我有一个asp.net5项目设置来使用Windows身份验证。当我设置一个断点并查看用户时,我发现有一个包含Group SID的Claims数组。如何从索赔中获取实际的组名?
我正在尝试使用他们所属的活动目录组限制登录用户的窗口,并且我正在努力设置它。
问题: 如何查看登录用户所属的活动目录组? 如何将GroupSID转换为组名? 我是否需要在startup.cs中包含任何内容以限制某些组进行REST服务调用?
我看到了根据登录用户手动设置声明的示例。我有兴趣使用Windows身份验证用户及其组限制访问。
由于
答案 0 :(得分:20)
您实际上仍然可以使用以下内容获取组名称:
var test = new System.Security.Principal.SecurityIdentifier("S-1-5-21-3290390516-4063083420-3538132138-1146").Translate(typeof(System.Security.Principal.NTAccount)).ToString();
例如:
var roles = ((ClaimsIdentity)_context.User.Identity).Claims.Where(q => q.Type == ClaimTypes.GroupSid).Select(q => q.Value);
_logger.LogInformation($"Got {roles.Count()} roles");
foreach (var role in roles)
{
var name = new System.Security.Principal.SecurityIdentifier(role).Translate(typeof(System.Security.Principal.NTAccount)).ToString();
_logger.LogInformation($"Got role {name}");
}
输出:
(namespace).Authorization.Handlers.SiteHandler: Information: Got 18 roles
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\Domain Users
(namespace).Authorization.Handlers.SiteHandler: Information: Got role Everyone
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted) Backend
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted) Dashboards
(namespace).Authorization.Handlers.SiteHandler: Information: Got role BUILTIN\Performance Log Users
(namespace).Authorization.Handlers.SiteHandler: Information: Got role BUILTIN\Users
(namespace).Authorization.Handlers.SiteHandler: Information: Got role NT AUTHORITY\INTERACTIVE
(namespace).Authorization.Handlers.SiteHandler: Information: Got role CONSOLE LOGON
(namespace).Authorization.Handlers.SiteHandler: Information: Got role NT AUTHORITY\Authenticated Users
(namespace).Authorization.Handlers.SiteHandler: Information: Got role NT AUTHORITY\This Organization
(namespace).Authorization.Handlers.SiteHandler: Information: Got role LOCAL
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\jira-users
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\jira-developers
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted)_PDMS_DE_ALL
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted)_PDMS_BE_ALL
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted)Developers
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted)_TEST
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted)_PDMS_DB_ALL
注意,填充域角色可能需要一两秒钟。
答案 1 :(得分:6)
你不是。不幸的是,这不是Windows身份验证的工作方式。您只能检查用户是否在某个角色中(并且有一个策略要求),而不是枚举他们所处的角色 - 这需要目录服务并且尚未移植到核心。
(有一点需要注意的是,对于Windows身份,错误,User.IsInRole()现在已被破坏。这将在RC2中修复)
答案 2 :(得分:4)
另一种选择(类似于@ JosephGarrone的解决方案):
private string[] GetGroups1()
{
var groups = new List<string>();
var wi = (WindowsIdentity)User.Identity;
if (wi.Groups != null)
foreach (var group in wi.Groups)
{
try
{
groups.Add(group.Translate(typeof(NTAccount)).ToString());
} catch (Exception) {
// ignored
}
}
groups.Sort(); // optional
return groups.ToArray();
}
答案 3 :(得分:1)
由于我没有足够的代表来添加评论,因此仅添加答案以帮助澄清最受好评的答案中的某些内容。
该答案不会打印出实际的广告组名称。在foreach循环中将role替换为name将打印出AD组的名称。
var roles = ((ClaimsIdentity)_context.User.Identity).Claims.Where(q => q.Type == ClaimTypes.GroupSid).Select(q => q.Value);
_logger.LogInformation($"Got {roles.Count()} roles");
foreach (var role in roles)
{
var name = new System.Security.Principal.SecurityIdentifier(role).Translate(typeof(System.Security.Principal.NTAccount)).ToString();
_logger.LogInformation($"Got role {name}");
}