Restricting access to a .Net website by Active Directory computer group

Posted 2024-10-06 18:40:11 · 285 words · 5 views · 0 comments

We're looking into doing machine-based authentication, allow any user on particular machines to access our .Net site. The list of machines will change but are all on an internal network. Their IP addresses are assumed to not be static.

To make it more manageable we'd like to be able to restrict access to an Active Directory computer group.

I can manage the AD querying, my question is where is the best place to pull out the machine name and authenticate the entire session?

I looked into creating a new HttpModule but it seems I'll have to authenticate every request. Authenticating every request doesn't seem ideal if an AD query is involved.

Comments (2)

是你 2024-10-13 18:40:11

The web is stateless, so every request is always authenticated no matter what technology you're using. However, the trick to not hammering AD is using a session http cookie. You would set this cookie on the first request and check for it on subsequent requests. You would need some kind of cryptographic protection on the cookie, but thankfully this is ready-rolled in ASP.NET. I'd say you could leverage the Forms Authentication infrastructure to set and validate a cookie - you would just offload the initial authentication to AD instead of reading from a posted form.

Here's a great place to start:

Understanding the Forms Authentication Ticket and Cookie
http://support.microsoft.com/kb/910443

离笑几人歌 2024-10-13 18:40:11

You don't need to authenticate every request. Authenticate the first request with your HttpModule, and either add the requestor to the session, or cache the credentials for a short period of time.
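
The two answers combined, as an added example that is not code from either poster: an HttpModule that queries AD only when no valid Forms Authentication ticket is present, then issues the ticket cookie so later requests skip the lookup. The group name, the class and helper names, and the use of reverse DNS to obtain the machine name are assumptions; reverse DNS is only as trustworthy as the internal DNS zone, and the ticket timeout in web.config bounds how long a machine removed from the group keeps access.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Net;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example. Register under <system.webServer><modules>, with Forms authentication enabled.
public class MachineGroupAuthModule : IHttpModule
{
    // Placeholder group name (assumption, not from the page).
    private const string AllowedGroup = "WebSite-Allowed-Computers";

    public void Init(HttpApplication app)
    {
        // By PostAuthenticateRequest, FormsAuthenticationModule has already
        // decrypted and validated any ticket cookie on the request.
        app.PostAuthenticateRequest += OnPostAuthenticate;
    }

    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.Request.IsAuthenticated) return;   // valid ticket: no AD query

        string machine = ResolveMachineName(ctx.Request.UserHostAddress);
        if (machine == null || !IsInAllowedGroup(machine))
        {
            ctx.Response.StatusCode = 403;          // unknown or unlisted machine
            ctx.ApplicationInstance.CompleteRequest();
            return;
        }
        // Issue the encrypted, MAC-protected ticket as a session (non-persistent) cookie.
        FormsAuthentication.SetAuthCookie(machine, false);
        // The cookie only takes effect on the next request, so authorize this one directly.
        ctx.User = new GenericPrincipal(new GenericIdentity(machine, "Forms"), new string[0]);
    }

    // Hypothetical helper: reverse DNS lookup, short host name only (assumption).
    private static string ResolveMachineName(string ip)
    {
        try { return Dns.GetHostEntry(ip).HostName.Split('.')[0]; }
        catch (System.Net.Sockets.SocketException) { return null; }
    }

    // Hypothetical helper: computer accounts use sAMAccountName "NAME$".
    private static bool IsInAllowedGroup(string machine)
    {
        using (var domain = new PrincipalContext(ContextType.Domain))
        using (var computer = ComputerPrincipal.FindByIdentity(domain, IdentityType.SamAccountName, machine + "$"))
        using (var group = GroupPrincipal.FindByIdentity(domain, AllowedGroup))
            return computer != null && group != null && computer.IsMemberOf(group);
    }

    public void Dispose() { }
}
```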
