当前位置: 文江博客话题详情

IIS7混合模式身份验证

发布于 2024-08-27 08:12:18 字数 708 浏览 9 评论 0原文

我们正准备开始将一些 IIS6 站点迁移到 IIS7,并且该应用程序当前使用表单身份验证。我们已开始收到来自各个站点的一些要求为用户使用 Windows 身份验证的请求。虽然这很容易实现(并且我已经在内部表明该应用程序没有问题,正如预期的那样),但问题是当集成 Windows 不起作用时如何继续保留表单身份验证。我已经看过几个关于如何在 IIS6 上配置它的演练,我可以在 IIS7 上执行相同的操作,但随后我必须打开经典模式处理。如果可能的话,任何解决方案都应该可移植到 IIS6,以保持构建树简单。

那么我对此有什么选择呢?我是否在 IIS7 中设置集成 Windows 身份验证、web.config 中的表单身份验证,并将 401 错误重定向到“错误页面”,允许他们使用表单登录,然后返回常规应用程序?

可能需要表格的情况将保留给合同工、我们的支持人员以及有人需要从外联网在其网站上访问表格的情况。因此,主要是供我们的员工登录以检查功能并确认错误报告。我建议我们保持这样的态度,为了让我们的支持人员正常工作,我们需要一个始终处于活动状态的 Windows 登录,然后我们将对谁可以登录该站点强制执行本地责任,但我被告知我们会这样做最好有表单身份验证。

有什么想法吗?我可以发布一些我已经阅读过的文章的链接,如果这有助于论坛更好地缩小我的需求。

tl;dr: 如何在 IIS7 中进行混合模式身份验证(表单、Windows)而不更改为经典管道,并且如果可能的话仍然能够使用 IIS6 中的构建。

原文

We're getting ready to start migrating some of our IIS6 sites to IIS7, and the application currently uses Forms Authentication. We have started getting some requests from various sites to use the Windows Authentication for the users. While this is easy enough to implement (and I've shown internally that there is no issue with the app, as expected) the question then is how to continue to keep Forms authentication for when Integrated Windows doesn't work. I've seen several walkthroughs on how to have it configured on IIS6, and I could do the same thing on IIS7, but then I have to turn on Classic Mode processing. Any solution should also be back portable to IIS6, if possible, to keep the build tree simple.

So what are my options on this? Do I setup the app with Integrated Windows Authentication in IIS7, Forms Auth in the web.config, and redirect 401 errors to an "error page" allowing them to login using forms, then back to the regular app?

The case when Forms is likely to be needed is going to be reserved for Contract workers, our support staff, and if someone needs to access it on their site from their Extranet. So primarily it's for our staff to login to check functionality and confirm bug reports. I suggested we just maintain that for our support staff to work, we need a Windows login that will always be live, and then we'll just enforce local responsibility on who can login to the site, but I'm told that we would do better to have Forms Authentication.

Any thoughts? I can post some of the links of the articles I've already read through if that would help the forum better narrow my needs.

tl;dr: How to do mixed mode authentication (forms, windows) in IIS7 without changing to classic pipeline and still be able to use the build in IIS6 if possible.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

浮生未歇 2024-09-03 08:12:18

不,这不太正确,但我不能在评论回复中执行代码块,所以我将发布一个新答案...

以下代码块允许我控制来自 IIS7 的匿名访问,而不必在配置数据库(其中应用 IIS6 上的 GUI 更改)

<location path="WindowsLogin.aspx" >
    <system.web>
        <authorization>
            <deny users="?" />
            <allow users="*" />
        </authorization>
    </system.web>
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="false" />
                <windowsAuthentication enabled="true" />
            </authentication>
        </security>
    </system.webServer>
</location>

No, that's not quite right, but I can't do a code block in a comment reply, so I'll post a new answer ...

