将表单身份验证与 Windows 身份验证混合使用

发布于 2024-08-21 11:00:38 字数 391 浏览 6 评论 0原文

我有一个 (ASP.NET 3.5) Intranet 应用程序,它被设计为使用表单身份验证(以及默认的 aspnet 会员系统)。我还将有关用户的附加信息存储在另一个表中,该表与 aspnet_users 表共享其主键。

对于属于我们域的用户,我将其域帐户名存储在辅助用户表中,并且我希望自动登录其域帐户名与表中存储的名称匹配的用户。

我已阅读可用的指南 - 它们都是两年前或更长时间的,并且假设您能够在单独的登录页面上激活 Windows 身份验证,该登录页面允许您提取域帐户名。但据我所知,这在 IIS7 中是不可能的(整体身份验证方法应用于所有页面,不能有选择地停用,并且两种身份验证方法不能应用于同一页面)。

有没有办法让IIS通过请求用户的Windows域帐户名?我不需要正确的 AD 身份验证,只需要域名。

I have an (ASP.NET 3.5) intranet application which has been designed to use forms authentication (along with the default aspnet membership system). I also store additional information about users in another table which shares its primary key with the aspnet_users table.

For users who are part of our domain I store their domain account name in the secondary users table, and I want to automatically log in users whose domain account name matches a name stored in the table.

I have read the guides which are available - they're all from two years ago or more and assume that you are able to activate Windows Authentication on a separate login page that allows you to extract the domain account name. From what I can tell, though, this is not possible in IIS7 (the overall authentication method is applied on all pages and cannot be selectively deactivated, and both authentication methods can't be applied on the same page).

Is there a way of getting IIS to pass through the windows domain account name of the requesting user? I don't need proper AD authentication, just the domain name.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(7

末骤雨初歇 2024-08-28 11:00:38

事实上,你可以做到。 @dr_draik 有点晚了,但这突然出现在我的谷歌结果中,所以我想我应该分享一些知识。

如果您处于经典模式 - 启用 Windows 和表单身份验证。您会收到一条警告,提示您无法同时执行这两项操作,但您可以忽略它。然后,您可以探索各种属性,例如
代码:

HttpContext.Current.Request.ServerVariables["LOGON_USER"]

并从中获取用户名。

如果您处于集成模式 - 4021905 IIS7 基于质询和基于登录重定向的身份验证无法同时使用 导致 IIS 7.0 使用表单身份验证和 Windows 身份验证进行两级身份验证,该模块允许您有选择地更改不同页面的身份验证。

Actually, you can do it. Bit late for @dr_draik, but this cropped up in a google result for me so I thought I'd share some knowledge.

If you're in classic mode - Enable both Windows and Forms auth. You'll get a warning about not being able to do both at once, but you can ignore it. Then, you can spelunk around various properties like
Code:

HttpContext.Current.Request.ServerVariables["LOGON_USER"]

and fish the username out of there.

If you're in integrated mode - 4021905 IIS7 Challenge-based and login redirect-based authentication cannot be used simultaneiously leads to IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication which is a module that allows you to selectively change the auth for different pages.

〗斷ホ乔殘χμё〖 2024-08-28 11:00:38

您始终可以在 IIS7 中设置 2 个单独的应用程序。需要启用 Windows 身份验证。另一个是具有表单身份验证的主应用程序。如果用户访问 Windows 身份验证应用程序,该页面可以获取他们的凭据并将其传递给表单身份验证应用程序。

You could always set up 2 separate application in IIS7. One would have Windows Authentication enabled. The other would be the main app with forms authentication. If a user went to the windows authentication app, the page could grab their credentials and pass it to the forms authentication app.

夜司空 2024-08-28 11:00:38

(更多的是为了信息的完整性)

不久前,我在一次会议上向一位 .Net 安全人员提出了这个问题。他的回答是,这在技术上是可行的,但他从未见过它被完成(并让他知道我是否做到了并且它有效!)。

他建议可以通过制作自己的 ISAPI 过滤器并将其安装到 IIS 中来完成此任务。 ISAPI 过滤器将拦截请求,并基本上完成 IIS 在使用集成身份验证时所做的工作,但如果不存在,则回退到使用表单。这涉及过滤器中一些复杂的质询/响应逻辑。不过这是针对 IIS6 的,因此在 IIS7 中可能会有所不同。

虽然这在技术上可能是可行的,但我不会建议采用这种方法,因为它感觉有点像黑客,并且滚动自己的安全性从来都不是一个真正的好主意(除非您真的< /em> 知道你在做什么)。

(More for completeness of information really)

I asked a .Net security guy this question at a conference a while back. His response was that it is technically possible, but he'd never seen it done (and to let him know if I did it and it worked!).

