匿名之前的 IIS Windows 身份验证

发布于 2024-08-18 10:18:23 字数 191 浏览 6 评论 0原文

我有一个网站,我希望同时允许表单和 Windows 身份验证。我的问题是,当您将 IIS 设置为允许匿名(表单身份验证所需)和 Windows 身份验证时,浏览器似乎不会发送用户的网络凭据。

它只是使用匿名登录。在 IE8 或 IIS 中是否有任何方法可以让它尝试 Windows Auth 1st,然后回退到匿名?

感谢您的任何帮助。

I have a website that I would like to allow both Forms and Windows Auth for. My problem is that it seems that when you setup IIS to allow both anonymous (Required for forms auth) and Windows auth that the browser won't send the user's network credentials.

It just uses the anonymous login. Is there any way either in IE8 or IIS to have it try Windows Auth 1st and then fall back to Anonymous?

Thanks for any help.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

美人迟暮 2024-08-25 10:18:24

在尚无凭据的情况下,如果不弹出身份验证对话框,您就无法请求 HTTP 身份验证(无论是基本身份验证还是集成 Windows 身份验证)。

因此,一般来说,对于混合 HTTP-auth+cookie-auth 方法,您可以对站点的大部分内容启用匿名访问和经过身份验证的访问,但只允许对一个特定脚本进行经过身份验证的访问。

当用户访问没有任何一种身份验证的页面时,您会弹出一个页面,其中包含用于基于 cookie 的身份验证的登录表单,以及指向仅允许经过身份验证的访问的 URL 的链接。用户可以填写 cookies&forms auth 表单,或者点击链接使用 HTTP auth 登录。

如果用户点击该链接,他们将收到 401 响应,并且必须通过身份验证对话框或可能自动使用集成 Windows 身份验证提供 HTTP 身份验证。一旦发生这种情况,浏览器将开始向以后的每个页面提交相同的凭据,因此 IIS 将解码凭据,以便在运行主站点脚本时为您提供预期的 REMOTE_USER

浏览器只会将凭据提交到与 401 脚本位于同一目录或其子目录中的页面。因此,最好将 HTTP 身份验证所需的脚本放在根目录中,例如 /login.aspx

但是,有一些浏览器不会自动提交更多页面的凭据,并且要求每个 HTTP 请求首先响应 401,然后再使用凭据再次发送请求。这使得可选身份验证和混合身份验证方案变得不可能(并且使受保护站点的浏览速度慢得多!)。唯一执行此操作的现代浏览器是 Safari。您可能不在乎,因为 Safari 对集成 Windows 身份验证的支持传统上一直不稳定,而且它仍然可以使用 forms+cookies 身份验证类型。

You can't ask for HTTP authentication (whether that's Basic Authentication or Integrated Windows Authentication) without causing the authentication dialogue box to pop in the case where there are no credentials yet.

So in general for hybrid HTTP-auth+cookie-auth approaches you enable both anonymous and authenticated access for the bulk of the site, but allow only authenticated access to one particular script.

When the user accesses a page without either kind of auth, you spit out a page with a login form for the cookie-based auth, and also a link to the one URL that allows only authenticated access. The user can fill out the form for cookies&forms auth, or hit the link to log in with HTTP auth instead.

If the user follows that link, they will be given a 401 response and must provide HTTP authentication, either through the auth dialog, or potentially automatically using integrated Windows authentication. Once this has happened once, the browser will start submitting the same credentials to every future page, so IIS will decode the credentials to give you the expected REMOTE_USER when your main site scripts are run.

Browsers will only submit the credentials to pages in the same directory as the 401 script, or subdirectories of this. For this reason it is best to put the HTTP-auth-required script in the root, for example as /login.aspx.

However, there are a few browsers that won't automatically submit credentials for further pages, and require every HTTP request to respond 401 first, before sending the request again with credentials. This makes optional-auth and hybrid-auth schemes impossible (as well as making browsing of protected sites much slower!). The only modern browser that does this is Safari. You may not care, as Safari's support for Integrated Windows Authentication has traditionally been shaky anyway, and it can still use the forms+cookies auth type.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文