特定Windows用户组的Windows身份验证

要提供/限制对特定用户/组的访问，需要在Web.config中进行适当的输入.

To provide/restrict access to specific users/groups, appropriate entries needs to be done in Web.config.

在Windows中，身份验证名称以DomainName\UserName或ComputerName\UserName格式输入.

In Windows authentication names are entered in the format DomainName\UserName or ComputerName\UserName.

在授权规则中列出用户时，需要使用相同的格式.例如，如果您在名为FARIAMAT的计算机上拥有用户帐户john和nolan，则可以使用这些授权规则.注意<allow>元素中的users属性.

You need to use the same format when listing users in the authorization rules. For example, if you have the user accounts john and nolan on a computer named FARIAMAT, you can use these authorization rules. Note the users attribute in <allow> element.

<authorization> 
<deny users="?" /> 
<!-- permit only specific users to have access -->
<allow users="FARIAMAT\john,FARIAMAT\nolan" /> 
<deny users="*" /> 
</authorization>

要允许名为Managers的NT组的所有用户访问您的资源，请使用以下代码.请注意<allow>元素中的roles属性.

To permit all users of an NT Group named Managers to have access to your resources, use the following code. Note the roles attribute in <allow> element.

<configuration>
  <system.web>
    <authorization>
  <!-- Format is:: <allow roles="DomainName\WindowsGroup" /> -->
      <allow roles="domainname\Managers" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

注意:: Windows组用作角色，格式为domainName\windowsGroup.通过使用BUILTIN前缀来引用诸如Administrators之类的组:

NOTE:: Windows groups are used as roles and they take the form domainName\windowsGroup. Groups such as Administrators are referenced by using the BUILTIN prefix as:

<authorization>
  <allow users="DomainName\john, DomainName\nolan" />
  <allow roles="BUILTIN\Administrators, DomainName\Manager" />
  <deny users="*" />
</authorization>