NTLM authentication on specific route in ASP.NET Core


Question

Trying to implement subject in a test environment.

.UseWebListener(options=>
{
    options.ListenerSettings.Authentication.Schemes = AuthenticationSchemes.NTLM |
                                                      AuthenticationSchemes.Negotiate;
    options.ListenerSettings.Authentication.AllowAnonymous = true;
})

and

app.UseWhen(context => context.Request.Path.StartsWithSegments("/ntlm"),
            builder => builder.UseCookieAuthentication(new CookieAuthenticationOptions()
            {
                AutomaticAuthenticate = true,
                AutomaticChallenge = true,
                LoginPath = "/Main/Login",
                LogoutPath = "/Main/Logout",
                AuthenticationScheme = "NTLM", AccessDeniedPath = "/Main/Deny"
            }
            ));

app.UseWhen(context => !context.Request.Path.StartsWithSegments("/ntlm"),
            builder => builder.UseCookieAuthentication(new CookieAuthenticationOptions()
            {
                AutomaticAuthenticate = false,
                AutomaticChallenge = false,
                LoginPath = "/Main/Login",
                LogoutPath = "/Main/Logout",
                AuthenticationScheme = "Cookies"
            }
            ));

But it seems there's no difference, whether request path starts with "/ntlm" or not.

I tried running two WebListeners, but I think there's much more overhead.

What I want to achieve: User gets on start page with login form and there's a "Windows auth" button on it. He can enter credentials or press the button and go in with his OS identity.

Recommended answer

I'm doing something very similar using IIS, not WebListener, but maybe I can tell you a few things that can help.

You have configured WebListener as I did for my IIS to allow anonymous access but also to be able to negotiate authentication, that part should be fine.

But on the "/ntlm" URL path, you have installed a CookieAuthentication middleware that will try to find a cookie in the incoming request to authenticate the user, and I don't think that's what you want. On the contrary, on the "/ntlm" path, you want to reuse the identity that would be coming from NTLM or Kerberos packet detected by WebListener. In my case, when properly set up, it's an IIS Middleware that is in charge of setting the identity. I would suggest:

  • remove this UseCookieAuthentication when on "ntlm" path
  • create a controller and an action with an "[Authorize]" attribute to trigger the authentication
  • display the HttpContext.User.Identity.Name;
  • hopefully you'll get the Windows user properly authenticated here
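
The steps suggested in the answer, as an added example that is not part of the original question or answer. It assumes ASP.NET Core 1.x MVC with WebListener configured as in the question; the `WindowsLoginController` name and the `whoami` route are hypothetical.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Cookie middleware stays on the form-login part of the site only.
        // No cookie middleware is registered for "/ntlm", so the identity there
        // is whatever the server's NTLM/Negotiate handshake produced.
        app.UseWhen(context => !context.Request.Path.StartsWithSegments("/ntlm"),
            builder => builder.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AutomaticAuthenticate = false,
                AutomaticChallenge = false,
                LoginPath = "/Main/Login",
                LogoutPath = "/Main/Logout",
                AuthenticationScheme = "Cookies"
            }));

        app.UseMvc();
    }
}

[Route("ntlm")]
public class WindowsLoginController : Controller
{
    // [Authorize] rejects the anonymous request, which is what triggers the
    // authentication challenge. Because the listener has AllowAnonymous = true,
    // actions without this attribute remain reachable with no Windows identity.
    [Authorize]
    [HttpGet("whoami")]
    public IActionResult WhoAmI()
    {
        var identity = HttpContext.User.Identity;
        // Show which account was authenticated and by which mechanism.
        return Content($"{identity.Name} ({identity.AuthenticationType})");
    }
}
```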
