Is it possible to restrict Windows-authenticated users in an ASP.NET application to a particular domain?
I'm in the process of pulling a classic ASP app into Mvc2. I'll be deploying to an intranet and have been asked to enable support for Windows Authentication. The network I'll be deploying to has a few AD Domains and I'll only need to integrate with one in particular. Is it possible to use Windows Authentication and only allow authentication within a particular domain?
Along those same lines, it's not uncommon for a user to have an account in multiple domains (the account names themselves are typically different) - in the event a user logs in with an "unsupported" domain I'd like to kick them to a login form. Is this possible simply using Windows Auth or am I better off looking for an alternative?
Pro Tip:
Whatever you do don't implement Windows Authentication via IIS. Have a Forms Authentication page in your MVC app but use the LDAP authentication provider. This way you avoid the differences between how browsers implement Windows Authentication (only works well in IE and that's not a great reason).
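One way to put this answer into practice, as an added example that is not the answerer's code: a Forms Authentication LogOn action for MVC 2 that validates credentials against one Active Directory domain only, using System.DirectoryServices.AccountManagement. The appSettings key "AllowedDomain", the controller and action names, and the .NET 3.5 / MVC 2 target are assumptions; nothing here comes from the page.

```csharp
// Added example (not from the answer above): a Forms Authentication LogOn action that
// validates credentials against ONE Active Directory domain, so that accounts from the
// network's other domains cannot sign in even where a trust relationship exists.
// Assumptions: ASP.NET MVC 2, a reference to System.DirectoryServices.AccountManagement,
// and an appSettings key "AllowedDomain" (e.g. "CORP") in web.config (our assumption).
using System;
using System.Configuration;
using System.DirectoryServices.AccountManagement;
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller
{
    // The only domain this application accepts; read once from web.config.
    private static readonly string AllowedDomain =
        ConfigurationManager.AppSettings["AllowedDomain"];

    [HttpGet]
    public ActionResult LogOn()
    {
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOn(string userName, string password, string returnUrl)
    {
        // Refuse "OTHERDOMAIN\user" and "user@other.example" outright. Passed through,
        // such a name could be authenticated via a trusted domain we do not support.
        if (string.IsNullOrEmpty(userName) || userName.IndexOfAny(new[] { '\\', '@' }) >= 0)
        {
            ModelState.AddModelError("", "Enter your account name without a domain prefix.");
            return View();
        }

        if (!ValidateAgainstAllowedDomain(userName, password))
        {
            // One message for unknown user and wrong password: do not reveal which it was.
            ModelState.AddModelError("", "The user name or password is incorrect.");
            return View();
        }

        // Store the qualified name so downstream authorization can rely on the domain part.
        FormsAuthentication.SetAuthCookie(AllowedDomain + "\\" + userName, false);

        // Follow only local return URLs (single leading slash) to avoid an open redirect.
        if (!string.IsNullOrEmpty(returnUrl)
            && returnUrl.StartsWith("/", StringComparison.Ordinal)
            && !returnUrl.StartsWith("//", StringComparison.Ordinal))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }

    // Binds to the allowed domain only and asks it to validate the password. An account
    // that exists only in another domain fails here even if that domain trusts ours.
    private static bool ValidateAgainstAllowedDomain(string samAccountName, string password)
    {
        using (var context = new PrincipalContext(ContextType.Domain, AllowedDomain))
        {
            // The account must really live in this domain, not merely resolve through a trust.
            using (var user = UserPrincipal.FindByIdentity(
                context, IdentityType.SamAccountName, samAccountName))
            {
                if (user == null)
                {
                    return false;
                }
            }
            return context.ValidateCredentials(samAccountName, password, ContextOptions.Negotiate);
        }
    }
}
```

The lookup in ValidateAgainstAllowedDomain runs under the application pool identity, so that identity needs read access to the target domain; ValidateCredentials itself uses the supplied user's credentials. Rejecting any domain-qualified input, rather than parsing it, is the part that actually enforces "this domain only".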
The question "Is it possible to use Windows Authentication and only allow authentication within a particular domain?" has always had one and only one answer in my consulting experience: the answer is the permissions that you set for authenticated resources.
I've rarely found a deployment where there isn't some file, folder, server, COM+ object, SQL Role or database table that can't be "locked down" to only allow access by the subset of users you're targeting (e.g. "DOMAIN\Domain Users"):
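The same "lock it down to DOMAIN\Domain Users" idea expressed inside the MVC application rather than on a file or database, as an added example that is not the answerer's code: an authorization filter for MVC 2 that accepts a Windows-authenticated identity only when its domain prefix matches the configured domain and the token carries that domain's Domain Users group, and otherwise sends the user to the forms login page as the question asked. The attribute name, the Domain property and the existence of a forms login page at FormsAuthentication.LoginUrl are assumptions.

```csharp
// Added example (not from the answer above): an MVC 2 authorization filter that admits a
// Windows-authenticated user only when the identity's domain prefix is the configured domain
// AND the account is in that domain's "Domain Users" group; everyone else is redirected to
// the forms login page. Assumptions: IIS Windows Authentication is enabled, identities arrive
// as "DOMAIN\user", and a login page exists at FormsAuthentication.LoginUrl.
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class SingleDomainAuthorizeAttribute : AuthorizeAttribute
{
    // NetBIOS name of the one domain the application trusts,
    // e.g. [SingleDomainAuthorize(Domain = "CORP")] on a controller or base controller.
    public string Domain { get; set; }

    // Group every admitted user must belong to; mirrors the "DOMAIN\Domain Users" ACL approach.
    public string RequiredGroup
    {
        get { return Domain + @"\Domain Users"; }
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Keep the base Users/Roles checks if the attribute was given any.
        if (!base.AuthorizeCore(httpContext))
        {
            return false;
        }

        var identity = httpContext.User.Identity;
        if (!identity.IsAuthenticated || string.IsNullOrEmpty(identity.Name))
        {
            return false;
        }

        // Windows Authentication presents the account as DOMAIN\user. A name without a
        // backslash (a local machine account or a forms account) is not a domain account.
        int separator = identity.Name.IndexOf('\\');
        if (separator <= 0)
        {
            return false;
        }
        string accountDomain = identity.Name.Substring(0, separator);
        if (!string.Equals(accountDomain, Domain, StringComparison.OrdinalIgnoreCase))
        {
            return false;
        }

        // The name prefix alone is not proof of membership; the token must also carry the
        // target domain's Domain Users group. IsInRole on a WindowsPrincipal checks the token's groups.
        return httpContext.User.IsInRole(RequiredGroup);
    }

    // The default is a 401, which makes the browser retry Windows authentication with the same
    // (unsupported) account. Redirect to the forms login page instead so the user can sign in
    // with an account from the right domain.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        string returnUrl = filterContext.HttpContext.Request.RawUrl;
        string loginUrl = FormsAuthentication.LoginUrl + "?ReturnUrl=" + HttpUtility.UrlEncode(returnUrl);
        filterContext.Result = new RedirectResult(loginUrl);
    }
}
```

Checking both the domain prefix and group membership matters: the prefix is just a string on the identity, while IsInRole consults the group SIDs in the Windows token, which is what a file or SQL permission on DOMAIN\Domain Users would also be evaluating.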