IIS 混合匿名和 Windows 身份验证 [英] IIS Mixed Anonymous and Windows Authentication
问题描述
我需要创建一个 ASP .NET 网页(托管在带有 IIS 7.5 的 Windows Server 2008R2 上),域用户和匿名用户应该可以看到它,而不会提示对他们两个的凭据请求.域用户应该被授权查看整个页面,而匿名用户可以查看页面的公共部分.
I need to create an ASP .NET web page (hosted on Windows Server 2008R2 with IIS 7.5) which should be visible by domain users and anonymous users without prompting credential requests for both of them. Domain Users should be authorized to see the entire page, while anonymous users can see the public part of the page.
- 当我启用 Windows 身份验证时: 域用户可以看到整个页面,但会提示匿名用户输入凭据.
- 当我启用匿名身份验证或两者(匿名和窗口)时:匿名用户可以看到页面的公共部分,但域用户看不到整个页面(他们就像匿名用户).
- When I enable Windows authentication: domain users can see the entire page, but anonymous users are prompted for credentials.
- When I enable anonymous authentication or both (anonymous and windows): anonymous users can see public part of the page, but domain users do not see the entire page (they are like anonymous users).
我使用以下字符串来区分匿名用户和域用户:
I use the following string to discriminate anonymous users and domain users:
WindowsAccountName = HttpContext.Current.Request.LogonUserIdentity.Name;
如果 WindowsAccountName 为空,则用户为匿名用户,否则为域用户.不幸的是,启用匿名身份验证时,WindowsAccountName 始终为空(即使对于域用户也是如此),但是当禁用匿名身份验证时,会提示非域用户输入凭据.
If WindowsAccountName is empty user is anonymous, otherwise is a domain user. Unfortunately, when anonymous authentication is enabled WindowsAccountName is always empty (even for domain users), but when anonymous authentication is disabled non-domain users are prompted for credentials.
您有解决这些问题的方法吗?请记住,域用户分布在不同的网络中,因此 IP 地址不是区分域用户和非域用户的好选择.
Do you have any solution for these problem? Keep in mind that domain users are spread among different networks so IP address is not a good choice to discriminate domain users and non-domain users.
对我来说它看起来像一个 catch-22
it looks like a catch-22 for me
谢谢.
推荐答案
这个术语是混合模式身份验证.我已经多次这样做了.
The term for this is Mixed-Mode Authentication. I have done this multiple times.
这可以通过使用经过 Windows 身份验证的站点来完成,该站点不再从 AD 中提取用户凭据并将其传递给匿名站点.我已经使用在 5 秒后过期的自定义票证(数据库中的 GUID)完成了这项工作.匿名站点获取传递的 GUID,查询 DB 并获取用户 ID.我使用包含用户 ID 和时间戳的加密 URL 参数完成此操作的其他方法.
This can be accomplished by using a windows authenticated site that does no more that pull the users credentials from AD and pass those to the anonymous site. I have done this using a custom ticket (GUID in a database) that expires in 5 seconds. The anonymous site takes the GUID passed, queries the DB and obtains the user id. Other ways I have done this with an encrypted URL parameter that contains the user id and time-stamp.
内部网站
创建重定向 URL 站点:将此站点设置为 Window Auth,以便您可以从 Active Directory 中提取用户 ID.为您的用户提供此 URL 和/或使其成为他们在您的 Intranet 上单击的链接.然后该站点调用您的匿名站点并传递用户凭据(登录 ID).
Create a Redirect URL Site: Setup this site as Window Auth so you can pull the User ID from Active Directory. Give your users this URL and/or make it the link they click on your Intranet. Then this site calls your anonymous site and passes the user credentials (login id).
一个.这可以通过 URL 上的加密字符串或 cookie 中的加密值来完成.您也可以使用到期日期/时间值进行加密.
a. This can be done either via an encrypted string on the URL or encrypted value in a cookie. You can encrypt with an expiration date/time value too.
B.(从 Forms Auth 说起)使用该用户 ID 创建一个 Forms 身份验证票证.运行您拥有的任何其他登录逻辑.完成.
b. (Speaking from Forms Auth) Create a Forms Authentication Ticket with that user ID. Run any other login logic you have. Done.
外部网站 - 无需更改.让用户按原样登录.
External Site - No Changes required. Let the users login as-is.
这篇关于IIS 混合匿名和 Windows 身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
