IIS 重写模块 Windows 认证
[英]IIS Rewrite Module Windows Authentication
问题描述
I have two asp.net web applications.
我有两个 asp.net web 应用程序。 One of the applications is main mvc web app and the second is web app acting as reverse proxy containing only one file - web.config.其中一个应用程序是主 mvc web 应用程序,第二个是 web 应用程序充当反向代理,仅包含一个文件 - web.config。 Reverse proxy doesn't have any authentication mode enabled but main app has windows authentication.反向代理未启用任何身份验证模式,但主应用程序具有 windows 身份验证。 When accessing app through reverse proxy, in browser appears popup asking for windows credentials.通过反向代理访问应用程序时,浏览器中会出现弹出窗口,询问 windows 凭据。 Is it possible to somehow pass one domain user through all reverse proxy requests?是否可以通过所有反向代理请求以某种方式传递一个域用户? When reverse proxy redirect request it adds custom headers.当反向代理重定向请求时,它会添加自定义标头。 Is it possible to pass user from iis pool or somehow hard coded so all reverse proxy request can pass through windows auth to main app and then user can authenticate through normal login page?是否可以将用户从 iis 池传递或以某种方式硬编码,以便所有反向代理请求都可以通过 windows 身份验证传递到主应用程序,然后用户可以通过正常登录页面进行身份验证? The goal is access main app through reverse proxy without entering windows credentials.目标是通过反向代理访问主应用程序,而无需输入 windows 凭据。 Disabling windows auth on main app is not possible.无法在主应用程序上禁用 windows 身份验证。 Thanks for answers.感谢您的回答。
Reverse proxy web.config反向代理 web.config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="ReverseProxyInboundRule1" stopProcessing="true">
<match url="(.*)"/>
<action type="Rewrite" url="https://main-app.com/{R:1}"/>
<serverVariables>
<set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}"/>
<set name="HTTP_ACCEPT_ENCODING" value=""/>
<set name="HTTP_CUSTOM_ZEW_HEADER" value="True"/>
</serverVariables>
</rule>
</rules>
<outboundRules>
<rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
<match filterByTags="A, Form, Img" pattern="^http(s)?://main-app.com/(.*)"/>
<action type="Rewrite" value="http{R:1}://main-app.com/{R:2}"/>
</rule>
<rule name="RestoreAcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
<match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)"/>
<action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}"/>
</rule>
<preConditions>
<preCondition name="ResponseIsHtml1">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html"/>
</preCondition>
<preCondition name="NeedsRestoringAcceptEncoding">
<add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+"/>
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
</system.webServer>
1 个解决方案
解决方案1
1 已采纳 2020-08-14 02:45:27
It is not possible to forward the REMOTE_USER header because when the Authorization header is present, the request is forwarded before the authentication module runs, and therefore auth server variables are not set (when mapped to headers they simply come through blank).无法转发REMOTE_USER header 因为当授权 header 存在时,请求在身份验证模块运行之前被转发,因此未设置身份验证服务器变量(当映射到标头时,它们只是通过空白出现)。
You could use the custom HTTP module which sends the authenticated user custom header.您可以使用自定义 HTTP 模块,该模块发送经过身份验证的用户自定义 header。
another way is you could set SPN:另一种方法是您可以设置 SPN:
https://docs.microsoft.com/en-us/archive/blogs/benjaminperkins/configure-application-request-routing-with-windows-authentication-kerberos https://docs.microsoft.com/en-us/archive/blogs/benjaminperkins/configure-application-request-routing-with-windows-authentication-kerberos
https://docs.microsoft.com/en-us/archive/blogs/asiatech/a-quick-solution-when-windows-authentication-is-required-on-backend-web-server-for-arr-scenario https://docs.microsoft.com/en-us/archive/blogs/asiatech/a-quick-solution-when-windows-authentication-is-required-on-backend-web-server-for-arr-scenario
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.