Get authenticated user's groups from Active Directory in Node

Submitted by 非 Y 不嫁゛ on 2020-05-27 11:54:19

Question


We were asked to move our NodeJS app to run under IIS (Windows Server 2012R2) and integrate with an existing Active Directory. We were requested to remove the login page, and instead use Windows Authentication to get the (already authenticated) user's ID, and then use the groups he/she belongs to, to control their authorization level within the app.

I've installed iisnode to run my app under IIS, and figured I'll use either passport-windowsauth, or node-activedirectory to get the group membership. However, both require user/password to authenticate the user. My user is already authenticated, and I have no access to his password (nor should I).

How do I go about getting an authenticated user's groups from Active Directory?

Here's what I have so far:

  1. Installed and configured iisnode
  2. Enabled Windows Authentication for the web app
  3. Added this to web.config: <iisnode promoteServerVars="AUTH_USER,AUTH_TYPE" />
  4. In my index.js file, I can then console.log(req.headers['x-iisnode-auth_user']); and get the correct user name - but I don't know how to proceed from here to getting his/her groups
  5. Under no circumstances do I want to re-ask the user for his/her password

Answer 1:


Well, seems like no one is interested in looking at this question :). I'm assuming IIS + Node.js + Active Directory is an edge case. Here's how I ended up solving this one:

  1. Add a special user to the Active Directory that can only be logged into from the IIS machine (bonus: limit the IP/process/access of that user).
  2. Add the AD details, user name, and password to config.json file (see snippet).
    Make sure you add the file to .gitignore so it won't end up in repo.
  3. Use node-ActiveDirectory to first sign in as the user from step 1, and then ask for the groups of the logged in user (see snippet).
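
The lookup described in step 3, written out as an added example; it is not part of the original answer or of the node-activedirectory project. It assumes `ad` is an ActiveDirectory client already bound with the service account from config.json, that AUTH_TYPE is promoted under the same x-iisnode- naming as AUTH_USER, and that the group names and role mapping are hypothetical.

```javascript
// Added example: resolve groups for the user IIS has already authenticated.
// `ad` is any client exposing getGroupMembershipForUser(name, cb), the call
// provided by the activedirectory npm package. It is bound with the service
// account from config.json, never with the end user's password.

// Hypothetical group-to-role mapping, most privileged first (first match wins).
const ROLE_BY_GROUP = [['App-Admins', 'admin'], ['App-Users', 'user']];

// AUTH_USER arrives as DOMAIN\user (or user@domain). Return the bare account
// name, or null when the request is anonymous or the value looks malformed.
function accountFromHeaders(headers) {
  const authType = headers['x-iisnode-auth_type'] || ''; // assumed header name
  const raw = headers['x-iisnode-auth_user'] || '';
  if (!authType || !raw) return null; // Windows Authentication did not run
  const name = raw.includes('\\') ? raw.split('\\').pop() : raw.split('@')[0];
  // Conservative allow-list keeps LDAP filter metacharacters out of the lookup.
  return /^[A-Za-z0-9._-]{1,64}$/.test(name) ? name : null;
}

// Promise wrapper around the callback-style group lookup; returns group CNs.
function groupsFor(ad, account) {
  return new Promise((resolve, reject) => {
    ad.getGroupMembershipForUser(account, (err, groups) => {
      if (err) return reject(err);
      resolve((groups || []).map((g) => g.cn));
    });
  });
}

// Map the authenticated user to a role; anything unrecognised gets 'none'.
async function authorize(ad, headers) {
  const account = accountFromHeaders(headers);
  if (!account) return { account: null, role: 'none', groups: [] };
  const groups = await groupsFor(ad, account);
  const hit = ROLE_BY_GROUP.find(([group]) => groups.includes(group));
  return { account, role: hit ? hit[1] : 'none', groups };
}
```

In an Express-style handler this would be called as `authorize(ad, req.headers)`, with a role of 'none' treated as a denial.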


Source: https://stackoverflow.com/questions/36341909/get-authenticated-users-groups-from-active-directory-in-node
