使用 IIS7 中的 Forms Auth 和 Windows Auth 锁定站点
我已将其发布在 服务器故障,但由于它涉及编程方面,我也会将其发布在这里。
我有一个使用表单身份验证的 ASP.NET MVC 1.0 应用程序。我们使用的是 Windows Server 2008。我需要锁定该站点,以便只有某些用户(在 AD 组中)可以访问该站点。但不幸的是,当我将站点设置为不允许匿名用户并使用 Windows 身份验证时,由于站点和 IIS 的集成,它显示用户已以其域帐户登录,而不是允许他们通过表单登录授权。
所以,我需要混合模式身份验证。我需要该网站只能通过 Windows 身份验证访问,没有匿名用户,但是一旦您进入,它只需要使用表单身份验证。我该如何以正确的方式做到这一点?
编辑:
这是一个澄清。该网站必须像这样工作。
- 您转到该 URL,然后会弹出 Windows 身份验证登录。您使用具有访问权限的域帐户登录。如果您无权访问,则会显示 401 错误。
- 如果您有访问权限,您就访问了该网站。但是,该网站不使用您的 Windows 身份验证用户名。它使用表单 Auth。因此,您必须使用表单身份验证登录该网站。
问题是,当我将其设置为执行步骤 1 时,它在步骤 2 中使用您的 Windows 用户名。我不希望它这样做。
I've posted this on Server Fault, but as there is sort of a programming aspect to it, I'll post it here too.
I have an ASP.NET MVC 1.0 application that uses Forms Authentication. We are using Windows Server 2008. I need to lock down the site so that only certain users (in AD Groups) can access the site. Unfortunately, though, when I set the site to not allow anon users and use windows authentication, due to the integration of the site and IIS, it shows the user as signed in as their domain account, instead of allowing them to sign in through Forms Auth.
So, I need a mixed mode authentication. I need the site to be only accessible through windows auth, without anon users, but once you are in, it needs to use forms auth only. How would I go about doing this the right way?
EDIT:
Here's a clarification. The site must work like this.
- You go to the URL and a windows auth login pops up. You sign in with a domain accout that has access. If you don't have access, it shows you the 401 error.
- If you have access, you hit the site. However, the site doesn't use your windows auth username. It uses forms Auth. So, you have to sigh in to the site using the forms auth.
The problem is, when I set it up to do step 1, it uses your windows username in step 2. I don't want it to do that.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
这里的技巧是将身份验证的提供程序更改为使用 Active Directory,而不是将设置更改为 Windows。
或者,使用以下提供程序的版本:
使用以下连接字符串的版本:
授权方面,您有一些选择。如果它基于域组,那么您需要连接 azman。如果它是应用程序控制的,您需要将 AD 用户与数据库存储的角色对齐。
PS:我很擅长 LDAP 连接字符串,你可能可以用它做比我更多的事情。
嗯,看来我回答了错误的问题。为了后代的缘故,我将保留这一点,但您应该尝试禁用该站点的匿名身份验证。
Trick here is to change the provider for your authentication to use Active Directory, rather than change the settings to Windows.
Or, use a version of the following provider:
With a version of the following connection string:
Authorization-wise, you have some options. If it is based on domain groups, then you'll need to get azman wired up. If it is application controlled, you'll need to line up the AD users with the database-stored roles.
PS: I suck at LDAP connection strings, you can probably do alot more with it than I did.
Well, seems like I answered the wrong question. I'll leave this up for posterity's sake, but you should just try to disable Anonymous Authentication for the site.
我在这里找到了答案:
IIS7 和身份验证问题
简而言之,在 IIS 7 中,您无法像 IIS 6 那样进行两层身份验证。
I found my answer here:
IIS7 and Authentication problems
The short of it is, in IIS 7 you cannot have two-tiered authentication like you could with IIS 6.