简体繁体 English

.NET OWIN身份验证 - Cookie + Windows（活动目录）

[英].NET OWIN Authentication - Cookie + Windows (active directory)

原文 2015-03-26 10:09:43 1 2 c#/ asp.net/ authentication/ active-directory/ owin

I'm currently working on a project which has an authentication requirement which is causing me some problems and I'd like some guidance on the best way to achieve it. 我目前正在开发一个具有身份验证要求的项目，这会导致我遇到一些问题，并且我希望获得有关实现它的最佳方法的一些指导。

I have an internet C# MVC 5 project which currently has OWIN cookie authentication in place for external users. 我有一个互联网C＃MVC 5项目，目前为外部用户提供OWIN cookie认证。 We now need to allow internal users to be able to access the application through Active Directory. 我们现在需要允许内部用户通过Active Directory访问应用程序。 Basically, an internal user would log in to their Windows computer, navigate to the website and they'll be signed in. 基本上，内部用户将登录到他们的Windows计算机，导航到该网站，他们将登录。

I don't have any experience of doing AD authentication, so it's a bit of a black hole at the moment. 我没有任何做AD身份验证的经验，所以现在它有点像黑洞。

I'm assuming, using OWIN, I need to create a new authentication middleware that can run before my cookie authentication. 我假设，使用OWIN，我需要创建一个新的身份验证中间件，可以在我的cookie身份验证之前运行。

However, I'm not sure where to start with setting this AD middleware up, or whether there is an existing one I can use. 但是，我不知道从哪里开始设置这个AD中间件，或者是否存在我可以使用的现有设备。

I've tried searching around but can't seem to find much information on doing AD authentication through OWIN, there's just a lot about Azure AD. 我已经尝试过搜索但似乎无法通过OWIN找到有关进行AD身份验证的更多信息，其中有很多关于Azure AD的信息。

I did come across this one https://github.com/MohammadYounes/OWIN-MixedAuth , but running locally, it's using Windows basic authentication, perhaps this can be adjusted for my purposes? 我确实遇到过这一个https://github.com/MohammadYounes/OWIN-MixedAuth ，但是在本地运行，它使用的是Windows基本身份验证，也许这可以根据我的目的进行调整？

Could someone offer some advice on how to achieve this? 有人可以提供一些如何实现这一目标的建议吗？

Thank you! 谢谢！

2 个解决方案

I was facing the same problem not-so-long ago, and went the route to use NTLM authentication (which boils down to what you want, intranet users will be "signed-in" automatically) while keeping full application accounts (ASP:NET Identity 2.0), you may want to check my OWIN NTML authentication middleware: 我不是很久以前面临同样的问题，并且使用NTLM身份验证（可归结为您想要的内容，内网用户将自动“登录”），同时保留完整的应用程序帐户（ASP：NET） Identity 2.0），您可能想检查我的OWIN NTML身份验证中间件：

https://github.com/pysco68/Pysco68.Owin.Authentication.Ntlm https://github.com/pysco68/Pysco68.Owin.Authentication.Ntlm

You will need to add a route to you "accounts controller" to handle the sign-in with NTLM and the creation of a local application account (if required). 您需要向“帐户控制器”添加路由以处理使用NTLM的登录以及创建本地应用程序帐户（如果需要）。 As a comfort-feature you could add an automatic redirect to that sign-in route for users from your intranet. 作为一种舒适功能，您可以为Intranet中的用户添加自动重定向到该登录路由。

I hope this helps. 我希望这有帮助。

The link you came across is using Integrated Windows authentication NOT basic authentication . 您遇到的链接是使用Integrated Windows authentication NOT basic authentication 。

I think your situation is similar to this one . 我认为你的情况与此类似。 The same can be achieved using OWIN-MixedAuth as per this comment . 根据此评论，使用OWIN-MixedAuth可以实现相同的目的。