OWIN:IIS抛出拒绝访问认证的用户在访问子应用程序 [英] OWIN: IIS throws Access denied for authenticated user while accessing child application
问题描述
背景结果
我有使用OWIN +天青AD进行身份验证Web窗体应用程序。该应用程序是在IIS 10.0.10586.0主办。该应用程序是在根目录(默认Web站点)作为www.mydomain.com主办。我也有包含一些静态页面和一些净code子.NET应用程序(而不是虚拟目录)。因此,经过身份验证的用户可以访问的静态页面作为www.mydomain.com/pages/page1.html
Background
I have web forms application that use OWIN + Azure AD for authentication. The application is hosted in IIS 10.0.10586.0. The application is hosted at root ( Default Web Site) as www.mydomain.com . I also have child .net application (not virtual directory) which contains some static pages and some .Net code. So authenticated user can access static pages as www.mydomain.com/pages/page1.html
我的步骤如下:结果
1>创建Web表单应用程序,并通过植入天青OWIN AD身份验证所提到的 这里 或的此处 结果
2> IIS下10以root身份申请(默认网站)托管应用 -
3>一切工作正常在这一点上,用户被重定向到微软的登录页面,获取认证那里,然后在验证成功后重定向回mydomain.com结果
4>我看到System.Web.HttpContext.Current.Request.IsAuthenticated是真结果
5>我有,我想只有经过验证的用户访问一些静态页面。因此,我创建默认网站下一个新的应用程序,并设置相应的物理路径。结果
6>我还添加了授权和放大器;在web.config中runAllManagedModulesForAllRequests(见下文)结果
7>当认证的用户www.mydomain.com/pages/page1.html他得到拒绝访问错误访问网页
Steps I followed:
1> Create web form application and implanted Azure AD authentication using OWIN as mentioned here or here
2> Hosted application under IIS 10 as root application ( Default Web Site)
3> Everything works fine at this point, User gets redirected to Microsoft’s login page, get authenticated there and then upon successful authentication get redirected back to mydomain.com
4> I see System.Web.HttpContext.Current.Request.IsAuthenticated is "true"
5> I have some static pages that I want only Authenticated user to have access. So I created a new application under default web site, and set physical path accordingly.
6> I also added authorization & runAllManagedModulesForAllRequests in web.config (see below)
7> When authenticated user tries to access pages www.mydomain.com/pages/page1.html he gets access denied error
(注意如果我创造它的工作原理儿童虚拟目录。但我想有应用程序,而不是虚拟目录)
(NOTE if i create child virtual directory it works. but i would like to have application instead of virtual directory)
拒绝访问结果
错误信息:401.2未经授权:登录失败,由于
服务器配置。请确认您有权限查看此
根据您提供的凭据和目录或页面
在Web服务器上启用身份验证方法。联系Web
服务器管理员获得更多帮助。
Access Denied
Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.
下面是IIS和放大器的快照;应用程序池(我自己也尝试设置标识为本地)页面是认证的子应用程序的用户无法访问。
![在这里输入的形象描述](\"http://i.stack.imgur.com/sStVf.png\")
OWIN启动类
[assembly: OwinStartup(typeof(AzureWithSL.Web.Startup))]
namespace AzureWithSL.Web
{
public partial class Startup
{
private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
private static string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
public void Configuration(IAppBuilder app)
{
ConfigureAuth(app);
}
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
PostLogoutRedirectUri = postLogoutRedirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = context =>
{
context.HandleResponse();
context.Response.Redirect("/Error?message=" + context.Exception.Message);
return Task.FromResult(0);
}
}
});
}
}
}
应用程序启动页
public class Default : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
SignIn();
}
public void SignIn()
{
// Send an OpenID Connect sign-in request.
