正确实施“窗口"；Web API中的身份验证? [英] proper implementation of "windows" authentication in web api?

问题描述

我创建了一个Web Api 2应用程序，该应用程序仅在公司网络上使用.我已经阅读了有关Web API中Windows身份验证的信息，因此这似乎是有可能的.但是我需要找出正确的实现方法.我在Web.config中包含了以下xml:

I've created a Web Api 2 app which will only be used on the corporate network. I've read about Windows authentication in Web API so it seems to be possible. But I need to figure out the proper implementation for this. I've included the following xml in my Web.config:

<system.web>
  <authentication mode="Windows" />   
</system.web>

我似乎还记得旧式Webforms应用程序中的某种类型的事件挂钩.像BeginRequest()这样的东西，可以在呈现页面之前进行安全检查.我在我的一个控制器方法中将以下代码行作为第一行，但返回的值似乎只是一个空对象，没有任何有意义的信息:

I seem to remember some type of event hook in old school webforms app. Something like BeginRequest() where a security check could be made before rendering a page. I included the following line of code as the first line in one of my controller methods but the returned value appears to just be an empty object without any meaningful info:

var identity = HttpContext.Current.User.Identity as WindowsIdentity;

Web API 2是否支持Windows身份验证?我错过了一步吗?如果我提交了Postman的一般测试要求，Windows身份验证应该可以工作吗?我也尝试了这段代码，但是得到了一个类似的空对象:

Does Web API 2 support Windows authentication? Am I missing a step? Should Windows authentication work if I submit a general request from Postman for testing? I also tried this code but got a similar empty object:

var x = RequestContext.Principal;

我隐约想起IIS设置，例如启用集成安全性".您能否指定确切的设置?如果我在IIS Express上运行应用程序，我能否完成此任务?

I vaguely recall an IIS setting like "Enable Integrated Security." Can you please specify the exact setting? And would I be able to accomplish this if I'm running the app on IIS Express?

更新

我遵循了以下答案之一中提到的IIS Express的步骤，但是我在原始帖子中提供的代码示例仍然没有得到填充的用户对象.我还更新了applicationhost.config文件以关闭匿名身份验证:

I followed the steps for IIS Express mentioned in one of the answers below but the code samples that I provided in my original post still didn't get a populated user object. I also updated applicationhost.config file to turn off anonymous authentication:

<anonymousAuthentication enabled="false" userName="" />

更新后，我通过邮递员重新提交了测试请求，但出现以下错误:

After I made that updated I resubmitted my test request via Postman but I get the following error:

    <h3>HTTP Error 401.2 - Unauthorized</h3>
    <h4>You are not authorized to view this page due to invalid authentication headers.</h4>
</div>
<div class="content-container">
    <fieldset>
        <h4>Most likely causes:</h4>
        <ul>
            <li>No authentication protocol (including anonymous) is selected in IIS.</li>
            <li>Only integrated authentication is enabled, and a client browser was used that does not support integrated authentication.</li>
            <li>Integrated authentication is enabled and the request was sent through a proxy that changed the authentication headers before they reach the Web server.</li>
            <li>The Web server is not configured for anonymous access and a required authorization header was not received.</li>
            <li>The "configuration/system.webServer/authorization" configuration section may be explicitly denying the user access.</li>
        </ul>
    </fieldset>
</div>
<div class="content-container">
    <fieldset>
        <h4>Things you can try:</h4>
        <ul>
            <li>Verify the authentication setting for the resource and then try requesting the resource using that authentication method.</li>
            <li>Verify that the client browser supports Integrated authentication.</li>
            <li>Verify that the request is not going through a proxy when Integrated authentication is used.</li>
            <li>Verify that the user is not explicitly denied access in the "configuration/system.webServer/authorization" configuration section.</li>
            <li>Check the failed request tracing logs for additional information about this error. For more information, click 
                <a href="http://go.microsoft.com/fwlink/?LinkID=66439">here</a>.
            </li>
        </ul>
    </fieldset>
</div>

我是否需要使用某种类型的特殊标头配置邮递员请求才能使其正常工作?

Do I need to configure my Postman request with some type of special header in order for this to work?

推荐答案

如果使用的是 IIS Express ，则需要更新 applicationhost.config 文件.

If you are using IIS Express, you need to update applicationhost.config file.

这是IIS配置工具的文件版本，您可以在其中配置Web服务器本身.您可以在以下目录中找到该文件:

This is the file version of the IIS configuration tool where you can configure the web server itself. you can find this file in the following directory:

%userprofile%\documents\iisexpress\config\applicationhost.config

或

%userprofile%\my documents\iisexpress\config\applicationhost.config

找到它时，将其更新为:

When you find it, update it as:

<windowsAuthentication enabled="true">
    <providers>
        <add value="Negotiate" />
        <add value="NTLM" />
    </providers>
</windowsAuthentication>

对于IIS:

1. 选择您的应用程序
2. 双击-'身份验证'
3. 启用Windows身份验证
4. 重新启动IIS服务器

检查此内容以获取更多

Check this for more details

这篇关于正确实施“窗口"；Web API中的身份验证?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！