Thread.CurrentPrincipal.Identity 与 Active Directory 条目
在这个非常有用的总结中不同 IIS7 身份验证配置的身份 来自 Mike O'Brien,他概述了 IIS 7 如何处理不同设置的身份验证(我找不到 IIS 6 的类似摘要,这是我们正在使用的版本)。
我们已将身份验证设置为集成 Windows 身份验证;匿名访问已关闭,并且我没有使用模拟。 asp.net 应用程序位于 Intranet 中,但我无法控制(并且知之甚少)有多少个域、它们如何相互交互等。根据上面的文章,我应该为所有三个获得相同的用户信息:
Thread.CurrentPrincipal.Identity
HttpContext.Current.User.Identity
Request.LogonUserIdentity
我确实获得了正确的用户,但大小写与 AD 名称不同。所以我的问题是:如果
Thread.CurrentPrincipal.Identity
(我正在使用的)给出了正确的 AD 名称,但显示了与 AD 不同的大小写,则很可能是 Thread.CurrentPrincipal.Identity、Intranet/domain 设置或差异的问题IIS 6 和 IIS 6 之间IIS 7?
(对这个问题的模糊性表示歉意:我只是想寻找建议,以便最好地查看和/或输入关于使用 Thread.CurrentPrincipal.Identity 是否存在本质上不明智的内容)。
编辑: IIS 6 更新 - 根据此链接
http://msdn.microsoft.com/en-us/library/aa302377.aspx
我也应该获得 IIS 6 的 DOMAIN\username ,所以没有区别。该问题是否与 Kerberos/NTLM 与 IIS 的交互方式有关?
编辑#2:问题可以这样总结:
我在AD中显示为例如DOMAIN\joebloggs。我以 joebloggs 身份登录。但我使用 Thread.CurrentPrincipal.Identity 从(成功)身份验证中返回的凭据显示 DOMAIN\JoeBloggs。那可能是从哪里来的?
In this extremely helpful summary Identities for different IIS7 Authentication Configurations from Mike O'Brien, he gives an overview of how IIS 7 deals with authentication for different settings (I couldn't find a similar summary for IIS 6, which is the version we are using).
We have set the authentication to Integrated Windows Authentication; anonymous access is turned off and I am not using impersonation. The asp.net app sits in an intranet, but I have no control (and very little knowledge) of how many domains there are, how they interact with each other etc.etc. According to the article above I should get the same user information for all three of:
Thread.CurrentPrincipal.Identity
HttpContext.Current.User.Identity
Request.LogonUserIdentity
I do get the correct user, but the casing is different from the AD name. So my question is: if
Thread.CurrentPrincipal.Identity
(which is what I am using) gives the right AD name, but displays a different casing to AD, is that most likely an issue with Thread.CurrentPrincipal.Identity, with the intranet/domain settings, or differences between IIS 6 & IIS 7?
(apologies for the vague nature of this question: I'm just trying to look for suggestions as where best to look and/or input as to whether there is something inherently unwise about using Thread.CurrentPrincipal.Identity).
EDIT: update for IIS 6 - according to this link
http://msdn.microsoft.com/en-us/library/aa302377.aspx
I should be getting DOMAIN\username for IIS 6 as well, so no difference there. Could the issue be related to how Kerberos/NTLM interact with IIS?
EDIT #2: The problem can be summarised thus:
I am displayed as e.g. DOMAIN\joebloggs in AD. I logged in as joebloggs. But the credentials I get back from a (successful) authentication using Thread.CurrentPrincipal.Identity show DOMAIN\JoeBloggs. Where could that be coming from?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
在这种情况下,用户名由客户端提供。身份验证机制验证身份是否可以确认,但它不会将用户提供的名称替换为 AD 中存储的名称,因此没有理由期望大小写匹配。
The user name in this case is supplied by the client. The authentication mechanism verifies that the identity can be confirmed, but it does not replace the user-supplied name with the as-stored name from AD, so there is no reason to expect the casing to match.
事实证明,我没有从客户端站点获得准确的信息:即身份验证正在按照我理解的方式进行(即 ASP.Net:从 AD 查找并返回;ASP:移交给IIS),意外的大小写是由于缓存问题而不是身份验证机制造成的。
It turns out that I was not getting accurate information from the client site: i.e. the authentication is happening the way I had understood it (i.e. ASP.Net: lookup and return from AD; ASP: handed off to IIS) and the unexpected casing was down to caching issues and not down to the authentication mechanism.