连接到域后无法访问C#,对域用户进行身份验证
[英]Authenticate domain user after connection to domain is inaccessible C#
问题描述
We have an MVC application that validates windows users by instantiating a principalcontext, locally and for domain users. 
我们有一个MVC应用程序,它通过实例化本地用户和域用户的主体上下文来验证Windows用户。 However, this immediately fails when a connection to the domain cannot be made. 但是,当无法建立到域的连接时,此操作立即失败。 Is there a way to leverage the capability of windows to still validate domain credentials when disconnected from the domain? 与域断开连接时,有没有办法利用Windows的功能来仍然验证域凭据?
We see that in SSMS you can also use windows authentication after the server has lost access to the domain. 我们看到,在SSMS中,当服务器失去对域的访问权限后,您还可以使用Windows身份验证。
To be clear, the machine is joined to the domain but does not have access to the domain controller, ie a corporate laptop that is taken home. 需要明确的是,该计算机已加入域,但无权访问域控制器,即带回家的公司笔记本电脑。
Thanks for the help in advance. 我在这里先向您的帮助表示感谢。
1 个解决方案
解决方案1
1 2019-08-15 15:32:55
The answer is in how Kerberos (and I believe NTLM is similar) works in that they use session tickets . 答案在于Kerberos(我相信NTLM是类似的)如何工作,因为它们使用会话票证 。 So once authentication is successful against a domain controller, you have a "ticket" that proves you authenticated. 因此,一旦针对域控制器的身份验证成功,您将获得“票证”以证明您已通过身份验证。 When you authenticate to anything else that requires Windows authentication, the ticket is sent. 当您对其他需要Windows身份验证的身份进行身份验证时,将发送票证。
To take advantage of this, you must use the built-in Windows authentication. 要利用此优势,必须使用内置的Windows身份验证。 You cannot take a username and password and try to authenticate them that way. 您不能使用用户名和密码,并尝试通过这种方式进行身份验证。
If everyone who uses your website can use Windows authentication - then you can enable it for your whole site. 如果使用您网站的每个人都可以使用Windows身份验证-那么您可以在整个网站上启用它。
If you have a mixed audience - some who have a domain account and some that don't - it's a little trickier, but still doable. 如果您的受众群体不一,有些人拥有域名帐户,有些人没有域名帐户,这会有些棘手,但仍然可行。 I've done it. 我做完了 You can look at the OWIN-MixedAuth project. 您可以查看OWIN-MixedAuth项目。 I haven't used that specifically. 我没有专门使用。
That project seems to use a separate button for the Windows authentication. 该项目似乎使用一个单独的按钮进行Windows身份验证。 When I did it, I made it seamless (it tries Windows auth and fails back to a login page). 完成此操作后,我实现了无缝连接(它尝试进行Windows身份验证,并失败回到登录页面)。 I did that by doing an AJAX request in the background to a page that requires Windows authentication, and if it succeeds, just forward on. 我是通过在需要Windows身份验证的页面的后台执行AJAX请求来完成此操作的,如果成功,则继续进行。 If it fails, show the login fields. 如果失败,请显示登录字段。
All that said, I don't know it will work if the server cannot reach the domain. 所有这些,我不知道如果服务器无法访问域,它将无法正常工作。 It will probably work for users who have already authenticated to the site before it lost connection to the domain, or if the site is hosted on the same computer that it is being accessed from. 对于在断开与域的连接之前已经向该站点进行身份验证的用户,或者该站点托管在与其进行访问的同一台计算机上,它可能会起作用。 But it might not work if a user it has never seen before tries to login while there is no access to the domain. 但是,如果在无法访问域的情况下以前从未见过的用户尝试登录,则可能无法正常工作。 You will have to test. 您将必须进行测试。
But the benefit of using Windows authentication anyway is that you can make the login seamless. 但是无论如何,使用Windows身份验证的好处是您可以使登录变得无缝。 As long as the site is in your Trusted Sites (in the Windows Internet Options) then IE and Chrome will automatically send the user's credentials. 只要该站点位于您的“受信任的站点”中(在Windows Internet选项中),IE和Chrome就会自动发送用户的凭据。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.