堆栈内存溢出
  简体   繁体   English

ASP.Net MVC 3登录和Windows身份验证

[英]ASP.Net MVC 3 Login and Windows Authentication

 原文  2011-12-06 07:58:20       c#/ asp.net/ asp.net-mvc/ asp.net-mvc-3

问题描述

I am working on an ASP.Net MVC 3 application and I am having a User table that stores usernames and their passwords. 我正在开发一个ASP.Net MVC 3应用程序,我有一个用户表来存储用户名和密码。 I have created an additional ADUsername (stores Active Directory's Domain/Username). 我创建了一个额外的ADUsername(存储Active Directory的域/用户名)。

I am trying to do the following: 我正在尝试执行以下操作:

  1. Users running the application from Intranet should not see login page. 从Intranet运行应用程序的用户不应该看到登录页面。 Their Domain/Username should be received automatically and compared against ADUsername field. 应自动接收其域/用户名,并与ADUsername字段进行比较。

  2. Users running the application from internet (out of the local network) or users with no ADUsername value: should see the login screen and they should use my custom Username and Password fields to login. 从Internet(本地网络外)或没有ADUsername值的用户运行应用程序的用户应该看到登录屏幕,他们应该使用我的自定义用户名和密码字段登录。

This was very easy using Visual Studio Development Server and very difficult using IIS :) 使用Visual Studio开发服务器非常容易,使用IIS非常困难:)

As I set my Web.Config to use forms, I am using WindowsIdentity.GetCurrent().Name to get the current ADUsername and then, I lookup my User table to find the user and FormsAuthentication.SetAuthCookie him. 当我将Web.Config设置为使用表单时,我使用WindowsIdentity.GetCurrent()。Name来获取当前的ADUsername然后,我查找我的User表以查找用户和FormsAuthentication.SetAuthCookie他。

Using IIS is always returning APPPOOL\\ASP.NET v4.0 user which is not reflecting the domain/user I needed. 使用IIS总是返回APPPOOL \\ ASP.NET v4.0用户,这不反映我需要的域/用户。

Any Help? 任何帮助?

2 个解决方案

解决方案1
 15 已采纳  2011-12-07 05:36:00

This is not an easy task to accomplish. 这不是一件容易完成的任务。 The Windows identity of your intranet user will only be available to you when Windows Authentication in IIS is enabled, an anonymous authentication disabled. 只有在启用IIS中的Windows身份验证,禁用匿名身份验证时,才能使用Intranet用户的Windows身份。 When the user's browser hits the server, IIS will perform the NTLM challenge/response process to validate the user. 当用户的浏览器命中服务器时,IIS将执行NTLM质询/响应过程以验证用户。 Note that this challenge/response actually occurs on every individual HTTP request, not just once. 请注意,此质询/响应实际上发生在每个单独的HTTP请求上,而不仅仅是一次。

The problem with this mechanism is that your Forms authentication will no longer be used, as it kicks in after Windows authentication runs, and failing to authenticate just triggers an IIS access-denied - not fallback to Forms authentication. 此机制的问题在于,您的Forms身份验证将不再使用,因为它在Windows身份验证运行后启动,并且无法进行身份验证只会触发IIS访问被拒绝 - 而不是回退到Forms身份验证。

To build a hybrid, you will need to: 要构建混合体,您需要:

  1. Set up your main web application to authenticate users with Forms authentication. 设置主Web应用程序以使用Forms身份验证对用户进行身份验证。 Set web.config like this. 像这样设置web.config。 Generate your own machine key - this is key to ensure cookie sharing works 生成您自己的机器密钥 - 这是确保cookie共享工作的关键 

     <authentication mode="Forms"><forms loginUrl="~/Account/LogOn" timeout="2880" path="/" enableCrossAppRedirects="true" name=".ASPXFORMSAUTH" protection="All" /> </authentication> <machineKey validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE" decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F" validation="SHA1" /> <system.webServer> <security> <authentication> <anonymousAuthentication enabled="true"/> <windowsAuthentication enabled="false"/> </authentication> </security></system.webServer>

  2. Create a new, separate web app to use purely for the NTLM authentication. 创建一个新的独立Web应用程序,仅用于NTLM身份验证。 It will authorize then redirect to the main application. 它将授权然后重定向到主应用程序。 Sorry, the two apps can't be combined. 抱歉,这两个应用无法合并。

