Getting the authenticated user's groups from Active Directory in Node

Problem description:


We were asked to move our NodeJS app to run under IIS (Windows Server 2012R2) and integrate with an existing Active Directory. We were requested to remove the login page, and instead use Windows Authentication to get the (already authenticated) user's ID, and then use the groups he/she belongs to, to control their authorization level within the app.


I've installed iisnode to run my app under IIS, and figured I'll use either passport-windowsauth or node-activedirectory to get the group membership. However, both require a user/password to authenticate the user. My user is already authenticated, and I have no access to his password (nor should I).


How do I go about getting an authenticated user's groups from Active Directory?

Here's what I've done so far:

  1. Installed and configured iisnode
  2. Enabled Windows Authentication for the web app
  3. Added this to web.config: <iisnode promoteServerVars="AUTH_USER,AUTH_TYPE" />
  4. In my index.js file, I can then console.log(req.headers['x-iisnode-auth_user']); and get the correct user name - but I don't know how to proceed from here to getting his/her groups
  5. Under no circumstances do I want to re-ask the user for his/her password


Well, seems like no one is interested in looking at this question :). I'm assuming IIS + Node.js + Active Directory is an edge case. Here's how I ended up solving this one:

  1. Add a special user to the Active Directory that can only be logged into from the IIS machine (bonus: limit the IP/process/access of that user).
  2. Add the AD details, user name, and password to a config.json file (see snippet).
    Make sure you add the file to .gitignore so it won't end up in the repo.
  3. Use node-ActiveDirectory to first sign in as the user from step 1, and then ask for the groups of the logged in user (see snippet).