He suggested the way it could be done was by making your own ISAPI filter and installing it into IIS. The ISAPI filter would intercept the requests and basically do the job that IIS does when using integrated authentication, but fall back to using forms if this was not present. This involved some complicated challenge/response logic in the filter. This was for IIS6 though, so it might be different in IIS7.

Whilst this might be technically possible, I wouldn't suggest this route as it feels like a bit of a hack, and rolling your own security is never really a good idea (unless you really know what you are doing).

鹊巢 2024-08-28 11:00:38

有很多文章介绍通过设置配置来使用允许匿名访问应用程序的表单来混合身份验证。其次,应创建一个用于集成身份验证的页面,并将 IIS 设置设置为拒绝匿名并使用集成身份验证。在那里,您可以通过检查请求的 ServerVariables 集合的“Logon_User”变量来实现魔术。最后,为了让集成身份验证以静默方式登录用户,它必须具有简短的托管名称。因此,如果您的表单身份验证部分通过 FQDN 暴露到互联网,则应该有某种重定向到短主机页面。我认为在IIS下只用一个应用程序和2个虚拟目录就可以实现。

There are plenty articles on mixing the authenticaton by setting config to use the forms with allowing anonymous access to the app. Secondly, a page for integrated auth should be created with IIS settings set to deny anonymous and use Intgrated Authentication. There you would the magic trick by checking the "Logon_User" variable of the requets's ServerVariables collection. And finally for integrated authentication to silently sign in the user it has to have short hosted name. So if your forms authentication piece is exposed to internet via FQDN there should be some kind of redirect to the short host page. I think it is possible to achieve with just one application under IIS with 2 virtual directories.

叶落知秋 2024-08-28 11:00:38

我找到了一个不使用特殊附加组件的解决方案。这很棘手,需要将此处引用的所有页面中的元素拼凑在一起。
我发布了有关它的文章: http:// low-bandwidth.blogspot.com.au/2014/11/iis7-mixed-windows-and-forms.html

本质上,必须启用表单、窗口和匿名身份验证。
登录屏幕应该基于表单,并包含一个触发 Windows 登录的按钮,该按钮会发出 HTTP 401 响应质询,如果成功,则会创建基于表单的登录票证。

问题相当复杂,这篇文章详细介绍了原理和解决方案。

I found a solution using no special add-ons. It was tricky and involved cobbling together elements from all the pages referenced here.
I posted about it: http://low-bandwidth.blogspot.com.au/2014/11/iis7-mixed-windows-and-forms.html

In essence, forms, windows and anon authentication have to be enabled.
The login screen should be forms based, and contain a button to trigger Windows login, that issues an HTTP 401 response challenge which if successful creates a forms based login ticket.

The issues are rather complex, and the post goes through the principles and the solution in detail.

木格 2024-08-28 11:00:38

不幸的是,您尝试做的事情不受支持。为了让 ASP.NET 知道 Windows 用户名,您必须使用 Windows 身份验证。

您可以设置另一个站点/虚拟目录,将用户名信息转发到另一个页面。但是,当非 Windows 身份验证的用户尝试登录时会发生什么情况?

Unfortunately, what you are trying to do just isn't supported. In order for ASP.NET to know the Windows username, you must use Windows Authentication.

You could set up another site / virtual directory that just forwarded the username information to another page. But what happens when non-Windows authenticated users try to log in?

梦萦几度 2024-08-28 11:00:38

我有一些你可以尝试的东西 - 不确定它是否有效。

过去我们使用过Request.ServerVariables["LOGON_USER"],但显然要返回非空值,您需要禁用匿名访问。

请参阅此文章:http://support.microsoft.com/default.aspx/kb/ 306359

建议在 IIS 端保留匿名访问和 Forms 身份验证,但拒绝匿名用户,如下所示:

<authorization>
   <deny users = "?" /> <!-- This denies access to the Anonymous user -->
   <allow users ="*" /> <!-- This allows access to all users -->
</authorization>

I've got something you can try - not sure if it will work.

In the past we've used Request.ServerVariables["LOGON_USER"] but obviously for this to return a non-empty value you need to disable Anonymous access.

See this article: http://support.microsoft.com/default.aspx/kb/306359

It suggests keeping Anonymous access on the IIS side, and Forms authentication, but denying the anonymous user as follows:

<authorization>
   <deny users = "?" /> <!-- This denies access to the Anonymous user -->
   <allow users ="*" /> <!-- This allows access to all users -->
</authorization>
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文