.

In the Web.Config file, you may add the following for each page:

<authentication mode="Windows" />

<location path="MyPage1.aspx">
    <system.web>
      <authorization>
        <allow roles="ActiveDirectoryRoleName" />
        <allow users="DOMAIN\USER1, DOMAIN\USER2" />
        <deny users="*" />
      </authorization>
    </system.web>
</location>

Or if you want to put the restriction globally for the website, then:

<authentication mode="Windows" />

<authorization>
    <allow roles="ActiveDirectoryRoleName" />
    <allow users="DOMAIN\USER1, DOMAIN\USER2" />
    <deny users="*" />
</authorization>
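
The following is an added example, not part of the original answer: a fuller web.config that restricts the whole site to two AD groups and an `Admin` folder to an admin group only, with notes on rule order. The group names `CONTOSO\AppAdmins` and `CONTOSO\AppUsers`, the `Admin` folder and `Reports.aspx` are placeholders; with WindowsTokenRoleProvider a role name is the Windows group in `DOMAIN\GroupName` form.

```xml
<!-- Added example. CONTOSO\AppAdmins, CONTOSO\AppUsers, Admin and
     Reports.aspx are placeholders for your own groups and paths. -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
      <providers>
        <clear />
        <add name="AspNetWindowsTokenRoleProvider"
             type="System.Web.Security.WindowsTokenRoleProvider"
             applicationName="/" />
      </providers>
    </roleManager>

    <!-- Site-wide rules. They are read top to bottom and the first
         rule that matches the user decides the outcome. -->
    <authorization>
      <allow roles="CONTOSO\AppAdmins" />
      <allow roles="CONTOSO\AppUsers" />
      <!-- Without this closing deny, the inherited default rule
           (allow users="*") would admit every authenticated user. -->
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- Admin-only area. Rules in a location element are evaluated
       before the site-wide rules above, so AppUsers are stopped here. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="CONTOSO\AppAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Wrong order, shown inside a comment so it is not active:
       the deny matches every user first, the allow is never reached,
       and admins are locked out as well.
  <location path="Reports.aspx">
    <system.web>
      <authorization>
        <deny users="*" />
        <allow roles="CONTOSO\AppAdmins" />
      </authorization>
    </system.web>
  </location>
  -->
</configuration>
```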


Source: https://stackoverflow.com/questions/12559457/how-to-create-admin-roles-in-active-directory-and-restrict-pages-in-my-applicati
