简体繁体 English

IIS 7.5和混合模式身份验证（单点登录）

[英]IIS 7.5 and mixed-mode authentication (single sign on)

原文 2010-10-12 13:04:04 8 2 c#/ iis/ mixed-mode

Has anyone managed to achieve this? 有没有人设法做到这一点？

Application should work like this: 应用程序应该像这样工作：

App admin can add AD users 应用管理员可以添加AD用户
App admin can define users not from AD 应用管理员可以定义非AD用户
If user is added from AD and trying to access to application from same AD - application should log him in automatically (single sign on). 如果从AD添加用户并尝试从同一AD访问应用程序-应用程序应自动将其登录（单次登录）。
If user is not from AD, or not added as application user - application login form is displayed 如果用户不是来自AD或未添加为应用程序用户-将显示应用程序登录表单

Just to mention, I managed to achieve this on IIS6. 仅提及一下，我设法在IIS6上实现了这一点。 I have read several techniques so far with IIS 7 and 7.5 involved, but it seems none of them really works when deployed on production server. 到目前为止，我已经阅读了涉及IIS 7和7.5的几种技术，但是当将它们部署在生产服务器上时，似乎没有一种技术真正起作用。

So far I have 2 separate web applications. 到目前为止，我有2个单独的Web应用程序。 One web application is configured with forms authentication - this one is main. 一个Web应用程序配置有表单身份验证-这是主要的。 Other is configured as windows authentication. 其他配置为Windows身份验证。

So idea is, user tries to acces to main application, this one redirects him to the other application which tries to extract his domain username (NTLM), and redirects him back to main application. 因此，想法是，用户尝试访问主应用程序，该用户将其重定向到另一个尝试提取其域用户名（NTLM）的应用程序，并将其重定向回主应用程序。 Main application tries to log him in as AD user, if this fails forms login is displayed. 主应用程序尝试以AD用户身份登录，如果失败，则会显示表单登录。 If AD user is added as application user (using separate admin module of application), he should be authenticated automatically, meaning no IIS login prompt should be displayed. 如果将AD用户添加为应用程序用户（使用应用程序的单独管理模块），则应自动对其进行身份验证，这意味着不应显示IIS登录提示。

These two applications are running in same application pool. 这两个应用程序在同一应用程序池中运行。 Also they are both in integrated pipeline mode. 而且它们都处于集成管道模式。

This works if I set it up on my development win7 IIS, but when I deploy application on win 2008 server with IIS 7.5 - it's not working. 如果我在开发win7 IIS上进行了设置，则此方法有效，但是当我在具有IIS 7.5的win 2008服务器上部署应用程序时-它无法正常工作。 I keep getting IIS login prompt. 我不断收到IIS登录提示。 If I enter my credentials to IIS login prompt it will eventually log me into application. 如果我在IIS登录提示中输入凭据，它将最终使我登录到应用程序。

Has anyone has similar issue and hopefully solved it? 有没有人有类似的问题，并希望能解决？

2 个解决方案

Please update the question with the info you have provided. 请使用您提供的信息更新问题。

As I understand, these two applications are in the same app pool and I believe you need to separate them into two app pools. 据我了解，这两个应用程序位于同一个应用程序池中，我相信您需要将它们分成两个应用程序池。

Progress update - this authentication works now as expected (I didn't have to split app pools). 进度更新-此身份验证现在可以按预期运行（我不必拆分应用程序池）。 Problem was that on machine accessing application, app server hasto be registered as Local intranet. 问题是在访问应用程序的计算机上，必须将应用程序服务器注册为本地Intranet。 This is a must in order to IE sends credentials to server. 为了使IE向服务器发送凭据，这是必须的。