Asp.net mvc 3 Windows Authentication with Login form
I have already created a form authentication application. I had User table and created a custom membership provider. My user table has relations with other tables such as roles and permissions.
I change that to work using Windows Authentication. It looks easy but I have no clue how to still be able to read permissions from my tables? Some tables are related to User table and require user id, what to do here? Should I break the foreign key?
If a user is accessing the page from LAN, s/he should get logged automatically, but if they accessed the application over internet, I should allow them to login? How to do this? What passwords should they use to login (active directory or my User table)?
I hope I get simple and easy answers.
Regards
If you use Windows authentication, the user is going to be prompted for credentials just to access your site. You won't be able to prevent that. They won't even get to your code until they are authenticated.
We've done similar things using SSO (single sign-on), though I've never tied it to Windows authentication. The idea would be that you have two apps that share user credentials and, if you are logged into one, you are logged into the other. The first app would be your normal application which supports forms-based authentication. The second would be an app that only does Windows authentication and then, upon successful login, redirects to your normal application. Since you're already authenticated, the normal application simply creates its standard authentication cookie and takes you to the main page of the application.
Typically these work by passing a token in the URL which you can then redeem via a back channel to the SSO server (or, in your case, the Windows authentication server) to confirm that the token is authentic. The response to the back channel call contains the user name and other pertinent details if the token is successfully redeemed.
A sketch of the process might look like:
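The token hand-off this answer describes, as an added example (not part of the original answer, and not the sketch it mentions): a store on the Windows-authentication app that issues a random token after login and lets the forms-authentication app redeem it exactly once over the back channel. The class name SsoTokenStore, the 60-second lifetime and the CORP\alice user name are assumptions made for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical token store living in the Windows-authentication app.
// Issue() runs after IIS has authenticated the user; Redeem() backs the
// back-channel endpoint that the forms-authentication app calls.
public sealed class SsoTokenStore
{
    private sealed class Entry { public string UserName; public DateTime ExpiresUtc; }

    private static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(60); // assumed value
    private readonly ConcurrentDictionary<string, Entry> _tokens =
        new ConcurrentDictionary<string, Entry>();

    // windowsUserName is User.Identity.Name from the Windows-authenticated request.
    public string Issue(string windowsUserName)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        // URL-safe base64 so the token can travel in the redirect's query string.
        string token = Convert.ToBase64String(bytes)
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        _tokens[token] = new Entry { UserName = windowsUserName, ExpiresUtc = DateTime.UtcNow + Lifetime };
        return token;
    }

    // Returns the user name once and removes the token; null means the token
    // is unknown, was already redeemed, or has expired.
    public string Redeem(string token)
    {
        Entry entry;
        if (string.IsNullOrEmpty(token) || !_tokens.TryRemove(token, out entry))
            return null;
        return entry.ExpiresUtc >= DateTime.UtcNow ? entry.UserName : null;
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new SsoTokenStore();
        string token = store.Issue(@"CORP\alice");              // constructed user name
        Console.WriteLine(store.Redeem(token) ?? "rejected");   // first redemption
        Console.WriteLine(store.Redeem(token) ?? "rejected");   // replay of the same token
    }
}
```

Because the token travels in a URL, it can end up in browser history and server logs; single use and a short lifetime keep a leaked value from being redeemed later. The redeeming endpoint is assumed to accept calls only from the forms-authentication app.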
In your controllers you can use User.Identity.Name to get the user's AD username. You can then add a field to your users table called ADUSername (or update the values in the existing username field) so that you can link the logged in user to the existing user record in your database.
You don't have to do anything. If the user is accessing it from an external network or any machine that is not on the domain, the browser will pop up a username/password prompt.