如何说服 Internet Explorer 允许以其他用户身份进行身份验证？

发布于 2024-10-04 12:43:16 字数 1079 浏览 1 评论 0原文

感谢您的阅读和您的想法；这是一个棘手的问题，所以我想我应该分享一下，看看这对于比我们更有经验的开发人员来说是否真的是一个公平的挑战。

我们正在为企业 Microsoft Active Directory 环境开发一个 Web 应用程序，并使用 IIS 提供的 Windows 身份验证以及表单身份验证来对用户进行单点登录身份验证。我知道当两者都启用时 IIS 会抱怨，但它工作得很好，而且我们部署的每个站点都没有需要解决的奇怪问题 - 直到现在。

新站点拥有“共享”计算机，使用通用帐户永久登录，该帐户对他们需要使用的应用程序具有只读访问权限。这意味着我们无法区分应该对应用程序具有不同权限的用户；我们需要某种方式提示用户输入身份验证详细信息。

第一次尝试是认真的谷歌搜索；世界上似乎没有其他人遇到我们的问题，除了一些被误导的灵魂，他们向以太提出问题但没有得到回应。

经过一番集思广益并弄清楚 IIS 身份验证的工作方式后，解决该问题的最直接方法似乎是发出 401 Unauthorized 来响应已知为共享帐户的用户。这里的初步测试似乎卓有成效，在浏览器内成功更改了用户名，但是该网站的原型没有提示输入凭据，并且浏览器保留了相同的帐户详细信息。我们还研究了 IE 特定的 JavaScript

document.execCommand("ClearAuthenticationCache")

，它在实验室中工作，但在现场却不起作用。现场对 IE 安全设置的进一步实验表明，如果 webapp 站点被排除在 Intranet 区域之外，浏览器将自动重新进行身份验证，无论使用何种方法欺骗浏览器提示用户输入新帐户详细信息。

现在我们被困住了。我们有解决方法可以让其按时进行，但它们绝对不是“正确”的答案：

要求用户在登录我们的应用程序之前注销共享帐户（...恶心）
从 Intranet 中排除我们的 Web 应用程序所有计算机上的区域都
为用户提供非 SSO 登录服务，

我相信有一种规范的方法可以做到这一点 - 一种已知的模式，一个已经解决的常见基本问题，类似的东西 - 我非常感兴趣听听有哪些创造性的方法可以解决此类问题，以及是否有其他人实际上曾经经历过类似的事情。

原文

Thanks for reading and for your thoughts; this is a hairy problem, so I thought I'd share to see if it is actually a fair challenge for more seasoned developers than ourselves.

We're developing a web application for a corporate Microsoft Active Directory environment, and we use Windows Authentication provided by IIS to authenticate users for single-sign-on, alongside Forms Authentication. I know IIS complains when both are enabled, but it works very well, and every site we've deployed at has had no weird quirks to work around - until now.

The new site has "shared" machines, logged in permanently with a generic account that has read-only access to the applications they need to use. This means that we can't differentiate between users who should have different permissions to the application; we need some way of prompting the user for authentication details.

First try was some serious googling; nobody else in the world seemed to have our problem except for a few misguided souls who had asked questions into the ether and received no response.

After a bit of brainstorming and nutting out the way IIS's authentication works, it seemed that the most straightforward way to approach the problem was to issue a 401 Unauthorized in response to a user known to be a shared account. Initial tests here seemed fruitful, yielding successful changes of username inside the browser, however a prototype at the site did not prompt for credentials, and the browser kept the same account details. We also hit on the IE-specific javascript

document.execCommand("ClearAuthenticationCache")

which, again, worked in the lab but not onsite. Further experiments with IE security settings onsite revealed that the browser would automatically reauthenticate if the webapp site was excluded from the Intranet Zone, regardless of the method used to trick the browser into prompting the user for new account details.

Now we're stuck. We've got workaround options for getting it going on time, but they're definitely not the "right" answers:

require users to log out of the shared account before logging into our app (...yuck)
exclude our webapp from Intranet Zone on all machines
provide a non-SSO login service for users

I'm convinced that there's a canonical way to do this - a known pattern, a common base problem that's already been solved, something like that - and I'm very interested to hear what sort of inventive methods there are to solve this sort of problem, and if anyone else has actually ever experienced anything remotely like it.

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

往日情怀 2024-10-11 12:43:16

我们最终确定了一个解决方案，将查询提交到服务器知道的 LDAP 目录。这意味着必须接受用户的密码，但没有其他解决方案足以在生产环境中运行。

希望这对某人有帮助。需要 .NET Framework 3.5+。

using System.DirectoryServices.AccountManagement;

private static bool IsLdapAuthenticated(string username, string password)
{
    PrincipalContext context;
    UserPrincipal principal;

    try
    {
        context = new PrincipalContext(ContextType.Domain);
        principal = Principal.FindByIdentity(context, IdentityType.SamAccountName, username) as UserPrincipal;
    }
    catch (Exception ex)
    {
        // handle server failure / user not found / etc
    }

    return context.ValidateCredentials(principal.UserPrincipalName, password);
}

We ended up settling on a solution that submits a query to the LDAP directory the server knows about. It means having to accept the user's password, but no other solution was solid enough to run in a production environment.

Hopefully this helps someone. .NET Framework 3.5+ required.

using System.DirectoryServices.AccountManagement;

private static bool IsLdapAuthenticated(string username, string password)
{
    PrincipalContext context;
    UserPrincipal principal;

    try
    {
        context = new PrincipalContext(ContextType.Domain);
        principal = Principal.FindByIdentity(context, IdentityType.SamAccountName, username) as UserPrincipal;
    }
    catch (Exception ex)
    {
        // handle server failure / user not found / etc
    }

    return context.ValidateCredentials(principal.UserPrincipalName, password);
}

回复收藏 0 原文