简体繁体 English

ASP.NET / IIS 安全性（Windows 身份验证）

[英]ASP.NET / IIS Security (Windows Authentication)

原文 2011-06-28 20:34:38 6 3 asp.net/ windows/ security/ authentication/ iis

This will probably turn out to be a doozie.这可能会变成一个doozie。

I'm developing an application in ASP.NET to be put on our company's intranet site.我正在开发 ASP.NET 中的应用程序，以放在我们公司的 Intranet 站点上。 I've been handed a specification in regards to security and have no idea how to do it.我已收到有关安全性的规范，但不知道该怎么做。

First part: The application is to use Windows Authentication.第一部分：应用程序是使用 Windows 身份验证。 This part seems easy enough;这部分似乎很容易； I opened IIS in Administrative Tools, right clicked the node of my website, properties and checked 'Integrate Windows Authentication'.我在管理工具中打开 IIS，右键单击我的网站节点，属性并选中“集成 Windows 身份验证”。 However, I have no idea how I will govern which people have access to my site.但是，我不知道如何管理哪些人可以访问我的网站。 I'm thinking this should be taken care of at the database level.我认为这应该在数据库级别进行处理。 This is Q#1这是Q#1

Second part -- I have to implement a process for the following scenario: User 'Jane' can log in to our network, but does not have rights to my application.第二部分——我必须为以下场景实现一个流程：用户“Jane”可以登录到我们的网络，但对我的应用程序没有权限。 User 'Bob' does have rights to use my application.用户“Bob”确实有权使用我的应用程序。 Bob needs to be able to sit at Jane's computer (under her network account), but be able to enter his credentials into my application and use it (even though Jane is logged into the local machine and network). Bob 需要能够坐在 Jane 的计算机（在她的网络帐户下），但能够将他的凭据输入我的应用程序并使用它（即使 Jane 已登录到本地计算机和网络）。 This is Q#2这是Q#2

Any help, general direction, or advice would be appreciated.任何帮助、一般方向或建议将不胜感激。 The winning lottery numbers would be appreciated even more.中奖彩票号码将更加感激。

Thanks,谢谢，

Jason杰森

3 个解决方案

You're looking for Windows Authentication and Authorization in ASP.NET您正在寻找 ASP.NET 中的 Windows 身份验证和授权

Part 2...you're right, that's tough.第 2 部分...你是对的，这很难。 You'll need to roll your own custom security provider.您需要推出自己的自定义安全提供程序。 You'll have a login page, then check that against Active Directory yourself.您将拥有一个登录页面，然后您自己对照 Active Directory 进行检查。 From MSDN来自MSDN

ASP.NET also supports custom solutions for using Windows authentication, which bypasses IIS authentication. ASP.NET 还支持使用 Windows 身份验证的自定义解决方案，绕过 IIS 身份验证。 For example, you can write a custom ISAPI filter that checks the user's credentials against Active Directory.例如，您可以编写一个自定义 ISAPI 过滤器，根据 Active Directory 检查用户的凭据。 With this approach you must manually create a WindowsPrincipal object.使用这种方法，您必须手动创建一个 WindowsPrincipal object。

You've got requirements around authentication and authorization here.您在这里有关于身份验证和授权的要求。

Authentication : The act of confirming identity Authentication : 确认身份的行为
Authorization : The act of correlating an identity to a privilege (eg Read/Write/Delete)授权：将身份与特权相关联的行为（例如读/写/删除）

Windows Authentication is useful if you want "auto-signon" capability. Windows 如果您想要“自动登录”功能，身份验证很有用。 The site will "know" the user by ID without them having to sign in.该站点将通过 ID“了解”用户，而无需登录。

The need for users to login from multiple locations means that you must implement a login page.用户需要从多个位置登录意味着您必须实现登录页面。 This would fulfill your requirement in which one user may sit at another's workstation and log in.这将满足您的要求，即一个用户可以坐在另一个工作站上并登录。

You will want to authenticate users against the Windows domain.您需要根据 Windows 域对用户进行身份验证。 This can be done with a custom membership provider.这可以通过自定义成员资格提供程序来完成。 Here's a walkthrough:这是一个演练：

http://msdn.microsoft.com/en-us/library/ms180890(v=vs.80).aspx http://msdn.microsoft.com/en-us/library/ms180890(v=vs.80).aspx

This will allow you to present a login page that will authenticate users with their domain username and password.这将允许您显示一个登录页面，该页面将使用其域用户名和密码对用户进行身份验证。 This will authenticate users- the identity of the user will be stored in the HttpContext.User .这将对用户进行身份验证——用户的身份将存储在HttpContext.User中。 You can then also maintain a user list in a database to store authorization data.然后，您还可以在数据库中维护用户列表以存储授权数据。