Asp.Net Core Windows身份验证在IIS中不起作用 [英] Asp.Net Core Windows Authentication Not Working in IIS

问题描述

启用Windows身份验证并在IIS Express或IIS中运行时，Asp.Net Core似乎无法从呼叫context?.User?.Identity?.Name识别用户.

Asp.Net Core doesn't seem to recognize the user from the call context?.User?.Identity?.Name when windows authentication is enabled and running in IIS Express or IIS.

所需行为:在IIS和/或IIS Express中同时启用Windows身份验证和匿名身份验证，Asp.Net Core应该会自动识别Windows用户.

Desired behavior: Enabling both Windows authentication and anonymous authentication in IIS and/or IIS Express, Asp.Net Core should automatically recognize the windows user.

实际行为:当我在IIS或IIS Express中同时启用Windows和匿名身份验证时，用户名为null.当我禁用匿名身份验证或致电HttpContext.ChallengeAsync(IISDefaults.AuthenticationScheme)时，会收到我不想要的登录提示.

Actual behavior: When I enable both windows and anonymous authentication in IIS or IIS Express, the user name is null. When I disable anonymous authentication or call HttpContext.ChallengeAsync(IISDefaults.AuthenticationScheme), I get a login prompt, which I don't want.

我的理解是，即使我想将其用于Active Directory，也不需要Active Directory或域来对Windows用户进行身份验证.

My understanding is that, even though I want to use this for Active Directory, I don't need active directory or a domain to authenticate a windows user.

环境:

• Windows 8.1(不在域上)
• IIS 8.5/带有IIS Express的Visual Studio 2017
• 已安装Windows身份验证安全功能
• Windows身份验证& (与NTLM提供程序一起使用)&启用了匿名身份验证
• 以本地帐户用户身份登录

依赖项:

• Microsoft.AspNetCore.All 2.0.8

启动:

public void ConfigureServices(IServiceCollection services)
{
    services.Configure<IISOptions>(iis =>
    {
        iis.AuthenticationDisplayName = "Windows";
        iis.AutomaticAuthentication = true;
    });

    services.AddAuthentication(IISDefaults.AuthenticationScheme);
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }

    app.UseAuthentication();
    app.Run(async (context) =>
    {
        await context.Response.WriteAsync(JsonConvert.SerializeObject(new
        {                
            UserName = context?.User?.Identity?.Name
        }));
    });       

launchSettings.json:

launchSettings.json:

{
  "iisSettings": {
    "windowsAuthentication": true,
    "anonymousAuthentication": true,
    "iisExpress": {
      "applicationUrl": "http://localhost:51682/",
      "sslPort": 0      
    }
  },
  "profiles": {
    "IIS Express": {
      "commandName": "IISExpress",
      "launchBrowser": true,
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      }
    }
  }
}

web.config:

web.config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <remove name="aspNetCore" />
      <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
    </handlers>
    <aspNetCore forwardWindowsAuthToken="true" processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="true" stdoutLogFile=".\logs\stdout" />
  </system.webServer>
</configuration>

applicationhost.config:(IIS Express)

applicationhost.config: (IIS Express)

基于本文: https://docs.microsoft.com/zh-cn/iis/configuration/system.webServer/security/authentication/windowsAuthentication/

<authentication>
  <anonymousAuthentication enabled="true" userName="" />
  <basicAuthentication enabled="false" />
  <clientCertificateMappingAuthentication enabled="false" />
  <digestAuthentication enabled="false" />
  <iisClientCertificateMappingAuthentication enabled="false"></iisClientCertificateMappingAuthentication>
  <windowsAuthentication enabled="true">
    <providers>
      <add value="NTLM" />
    </providers>
  </windowsAuthentication>
</authentication>

推荐答案

几件事:

1. 禁用匿名身份验证时，会弹出一个对话框，因为浏览器可能不信任该站点.您需要打开Internet选项(从Windows控制面板)->安全"选项卡->单击受信任的站点"->单击站点"，然后将URL添加到您的站点中. IE和Chrome都使用这些设置来决定是否自动发送您的凭据.

1. When you disable anonymous authentication, you get a popup because the browser likely doesn't trust the site. You need to open Internet Options (from the Windows Control Panel) -> Security tab -> Click 'Trusted Sites' -> Click 'Sites' and add the URL to your site there. Both IE and Chrome use those settings for deciding whether to automatically send your credentials.

当您同时启用了 和Windows身份验证时，除非您告诉用户必须登录，否则匿名将具有优先权.为此，请使用[Authorize]可以是控制器上的属性，也可以是单个动作上的属性.

When you have both anonymous and Windows authentication enabled, anonymous takes precedence except in place where you tell it that the user must be logged in. To do that, use the [Authorize] attribute either on a controller, or just on individual actions.

此处允许匿名访问"下的更多详细信息: https://docs.microsoft.com/zh-cn/aspnet/core/security/authentication/windowsauth?view=aspnetcore-2.0& tabs = aspnetcore2x#allow-anonymous-access

More details here, under the heading "Allow Anonymous Access": https://docs.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-2.0&tabs=aspnetcore2x#allow-anonymous-access

这篇关于Asp.Net Core Windows身份验证在IIS中不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！