
ASP.NET MVC and WCF authentication/authorization against Active Directory with profiles in SQL Server

I have an intranet application, which can also be accessed from the internet by clients. What I need to do is provide users that access it from the internet with a login form to enter credentials and validate them against AD. Users that access this app from the intranet should be logged in automatically.

As far as I know, I can't mix two authentication types in ASP.NET projects. So I need to use FormsAuthentication with ActiveDirectoryMembershipProvider to authenticate users. But what about profiles? I need to select profiles based on the user's group (i.e., if it's a manager, load the profile from the managers table; if it's a customer, from the customers table).

The second problem is that I need to use the authenticated person's credentials to access WCF services, and determine what they can/can't do based on their group membership.

Is using FormsAuthentication the correct way to do this, or do I need to look somewhere else?

I use the EF code-first approach to create the database. Services are implemented as WCF services. The app itself is an ASP.NET MVC site. But in the far, far future I will need a WP7 client.

We had a set of similar requirements, and the way that we approached it was to implement the authentication and profile management ourselves and, once a user was authenticated, use FormsAuthentication for site security.

For scenarios where the user name and password are provided (login form, WCF client), you can call the LogonUser method. Once the user is authenticated, you can use their authenticated user name in FormsAuthentication.

The scenario where the user should automatically be signed on will be slightly more complicated, because you will have to have anonymous authentication available on the main site in order to support manual logins.

The way that we resolved this was to add a separate web application as a subdirectory of the main application and configure this sub-application to only support Windows authentication. When this portal is hit by internal users, we pick up their AD login from Request.ServerVariables("logon_user"), encrypt it with a token that is good for 5 seconds, then Response.Redirect the user to the main application with the encrypted network login in the query string.

If the main application sees this parameter in the query string, it decrypts it, validates that it is within the allowable timespan, then uses this credential to log the user on using FormsAuthentication (it may sound like a lot, but the description actually takes up more space than the code).

Hopefully this will give you some ideas.
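The handoff described in the answer above (Windows-authenticated sub-application issues a short-lived token, main application redeems it and issues the Forms ticket), written out as an added example; this is not the answerer's code. It assumes ASP.NET 4.5 or later so that `MachineKey.Protect`/`MachineKey.Unprotect` are available, an identical `<machineKey>` element in both applications' web.config so the main application can unprotect what the sub-application protected, and that anonymous authentication is disabled on the sub-application (otherwise `LOGON_USER` is empty and must not be trusted). The names `HandoffToken`, `SsoPortalHandler`, `AccountController.Handoff` and the `/Account/Handoff` route are hypothetical. Beyond the answer's description it adds two checks a practitioner would want: the token is authenticated as well as encrypted, so the login name inside it cannot be altered without failing `Unprotect`, and a random nonce is remembered for the 5-second window so the same URL cannot be replayed from a proxy log or browser history before it expires.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Shared by both applications (e.g. a common assembly). Hypothetical name.
public static class HandoffToken
{
    // The purpose string ties the blob to this one use: a blob protected for
    // some other feature under the same machineKey will not unprotect here.
    private const string Purpose = "AdToFormsHandoff.v1";
    private static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(5);

    // Sub-application side: package DOMAIN\user + UTC timestamp + random nonce
    // and protect it (AES + HMAC under the shared <machineKey>).
    public static string Create(string logonUser)
    {
        if (string.IsNullOrWhiteSpace(logonUser))
            throw new ArgumentException("LOGON_USER is empty; Windows authentication did not run.");

        var nonce = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(nonce);

        string payload = string.Join("|",
            logonUser,
            DateTime.UtcNow.Ticks.ToString(),
            Convert.ToBase64String(nonce));

        byte[] protectedBytes = MachineKey.Protect(Encoding.UTF8.GetBytes(payload), Purpose);
        return HttpServerUtility.UrlTokenEncode(protectedBytes);   // URL-safe base64, no further encoding needed
    }

    // Main-application side: returns the login name, or null if the token is
    // forged, tampered with, outside the 5 s window, or already redeemed.
    public static string Validate(string token, ConcurrentDictionary<string, DateTime> seenNonces)
    {
        byte[] protectedBytes;
        try { protectedBytes = HttpServerUtility.UrlTokenDecode(token ?? string.Empty); }
        catch (FormatException) { return null; }
        if (protectedBytes == null || protectedBytes.Length == 0) return null;

        byte[] plain;
        try { plain = MachineKey.Unprotect(protectedBytes, Purpose); }
        catch (CryptographicException) { return null; }   // wrong key, wrong purpose, or tampered
        if (plain == null) return null;

        string[] parts = Encoding.UTF8.GetString(plain).Split('|');
        if (parts.Length != 3) return null;

        long ticks;
        if (!long.TryParse(parts[1], out ticks)) return null;
        TimeSpan age = DateTime.UtcNow - new DateTime(ticks, DateTimeKind.Utc);
        if (age < TimeSpan.Zero || age > Lifetime) return null;   // expired or clock skew beyond the window

        // Replay check: a nonce may be redeemed once inside its lifetime.
        PurgeExpired(seenNonces);
        if (!seenNonces.TryAdd(parts[2], DateTime.UtcNow)) return null;

        return parts[0];
    }

    private static void PurgeExpired(ConcurrentDictionary<string, DateTime> seen)
    {
        foreach (var kv in seen)
        {
            DateTime ignored;
            if (DateTime.UtcNow - kv.Value > Lifetime) seen.TryRemove(kv.Key, out ignored);
        }
    }
}

// Sub-application (Windows authentication only, anonymous disabled). Hypothetical name.
public class SsoPortalHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        string user = context.Request.ServerVariables["LOGON_USER"];   // DOMAIN\user set by IIS
        string token = HandoffToken.Create(user);
        context.Response.Redirect("/Account/Handoff?t=" + token, true);
    }
}

// Main application (Forms authentication, anonymous allowed). Hypothetical controller.
public class AccountController : Controller
{
    private static readonly ConcurrentDictionary<string, DateTime> SeenNonces =
        new ConcurrentDictionary<string, DateTime>();

    [AllowAnonymous]
    public ActionResult Handoff(string t)
    {
        string login = HandoffToken.Validate(t, SeenNonces);
        if (login == null)
            return RedirectToAction("Login");   // fall back to the manual login form

        FormsAuthentication.SetAuthCookie(login, false);
        // Redirect so the token leaves the address bar and is not kept in history or Referer headers.
        return RedirectToAction("Index", "Home");
    }
}
```

Because the sub-application is the only place that reads `LOGON_USER`, anonymous authentication must stay disabled on it in IIS; the main application never trusts `LOGON_USER` itself, only the protected token. The nonce cache is per-process, so on a web farm the replay check needs a shared store (or the token must be redeemed against a database) to hold across nodes.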
