匿名之前的IIS Windows身份验证 [英] IIS Windows Authentication before Anonymous

问题描述

我有一个网站，我希望同时允许使用Forms和Windows Auth.我的问题是，当您将IIS设置为同时允许匿名(表单身份验证为必需)和Windows身份验证时，浏览器将不会发送用户的网络凭据.

I have a website that I would like to allow both Forms and Windows Auth for. My problem is that it seems that when you setup IIS to allow both anonymous (Required for forms auth) and Windows auth that the browser won't send the user's network credentials.

它仅使用匿名登录.在IE8或IIS中，是否可以尝试Windows Auth 1st，然后退回至匿名状态?

It just uses the anonymous login. Is there any way either in IE8 or IIS to have it try Windows Auth 1st and then fall back to Anonymous?

感谢您的帮助.

推荐答案

如果不存在HTTP身份验证对话框(无论是基本身份验证还是Windows集成身份验证)，您将无法请求HTTP身份验证凭据.

You can't ask for HTTP authentication (whether that's Basic Authentication or Integrated Windows Authentication) without causing the authentication dialogue box to pop in the case where there are no credentials yet.

因此，通常，对于混合HTTP-auth + cookie-auth方法，您可以对大部分站点启用匿名访问和经过身份验证的访问，但是仅允许对一个特定脚本进行经过身份验证的访问.

So in general for hybrid HTTP-auth+cookie-auth approaches you enable both anonymous and authenticated access for the bulk of the site, but allow only authenticated access to one particular script.

当用户访问没有任何一种身份验证的页面时，您将吐出一个页面，其中包含基于cookie的身份验证的登录表单，以及指向仅允许经过身份验证的访问的一个URL的链接.用户可以填写cookie& forms身份验证的表单，或点击链接以使用HTTP身份验证登录.

When the user accesses a page without either kind of auth, you spit out a page with a login form for the cookie-based auth, and also a link to the one URL that allows only authenticated access. The user can fill out the form for cookies&forms auth, or hit the link to log in with HTTP auth instead.

如果用户点击该链接，将给他们一个401响应，并且必须通过auth对话框或可能使用集成的Windows身份验证自动提供HTTP身份验证.一旦发生这种情况，浏览器将开始向以后的每个页面提交相同的凭据，因此IIS将对凭据进行解码，以便在运行主站点脚本时为您提供预期的REMOTE_USER.

If the user follows that link, they will be given a 401 response and must provide HTTP authentication, either through the auth dialog, or potentially automatically using integrated Windows authentication. Once this has happened once, the browser will start submitting the same credentials to every future page, so IIS will decode the credentials to give you the expected REMOTE_USER when your main site scripts are run.

浏览器仅将凭据提交到与401脚本相同的目录或该脚本的子目录中的页面.因此，最好将HTTP身份验证所需的脚本放在根目录中，例如/login.aspx.

Browsers will only submit the credentials to pages in the same directory as the 401 script, or subdirectories of this. For this reason it is best to put the HTTP-auth-required script in the root, for example as /login.aspx.

但是，有一些浏览器不会自动提交其他页面的凭据，并且要求每个HTTP请求首先响应401，然后再使用凭据再次发送请求.这使得不可能进行可选身份验证和混合身份验证方案(以及使受保护站点的浏览更加缓慢！).唯一的现代浏览器是Safari.您可能并不在意，因为Safari对集成Windows身份验证的支持一直以来都是不稳定的，并且仍然可以使用forms + cookies身份验证类型.

However, there are a few browsers that won't automatically submit credentials for further pages, and require every HTTP request to respond 401 first, before sending the request again with credentials. This makes optional-auth and hybrid-auth schemes impossible (as well as making browsing of protected sites much slower!). The only modern browser that does this is Safari. You may not care, as Safari's support for Integrated Windows Authentication has traditionally been shaky anyway, and it can still use the forms+cookies auth type.

这篇关于匿名之前的IIS Windows身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！