We are implementing SharePoint in an environment with multiple separate domain forests that will be used to authenticate users using claims based authentication. The various domains have a one-way trust to a single domain that will act as the "root" for all authentication requests. We have tested the trust and it does work, and our claims authentication configuration appears to be working as well, however when logging in to SharePoint using forms authentication we can only authenticate users that exist explicitly in that root domain. Any trusted domain users do not authenticate, nor do they enumerate when using the GetAllUsers() method of the Active Directory Membership Provider.
We've boiled the configuration down as much as possible to this:
Connection string:
<add name="ADConnString" connectionString="LDAP://therootdomain.org" />
Membership Provider:
<add name="ADProvider"
enableSearchMethods="true"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnString"
attributeMapUsername="UserPrincipalName"
connectionUsername="svcact"
connectionPassword="svcpwd" />
As it is configured now, we are able to authenticate forms based users using the [email protected] convention, but only if they exist in the root domain in the trust "tree". Any users from other domains fail authentication. I think it's worth mentioning that if we switch to NTLM all users from across all trusted domains are able to authenticate; so we definitely know that the trust is functioning.
I have of course scoured the internet and I keep finding conflicting information. In some places I read that the one-way trust should "just work" and that no special configuration is required, and my scenario should not have any problems. In other places I get the impression that the ActiveDirectoryMembershipProvider is not capable of traversing domain trusts and the only way to do it is to write a custom provider that walks through multiple individual providers - but I have a hard time accepting this as our scenario does not seem that outlandish; it must be supported... right?
So my basic question is can the Active Directory Membership Provider traverse domain trusts in order to authenticate users, and if so what else needs to be configured to make that happen?
Thanks in advance!
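The question mentions one workaround: a custom provider that walks several individual providers, one per forest. The following is an added example (not code from the original post, and not part of SharePoint or ASP.NET) of the routing half of that design: it takes a forms-auth user name in UPN form, picks the forest that owns the UPN suffix, and only then hands the credentials to that forest's validator. The suffix map, forest names and the in-memory directory are constructed sample data; in a real deployment the bind callback would be an ActiveDirectoryMembershipProvider or PrincipalContext pointed at that forest's LDAP path. The point it shows that the question's single-provider configuration cannot: a user whose suffix belongs to no configured forest is reported as "unknown_suffix", a distinct, loggable outcome, instead of being sent to the root domain and failing as if the password were wrong.

```python
"""Route forms-auth logons to the forest that owns the user's UPN suffix.

Added example modelling the "one provider per forest" workaround. All forest
names, LDAP paths and accounts below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed sample map: UPN suffix -> LDAP path of the forest that owns it.
# One entry per forest corresponds to one membership provider per forest.
SUFFIX_TO_LDAP: Dict[str, str] = {
    "therootdomain.org": "LDAP://therootdomain.org",
    "partner-a.example": "LDAP://partner-a.example",
    "partner-b.example": "LDAP://partner-b.example",
}

# Constructed in-memory "directories" standing in for the real forests
# (UPN -> password). Only used by fake_bind below.
FAKE_DIRECTORIES: Dict[str, Dict[str, str]] = {
    "LDAP://therootdomain.org": {"alice@therootdomain.org": "Root-Pass-1"},
    "LDAP://partner-a.example": {"bob@partner-a.example": "Partner-Pass-2"},
    "LDAP://partner-b.example": {},
}

# Strict UPN shape. Rejecting anything else up front keeps LDAP filter
# metacharacters (* ( ) \ NUL) out of the user name before any search is built.
UPN_RE = re.compile(
    r"^(?P<user>[A-Za-z0-9._-]{1,64})@(?P<suffix>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$"
)


@dataclass(frozen=True)
class AuthResult:
    ok: bool
    reason: str                      # "ok", "malformed", "unknown_suffix", "bad_credentials"
    ldap_path: Optional[str] = None  # forest that handled the request, if any


def parse_upn(username: str) -> Optional[Tuple[str, str]]:
    """Return (user, suffix), lower-cased as AD treats them, for a well-formed UPN."""
    m = UPN_RE.match(username or "")
    if not m:
        return None
    return m.group("user").lower(), m.group("suffix").lower()


def route(username: str, suffix_map: Dict[str, str]) -> Optional[str]:
    """Pick the forest LDAP path for this UPN, or None when no forest owns the suffix."""
    parsed = parse_upn(username)
    if parsed is None:
        return None
    return suffix_map.get(parsed[1])


def fake_bind(ldap_path: str, upn: str, password: str) -> bool:
    """Stand-in for a real bind against one forest (constructed data only)."""
    return FAKE_DIRECTORIES.get(ldap_path, {}).get(upn) == password


def validate_user(username: str, password: str,
                  suffix_map: Dict[str, str] = SUFFIX_TO_LDAP,
                  bind: Callable[[str, str, str], bool] = fake_bind) -> AuthResult:
    """ValidateUser-style entry point for a composite provider.

    A single provider pointed at the root domain would send every UPN there and
    report trusted-forest users as plain credential failures; here an unknown
    suffix is its own outcome so the misrouting is visible in logs.
    """
    parsed = parse_upn(username)
    if parsed is None:
        return AuthResult(False, "malformed")
    user, suffix = parsed
    ldap_path = suffix_map.get(suffix)
    if ldap_path is None:
        return AuthResult(False, "unknown_suffix")
    if not password or not bind(ldap_path, f"{user}@{suffix}", password):
        return AuthResult(False, "bad_credentials", ldap_path)
    return AuthResult(True, "ok", ldap_path)


if __name__ == "__main__":
    samples = [("alice@therootdomain.org", "Root-Pass-1"),
               ("Bob@PARTNER-A.EXAMPLE", "Partner-Pass-2"),
               ("carol@unknown.example", "x"),
               ("ROOT\\alice", "x")]
    for upn, pwd in samples:
        r = validate_user(upn, pwd)
        print(f"{upn:30} -> ok={r.ok} reason={r.reason} via={r.ldap_path}")
```

The router deliberately accepts only UPN-form names; a down-level name such as ROOT\alice is reported as malformed rather than guessed at, because the NetBIOS-to-forest mapping is a separate table that should be maintained explicitly. Each suffix maps to exactly one forest, so adding a trusted forest is a one-line change to the map plus its own provider, and the trust direction question raised in the post is pushed down to that forest's bind, where it can be diagnosed per forest.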