How do I get information about a user's network when they try to authenticate against my IIS?
I want users, when they are in the workplace (e.g. on the LAN), to authenticate themselves with their regular username and password. Auto-login is disabled.
However - logging in from outside the LAN should trigger a 2-level authentication (like SMS, mail or similar). How can we get information about the users' network when they try to log in to the application from outside the LAN?
NB - it does not matter if you have AD user and pwd. If you are on the outside you have to trigger the 2 level auth.
NB2 - we do not want any client-side scripts running, so this must be something coming with the initial request
Technology: IIS 7, ISA 2006, .Net 4, MS Sql 2008 server.
Question also asked here: https://serverfault.com/questions/354183/what-2-level-authentication-mechanism-is-available-that-can-differentiate-if-the
Information on why ISA Server removes the information I need: http://www.redline-software.com/eng/support/articles/isaserver/security/x-forwarded-isa-track.php
Comments (1)
If it's reasonable, don't expose your web server to anything outside of your LAN -- require VPN access.
If that isn't reasonable, you should be able to use the REMOTE_ADDR variable to determine the source of the request. Whitelist your LAN as single-factor and require everything else to be multi-factor. Depending on the scenario, the server variables will be similar to either or
If you have a proxy in the way, make the proxy tag the originating IP source in the headers and read the request headers to determine the external IP.
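One way to implement the check described in the answer above, as an added example that is not part of the original post. The proxy address, LAN range and the `X-Forwarded-For` header name are assumptions; the forwarded header is honoured only when REMOTE_ADDR is the known proxy, and every unparseable or missing value falls back to requiring the second factor.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Sockets;

// Added example. Proxy address, LAN range and header name are assumed values.
public static class NetworkOrigin
{
    // Constructed values: replace with the real ISA internal address and LAN range.
    static readonly IPAddress[] TrustedProxies = { IPAddress.Parse("10.0.0.5") };
    static readonly IPAddress LanNetwork = IPAddress.Parse("10.0.0.0");
    const int LanPrefixBits = 8;

    // remoteAddr:   Request.ServerVariables["REMOTE_ADDR"]
    // forwardedFor: Request.Headers["X-Forwarded-For"] (may be null)
    public static bool RequiresSecondFactor(string remoteAddr, string forwardedFor)
    {
        IPAddress peer;
        if (!IPAddress.TryParse(remoteAddr, out peer)) return true; // fail closed

        IPAddress client = peer;
        // A forwarded header is only believable when the TCP peer is our own
        // proxy; any other sender can put whatever it likes in that header.
        if (TrustedProxies.Contains(peer))
        {
            if (string.IsNullOrEmpty(forwardedFor)) return true; // origin unknown
            // Use the right-most entry: the one appended by the trusted proxy.
            string last = forwardedFor.Split(',').Last().Trim();
            if (!IPAddress.TryParse(last, out client)) return true;
        }
        return !InLan(client);
    }

    // IPv4 prefix match against the LAN range; anything else counts as outside.
    static bool InLan(IPAddress addr)
    {
        if (addr.AddressFamily != AddressFamily.InterNetwork) return false;
        byte[] a = addr.GetAddressBytes(), n = LanNetwork.GetAddressBytes();
        for (int bit = 0; bit < LanPrefixBits; bit++)
        {
            int mask = 0x80 >> (bit % 8);
            if ((a[bit / 8] & mask) != (n[bit / 8] & mask)) return false;
        }
        return true;
    }
}
```

With these constructed values, a direct request from 10.1.2.3 stays single-factor, while a request arriving via 10.0.0.5 with a forwarded address of 203.0.113.7, or with no forwarded header at all, requires the second factor.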