AspNet5 - Windows身份验证从声明获取组名

问题描述 投票:10回答:4

我有一个asp.net5项目设置来使用Windows身份验证。当我设置一个断点并查看用户时,我看到有一个包含Group SID的Claims数组。如何从索赔中获取实际的组名?

我试图限制用户使用他们所属的活动目录组登录的窗口,并且我正在努力设置它。

问题:如何查看登录用户所属的活动目录组?如何将GroupSID转换为组名?我是否需要在startup.cs中包含任何内容以限制某些组进行REST服务调用?

我看到了根据登录用户手动设置声明的示例。我有兴趣使用Windows身份验证用户及其组限制访问。

谢谢

asp.net-core asp.net-core-mvc
4个回答
6
投票

你没有。不幸的是,这不是Windows身份验证的工作方式。您只能检查用户是否在角色中(并且有一个策略要求),而不是枚举他们所处的角色 - 这需要目录服务并且尚未移植到核心。

(需要注意的一点是,对于Windows身份,错误,User.IsInRole()现在已被破坏。这将在RC2中修复)


20
投票

您实际上仍然可以使用以下方法获取组名:

var test = new System.Security.Principal.SecurityIdentifier("S-1-5-21-3290390516-4063083420-3538132138-1146").Translate(typeof(System.Security.Principal.NTAccount)).ToString();

例如:

var roles = ((ClaimsIdentity)_context.User.Identity).Claims.Where(q => q.Type == ClaimTypes.GroupSid).Select(q => q.Value);

_logger.LogInformation($"Got {roles.Count()} roles");

foreach (var role in roles)
{
    var name = new System.Security.Principal.SecurityIdentifier(role).Translate(typeof(System.Security.Principal.NTAccount)).ToString();
    _logger.LogInformation($"Got role {name}");
}

输出:

(namespace).Authorization.Handlers.SiteHandler: Information: Got 18 roles
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\Domain Users
(namespace).Authorization.Handlers.SiteHandler: Information: Got role Everyone
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted) Backend
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted) Dashboards
(namespace).Authorization.Handlers.SiteHandler: Information: Got role BUILTIN\Performance Log Users
(namespace).Authorization.Handlers.SiteHandler: Information: Got role BUILTIN\Users
(namespace).Authorization.Handlers.SiteHandler: Information: Got role NT AUTHORITY\INTERACTIVE
(namespace).Authorization.Handlers.SiteHandler: Information: Got role CONSOLE LOGON
(namespace).Authorization.Handlers.SiteHandler: Information: Got role NT AUTHORITY\Authenticated Users
(namespace).Authorization.Handlers.SiteHandler: Information: Got role NT AUTHORITY\This Organization
(namespace).Authorization.Handlers.SiteHandler: Information: Got role LOCAL
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\jira-users
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\jira-developers
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted)_PDMS_DE_ALL
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted)_PDMS_BE_ALL
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted)Developers
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted)_TEST
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted)_PDMS_DB_ALL

请注意,填充域角色可能需要一两秒钟。


4
投票

另一种选择(类似于@ JosephGarrone的解决方案):

private string[] GetGroups1()
{
    var groups = new List<string>();

    var wi = (WindowsIdentity)User.Identity;
    if (wi.Groups != null)
    foreach (var group in wi.Groups)
    {
        try
        {                                
            groups.Add(group.Translate(typeof(NTAccount)).ToString());
        } catch (Exception) {
        // ignored
        }
    }

    groups.Sort(); // optional
    return groups.ToArray();
}

1
投票

只添加一个答案,以帮助澄清最受欢迎的答案中的内容,因为我没有足够的代表来添加评论。

该答案不会打印出实际的AD组名称。在foreach循环中用role替换name将打印出AD组的名称。

var roles = ((ClaimsIdentity)_context.User.Identity).Claims.Where(q => q.Type == ClaimTypes.GroupSid).Select(q => q.Value);

_logger.LogInformation($"Got {roles.Count()} roles");

foreach (var role in roles)
{
    var name = new System.Security.Principal.SecurityIdentifier(role).Translate(typeof(System.Security.Principal.NTAccount)).ToString();
    _logger.LogInformation($"Got role {name}");
} 
热门问题
推荐问题
最新问题