
ADFS - Windows integrated OR Forms authentication

I'm configuring an ADFS Server and am trying to achieve user-friendly sign-on for our relying party applications.

Currently there are two relevant options as far as I know:

  • Windows authentication: this works great as a single-sign-on provider, but provides a user-unfriendly pop-up if the user is not currently in the correct Windows domain.
  • Forms authentication: this will always ask for a login method regardless of where the user is coming from.

My question here is, is it possible to satisfy these requirements:

  • If the user is logged in with the Windows account, provide SSO
  • Otherwise, display the forms login page and let the user enter his Windows credentials.

Generically speaking, there is no programmatic way of detecting if the user is on the domain or not from a website. Because the moment your site is configured with Windows Auth (and Anonymous disabled), an NTLM challenge is sent to the browser and the credentials prompt pops up if you are not in the domain.

https://serverfault.com/questions/380302/can-i-detect-authenticated-domain-users-in-iis-asp-net-without-prompting-every

The way you achieve that is with DNS, and that's what ADFS recommends by introducing the proxy role. You will have the internal DNS resolving login.yourcompany.com to the internal ADFS, which has Windows auth enabled, and the external DNS resolving login.yourcompany.com to the proxy ADFS role, which has forms auth enabled. So you need another server hosted in the DMZ so users outside the network/domain can reach it.

There is no way to do this with a single ADFS server unless you do some hack (i.e. not supported): having an artificial website on the same ADFS server bound to the external IP, and that website has a redirect to "/adfs/ls/forms".

More info about the proxy and its setup: http://blogs.technet.com/b/askds/archive/2012/01/05/understanding-the-ad-fs-2-0-proxy.aspx

Matias
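As an added example (not from the question or from either answer), a small Python check for the split-DNS setup Matias describes: run it once from inside the domain and once from the DMZ/internet side, and it reports which address login.yourcompany.com resolved to and whether the endpoint challenged with Negotiate/NTLM (the internal ADFS) or served the forms page (the proxy). The host name comes from the answer; the endpoint path and the header-based classification are assumptions.

```python
import socket
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

ADFS_HOST = "login.yourcompany.com"  # host name used in the answer; replace with yours
LS_PATH = "/adfs/ls/"                # assumed passive sign-in endpoint path


@dataclass
class Probe:
    resolved_ip: str   # what the resolver you sit behind handed back
    status: int        # HTTP status the endpoint answered with
    auth_mode: str     # "integrated", "forms" or "unknown"


def classify_auth(status, headers):
    """Infer the sign-on mode from status code and response headers.
    Assumption: the Windows-auth endpoint answers 401 with a WWW-Authenticate
    header offering Negotiate/NTLM; the forms endpoint serves its login page
    (200) or redirects to the /adfs/ls/forms path mentioned in the answer."""
    challenge = headers.get("WWW-Authenticate") or ""
    schemes = {part.strip().split(" ")[0].lower()
               for part in challenge.split(",") if part.strip()}
    if status == 401 and schemes & {"negotiate", "ntlm"}:
        return "integrated"
    location = (headers.get("Location") or "").lower()
    if status == 200 or (status in (301, 302) and "/adfs/ls/forms" in location):
        return "forms"
    return "unknown"


def probe(host=ADFS_HOST, path=LS_PATH, timeout=5):
    # Resolve with the local resolver (the internal or external DNS view), then fetch.
    ip = socket.gethostbyname(host)
    req = urllib.request.Request(f"https://{host}{path}",
                                 headers={"User-Agent": "adfs-split-dns-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, headers = resp.status, resp.headers
    except urllib.error.HTTPError as err:   # a 401 is raised here, not returned
        status, headers = err.code, err.headers
    return Probe(ip, status, classify_auth(status, headers))


if __name__ == "__main__":
    network = sys.argv[1] if len(sys.argv) > 1 else "internal"  # or "external"
    expected = "integrated" if network == "internal" else "forms"
    result = probe()
    verdict = "OK" if result.auth_mode == expected else "MISMATCH"
    print(f"{ADFS_HOST} -> {result.resolved_ip}: HTTP {result.status}, "
          f"mode={result.auth_mode}, expected {expected} from {network}: {verdict}")
```

A MISMATCH from the external side means the external DNS view still points at the Windows-auth server, which is exactly the NTLM pop-up the question complains about.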

You may find it interesting that forms or integrated authentication can be selected based on the user-agent string the browser reports: https://blogs.ncl.ac.uk/isg/?p=296
