我正在使用 Active Directory 对 Intranet 站点的用户进行身份验证。我想根据用户在 Active Directory 中所在的组来优化经过身份验证的用户。有人可以向我展示或指导我如何在 ASP.NET 4.0 (VB) 中查找用户所在的组吗?
我意识到这篇文章已经很旧了,但我想我可以用我正在使用的流程来更新它。 (ASP.Net 4.0、VB)
如果在域上使用集成 Windows 安全性。
Page.User.IsInRole("domain\GroupName")如果您想检查除经过身份验证的用户之外的其他用户组成员身份。
检查具有相同用户主体的多个组的两个阶段:
Dim MyPrincipal As New System.Security.Principal.WindowsPrincipal _
(New System.Security.Principal.WindowsIdentity("UserID"))
Dim blnValid1 As Boolean = MyPrincipal.IsInRole("domain\GroupName")
单个团体签到的单一阶段:
Dim blnValid2 As Boolean = New System.Security.Principal.WindowsPrincipal _
(New System.Security.Principal.WindowsIdentity("userID")).IsInRole("domain\GroupName")
注意:: IsInRole 方法确实适用于嵌套组。如果您有一个顶级组,其中有一个作为成员的子组,并且该用户是该子组的成员。
我认为我有终极功能来获取用户的所有 AD 组,包括嵌套组,而无需显式递归:
导入 System.Security.Principal
Private Function GetGroups(userName As String) As List(Of String)
Dim result As New List(Of String)
Dim wi As WindowsIdentity = New WindowsIdentity(userName)
For Each group As IdentityReference In wi.Groups
Try
result.Add(group.Translate(GetType(NTAccount)).ToString())
Catch ex As Exception
End Try
Next
result.Sort()
Return result
End Function
所以只需使用 GetGroups("userID")。由于此方法使用用户的 SID,因此不会执行显式 LDAP 调用。如果您使用自己的用户名,它将使用缓存的凭据,因此此功能非常快。
Try Catch 是必要的,因为在大公司中,AD 太大,以至于一些 SID 会迷失在空间中。
对于那些可能感兴趣的人,这就是我最终编码的方式:
Dim ID As FormsIdentity = DirectCast(User.Identity, FormsIdentity)
Dim ticket As FormsAuthenticationTicket = ID.Ticket
Dim adTicketID As String = ticket.Name
Dim adSearch As New DirectorySearcher
adSearch.Filter = ("(userPrincipalName=" & adTicketID & ")")
Dim adResults = adSearch.FindOne.Path
Dim adResultsDirectory As New DirectoryEntry(adResults)
Dim found As Boolean = False
For Each entry In adResultsDirectory.Properties("memberOf")
Response.Write(entry)
Response.Write("<br/>")
If entry = "CN=GroupName,CN=UserGroup,DC=my,DC=domain,DC=com" Then
found = True
End If
Next
If Not (found) Then
Response.Redirect("login.aspx")
End If
我在这里找到了这个。
''' <summary>
''' Function to return all the groups the user is a member od
''' </summary>
''' <param name="_path">Path to bind to the AD</param>
''' <param name="username">Username of the user</param>
''' <param name="password">password of the user</param>
Private Function GetGroups(ByVal _path As String, ByVal username As String, _
ByVal password As String) As Collection
Dim Groups As New Collection
Dim dirEntry As New _
System.DirectoryServices.DirectoryEntry(_path, username, password)
Dim dirSearcher As New DirectorySearcher(dirEntry)
dirSearcher.Filter = String.Format("(sAMAccountName={0}))", username)
dirSearcher.PropertiesToLoad.Add("memberOf")
Dim propCount As Integer
Try
Dim dirSearchResults As SearchResult = dirSearcher.FindOne()
propCount = dirSearchResults.Properties("memberOf").Count
Dim dn As String
Dim equalsIndex As String
Dim commaIndex As String
For i As Integer = 0 To propCount - 1
dn = dirSearchResults.Properties("memberOf")(i)
equalsIndex = dn.IndexOf("=", 1)
commaIndex = dn.IndexOf(",", 1)
If equalsIndex = -1 Then
Return Nothing
End If
If Not Groups.Contains(dn.Substring((equalsIndex + 1), _
(commaIndex - equalsIndex) - 1)) Then
Groups.Add(dn.Substring((equalsIndex + 1), & _
(commaIndex - equalsIndex) - 1))
End If
Next
Catch ex As Exception
If ex.GetType Is GetType(System.NullReferenceException) Then
MessageBox.Show("Selected user isn't a member of any groups " & _
"at this time.", "No groups listed", _
MessageBoxButtons.OK, MessageBoxIcon.Error)
'they are still a good user just does not
'have a "memberOf" attribute so it errors out.
'code to do something else here if you want
Else
MessageBox.Show(ex.Message.ToString, "Search Error", & _
MessageBoxButtons.OK, MessageBoxIcon.Error)
End If
End Try
Return Groups
End Function
End Class
要检查用户是否是某个组(包括子组)的成员,只需使用:
Public Function IsInGroup(objectName As String, groupName As String) As Boolean
Try
return New WindowsPrincipal(New WindowsIdentity(objectName)).IsInRole(groupName)
Catch ex As Exception
End Try
Return False
End Function