The following code block allows me to control anon access from IIS7 without having to muck about in the metabase (where GUI changes on IIS6 get applied)

<location path="WindowsLogin.aspx" >
    <system.web>
        <authorization>
            <deny users="?" />
            <allow users="*" />
        </authorization>
    </system.web>
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="false" />
                <windowsAuthentication enabled="true" />
            </authentication>
        </security>
    </system.webServer>
</location>
回复 原文
独孤求败 2024-09-03 08:12:18

感谢您回复我,我已经断断续续地研究了几个实现,我已经在互联网上读到了这些实现(javascript、401、2虚拟目录),但仍然没有真正找到任何东西这正如我想要的那样。我们可能会将其推广到多个客户端,每个客户端都具有不同的硬件/设置,甚至不同版本的 iis,因此希望它尽可能通用。我在几个建议的解决方案上遇到了困难......

当你说对于 IIS7+ 你在 Web 配置中删除了匿名访问时,我假设是这样的:-

<location path="Authent/WinLogin.aspx" > 
  <system.webServer>
    <security>
      <authorization>
        <add accessType="Deny" users="?" />
      </authorization>
    </security>
  </system.webServer>
</location>

thanks for getting back to me, I have been playing round with several of the implementations on and off for a few weeks now, that I've read about on the internet (javascript, 401, 2 virtual directories) but still havnt really found anything that works as I wanted. We will be potentially rolling it out to more than one client-each with different hardware/setups even different versions of iis, so wanted it to be as generic as possible. Ive come up against a brick wall on a couple of the suggested solutions...

when you say for IIS7+ you removed anon access in web config, I assume like this: -

<location path="Authent/WinLogin.aspx" > 
  <system.webServer>
    <security>
      <authorization>
        <add accessType="Deny" users="?" />
      </authorization>
    </security>
  </system.webServer>
</location>
回复 原文
想念有你 2024-09-03 08:12:18

我花了几天时间尝试让它工作,但略有不同...我希望第一个登录屏幕显示表单登录,并在“使用 Windows 身份验证登录”下方有一个按钮。

我最终放弃了所有这些技术,因为我永远无法获得令人满意的结果。我的解决方法如下,并且效果很好:

  • 创建一个单独的网站“LoginWithIntegratedSecurity”
  • 使用集成安全性进行设置
  • 该网站在数据库中创建一个临时“用户哈希密钥”,用于标识用户
  • 重定向回表单身份验证网站中的 LogonPage 表单身份验证中的 url
  • LogonPage 会检查哈希密钥,并在数据库检查后将用户登录

因此,如果用户单击“使用 Windows 身份验证登录”按钮,服务器将重定向到 Windows 身份验证站点(传递“ReturnUrl”) 。该站点挑战并登录用户,然后重定向回来,再次传递“ReturnUrl”以及 HashKey。

这一切发生得非常快,而且看起来非常无缝。

我知道这是一个很麻烦的解决方法,但对于我的情况来说它效果很好。

I spent a few days trying to get this to work, with a slight difference... I wanted the first login screen to present the forms login with an button underneath "Login With Windows Authentication".

I eventually gave up on all these techniques, as I never could quite get the satisfactory results. My workaround was as follows, and works perfectly:

  • Create a separate website "LoginWithIntegratedSecurity"
  • Set this up with integrated security
  • This web site creates a temporary "User Hash Key" in the database, which identifies the user
  • Redirects back to LogonPage in Forms Authentication website with Hash key in url
  • LogonPage in Forms Authentication checks for Hash key, and logs user in after database check

So if the User clicks the button "Login with windows Authentication", the server redirects to the windows authentication site (passing the "ReturnUrl"). This site challenges and logs in user, then redirects back, again passing the "ReturnUrl" as well as the HashKey.

This all happens very fast, and appears pretty seamless.

I know its a hacky workaround, but for my case it worked well.

回复 原文
~没有更多了~

关于作者

深白境迁sunset

暂无简介

0 文章
0 评论
24 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

留蓝

文章 0 评论 0

18790681156

文章 0 评论 0

zach7772

文章 0 评论 0

Wini

文章 0 评论 0

ayeshaaroy

文章 0 评论 0

初雪

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文