if (!System.Web.HttpContext.Current.Request.IsAuthenticated)
{
HttpContext.Current.GetOwinContext().Authentication.Challenge(new AuthenticationProperties { RedirectUri = "/" }, OpenIdConnectAuthenticationDefaults.AuthenticationType);
}
}
}
的Web.Config
<configuration>
<appSettings>
<add key="webpages:Version" value="3.0.0.0" />
<add key="webpages:Enabled" value="false" />
<add key="ClientValidationEnabled" value="true" />
<add key="UnobtrusiveJavaScriptEnabled" value="true" />
<add key="owin:AutomaticAppStartup" value="true" />
<add key="ida:ClientId" value="someid" />
<add key="ida:Tenant" value="mytenant.onmicrosoft.com" />
<add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}" />
<add key="ida:PostLogoutRedirectUri" value="http://localhost/Default.aspx" />
</appSettings>
<system.web>
<compilation debug="true" targetFramework="4.5.1" />
<httpRuntime targetFramework="4.5.1" />
<authorization>
<deny users="?" />
</authorization>
</system.web>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
EDIT1 结果
所以,不管,如果我有code或内部的子应用程序静态页面,通过验证的用户不能访问子应用程序。
我认为这是OWIN或IIS,错误可以有人请证实?
EDIT1
So regardless of if i have code or static pages inside child application, the authenticated user cannot access child application.
I think this is a bug in OWIN or IIS, can someone please confirm this?
EDIT2 结果
所以挖几个小时后,我有些接近的解决方案。
EDIT2
So after digging for several hours i am somewhat closer to solution.
1>我用的是匿名发表连接Azure的AD为单点登录认证。认证机制创建的cookie。为了验证cookie跨应用程序边界(尽管第二个应用是在IIS子应用程序),我们仍然需要使用同一台机器密钥来解密该cookie。在我的情况我的第二个应用是设置为子女申请(见上面的截图IIS),所以我只需要添加机钥匙插入应用程序根。 (在旧FormsAuthentication我们必须做同样的事情)
1> I am using Azure AD with OpenID Connect for Single Sign On authentication. The authentication mechanism creates cookie. In order for authentication cookie to cross application boundary ( even though 2nd application is child application in IIS) we still need to use same machine key to decrypt the cookie. In my case my second application is setup as child application (see IIS screenshot above) so i just need to add machine key into root application. (In old FormsAuthentication we had to do the same thing )
2>最重要的是孩子应用程序需要.NET 4.5或后者与配置OWIN和身份架构。它不能只是一些静态文件的文件夹。它需要适当的.NET Web应用程序的的(我不喜欢这个,因为我已经是WCF服务的使用.NET 4开发的,现在我要所有这些应用程序转换成4.5和配置OWIN几个子应用程序&安培;认同框架和测试真的?)的结果
随着老FormsAuthentication我们没有做到这一点。授权元素能够保护孩子的应用,并允许访问时,用户通过身份验证,不管孩子应用程序包含.NET应用程序,WCF服务,静态HTML文件或图像。
2> Most important thing is the child application needs to be .Net 4.5 or latter with OWIN and identity framework configured. It cannot be just folder with some static files. It needs to be proper .Net web application (and i hated this because i have several child applications that are WCF services developed using .Net 4. So now i have to convert all these applications into 4.5 and configure OWIN & Identity framework and test. Really???)
With old FormsAuthentication we dont have to do this. The Authorization element was able to protect child applications and allow access when user was authenticated, regardless if child application contains .net app, wcf service, static html files or images.
推荐答案
所以上面EDIT2是我的答案结果
你必须有计算机密钥的主要应用的web.config文件。 (所有子应用程序将继承它)
So EDIT2 above is my answer
You have to have Machine Key in web.config of main application. ( All child applications will inherit it)
和所有子应用程序必须配置为OWIN(同主要的应用程序。他们必须匹配的clientid,承租人等)
And all child applications must be configured for OWIN (same as Main application. they must match clientid, tenant etc)
这篇关于OWIN:IIS抛出拒绝访问认证的用户在访问子应用程序的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
