现有 .net Web 应用程序需要更改身份验证
[英]Existing .net web application needs to change authentication
问题描述
I inherited an existing .net web application.
我继承了现有的 .net Web 应用程序。 It is an external website that is used by external users and internal users.它是一个供外部用户和内部用户使用的外部网站。 To login/authenticate internal users, it uses LDAP authentication.为了登录/验证内部用户,它使用 LDAP 验证。 External users goes to a different DB.外部用户转到不同的数据库。
My IT department wants to change the way internal users login.我的 IT 部门想要改变内部用户登录的方式。 They do not want to allow an external server to be able to access the AD using LDAP.他们不想让外部服务器能够使用 LDAP 访问 AD。 Is there a more secure method to access the AD from an external server?是否有更安全的方法从外部服务器访问 AD? Or is that not recommended at all?或者根本不推荐这样做?
Also, is the design of the login flawed?另外,登录的设计有缺陷吗? Should internal and external users be logging in the same way?内部和外部用户是否应该以相同的方式登录? What is considered best practice for logging in users?登录用户的最佳实践是什么?
1 个解决方案
解决方案1
2 已采纳 2012-12-06 21:24:38
You could use ADFS (Active Directory Federation Services) for this.您可以为此使用 ADFS(Active Directory 联合服务)。
This will require you to install an ADFS server inside of your network (so it can contact the AD).这将要求您在网络内安装 ADFS 服务器(以便它可以联系 AD)。
The ADFS Server contains a web based STS (Security Token Service) to allow web pages to login using an AD account. ADFS 服务器包含基于 Web 的 STS(安全令牌服务),以允许网页使用 AD 帐户登录。
Basicly in a nutshell it will work as following:简而言之,它的工作原理如下:
- Your user navigates to the external Web Application您的用户导航到外部 Web 应用程序
- The Web Application will redirect the user to the ADFS STS server. Web 应用程序会将用户重定向到 ADFS STS 服务器。
- ADFS STS Server will verify your credentials (either by using integrated security or a web based login box) ADFS STS 服务器将验证您的凭据(通过使用集成安全性或基于 Web 的登录框)
- If the ADFS STS Server is happy abou the credentials it will then redirect the user back to the external Web Application with a login token as extra information.如果 ADFS STS 服务器对凭据感到满意,它将使用登录令牌作为额外信息将用户重定向回外部 Web 应用程序。 This token contains information about the user (can be configured).此令牌包含有关用户的信息(可以配置)。 It is signed by the ADFS server (to ensure the information is authentic) and can optionally be encrypted.它由 ADFS 服务器签名(以确保信息真实)并且可以选择加密。
- The external web application extracts the token and tests the signature.外部 Web 应用程序提取令牌并测试签名。 If it is all correct the Web Application will grand the permissions that the user should have.如果一切正确,Web 应用程序将授予用户应具有的权限。
For information to set this up in an ASP.NET application you could refer to the following url: http://blogs.msdn.com/b/alextch/archive/2011/06/27/building-a-test-claims-aware-asp-net-application-and-integrating-it-with-adfs-2-0-security-token-service-sts.aspx有关在 ASP.NET 应用程序中进行设置的信息,您可以参考以下 URL: http : //blogs.msdn.com/b/alextch/archive/2011/06/27/building-a-test-claims-意识到asp-net-application-and-integrating-it-with-adfs-2-0-security-token-service-sts.aspx
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.