  3. In NTLM web app, change web.config Authentication mode like below: 在NTLM Web应用程序中,更改web.config身份验证模式,如下所示: 

    <authentication mode="Windows">       
    </authentication>   
    <machineKey validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE"
                decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F" validation="SHA1" />
<system.webServer>
    ....
    <security>
      <authentication>
        <windowsAuthentication enabled="true"/>
        <anonymousAuthentication enabled="false"/>
      </authentication>
      <ipSecurity>
        <!-- put whatever here to restrict to your LAN
        <add ..../>
        -->
      </ipSecurity>
    </security>
  </system.webServer>

  1. In NTLM webapp, the controller does one thing - extract username from (WindowsPrincipal)Thread.CurrentPrincipal(); 在NTLM webapp中,控制器做了一件事 - 从(WindowsPrincipal)Thread.CurrentPrincipal()中提取用户名; and calls FormsAuthentication.SetAuthCookie(..). 并调用FormsAuthentication.SetAuthCookie(..)。 Then redirect to the main web app. 然后重定向到主Web应用程序。 Do not use WindowsIdentity.GetCurrent() as it will not be accurate without impersonation enabled [see msdn.microsoft.com/en-us/library/ff647076.aspx] which you don't want to be using 不要使用WindowsIdentity.GetCurrent(),因为如果没有启用模拟,它将不准确[请参阅msdn.microsoft.com/en-us/library/ff647076.aspx]您不想使用它

  2. You cannot test any of this under Cassini or IIS Express; 您无法在Cassini或IIS Express下测试任何此类内容; you must use IIS 7.5. 您必须使用IIS 7.5。

  3. Goto IIS 7.5 and turn on Feature Delegation for "Authentication - Anonymous" and "Authentication - Windows". 转到IIS 7.5并启用“身份验证 - 匿名”和“身份验证 - Windows”的功能委派。

  4. Create IIS application for your Forms based app 为基于Forms的应用程序创建IIS应用程序

  5. Right click on your newly created Forms app and 'Add Application'. 右键单击新创建的Forms应用程序和“添加应用程序”。 Set path to your NTLM authentication application, and the name to something like "IntranetAuthentication" 设置NTLM身份验证应用程序的路径,并将名称设置为“IntranetAuthentication”

  6. In browser access http://localhost/YourSite for forms authentication, and http://localhost/YourSite/IntranetAuthentication to see NTLM auth then passthru auth working back to main site 在浏览器访问http:// localhost / YourSite进行表单身份验证, http:// localhost / YourSite / IntranetAuthentication查看NTLM auth然后passthru auth返回主站点

At your company, direct intranet users to use the intranet logon. 在您的公司,直接Intranet用户使用Intranet登录。 Externally everyone uses regular forms authentication page. 外部人员使用常规表单身份验证页面。

解决方案2
 3  2011-12-06 08:07:47

如果您使用混合身份验证,为什么不通过上下文获取AD用户? 

  context.Request.ServerVariables["LOGON_USER"]

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 在ASP.NET MVC中使用自定义登录页面进行Intranet Windows身份验证 - intranet windows authentication with with custom login page in ASP.NET MVC Asp.net MVC 3 Windows身份验证与登录表单 - Asp.net mvc 3 Windows Authentication with Login form ASP.NET MVC 和登录身份验证 - ASP.NET MVC and Login Authentication ASP.NET MVC Windows身份验证集成 - ASP.NET MVC windows authentication integration ASP.NET MVC Windows身份验证显示登录提示而不是登录 - ASP.NET MVC Windows Authentication is displaying login prompt instead of logging me in 有没有办法使用 Windows 身份验证注销并以其他用户身份登录? [ASP.NET Core 3.1 MVC] - Is there a way to sign out and login as another user using Windows authentication? [ASP.NET Core 3.1 MVC] ASP.NET MVC Windows身份验证在表单身份验证之上 - ASP.NET MVC Windows authentication on top of forms authentication ASP.NET MVC中的ServiceStack.NET Windows身份验证(NTLM) - ServiceStack.NET Windows Authentication (NTLM) in ASP.NET MVC ASP.Net MVC 5-OWIN身份验证登录重定向显示消息 - ASP.Net MVC 5 - OWIN Authentication login redirect display message 如何自定义ASP.NET MVC登录身份验证? - How to customize ASP.NET MVC Login Authentication?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM