IIS混合匿名和Windows身份验证 [英] IIS Mixed Anonymous and Windows Authentication

问题描述

我需要创建一个ASP .NET网页(托管在带有IIS 7.5的Windows Server 2008R2上)，域用户和匿名用户应该可见该网页，而无需提示他们两者的凭据请求.应该授权域用户查看整个页面，而匿名用户可以查看页面的公共部分.

I need to create an ASP .NET web page (hosted on Windows Server 2008R2 with IIS 7.5) which should be visible by domain users and anonymous users without prompting credential requests for both of them. Domain Users should be authorized to see the entire page, while anonymous users can see the public part of the page.

• 启用Windows身份验证时::域用户可以看到整个页面，但是会提示匿名用户输入凭据.
• 当我启用匿名身份验证或同时启用匿名身份验证和Windows身份验证时::匿名用户可以看到页面的公共部分，但域用户看不到整个页面(它们就像匿名用户一样).

• When I enable Windows authentication: domain users can see the entire page, but anonymous users are prompted for credentials.
• When I enable anonymous authentication or both (anonymous and windows): anonymous users can see public part of the page, but domain users do not see the entire page (they are like anonymous users).

我使用以下字符串来区分匿名用户和域用户:

I use the following string to discriminate anonymous users and domain users:

WindowsAccountName = HttpContext.Current.Request.LogonUserIdentity.Name;

如果WindowsAccountName为空，则用户为匿名用户，否则为域用户.不幸的是，启用匿名身份验证后，WindowsAccountName始终为空(即使对于域用户)，但是禁用匿名身份验证时，会提示非域用户输入凭据.

If WindowsAccountName is empty user is anonymous, otherwise is a domain user. Unfortunately, when anonymous authentication is enabled WindowsAccountName is always empty (even for domain users), but when anonymous authentication is disabled non-domain users are prompted for credentials.

您对这些问题有解决方案吗?请记住，域用户分布在不同的网络中，因此IP地址不是区分域用户和非域用户的好选择.

Do you have any solution for these problem? Keep in mind that domain users are spread among different networks so IP address is not a good choice to discriminate domain users and non-domain users.

对我来说，这似乎是22点

it looks like a catch-22 for me

谢谢.

推荐答案

此术语为混合模式身份验证.我已经做过多次了.

The term for this is Mixed-Mode Authentication. I have done this multiple times.

这可以通过使用Windows身份验证站点来完成，该站点无需执行更多操作即可从AD中提取用户凭据并将其传递给匿名站点.我已经使用了自定义票证(数据库中的GUID)完成了此任务，该票证将在5秒钟后过期.匿名站点采用传递的GUID，查询数据库并获取用户ID.我通过其他方式使用包含用户ID和时间戳的加密URL参数来完成此操作.

This can be accomplished by using a windows authenticated site that does no more that pull the users credentials from AD and pass those to the anonymous site. I have done this using a custom ticket (GUID in a database) that expires in 5 seconds. The anonymous site takes the GUID passed, queries the DB and obtains the user id. Other ways I have done this with an encrypted URL parameter that contains the user id and time-stamp.

内部网站

创建重定向URL站点:将此站点设置为Window Auth，以便您可以从Active Directory中提取用户ID.给您的用户这个URL和/或使其成为他们单击您的Intranet的链接.然后，该站点将呼叫您的匿名站点并传递用户凭据(登录ID).

Create a Redirect URL Site: Setup this site as Window Auth so you can pull the User ID from Active Directory. Give your users this URL and/or make it the link they click on your Intranet. Then this site calls your anonymous site and passes the user credentials (login id).

a.可以通过URL上的加密字符串或cookie中的加密值来完成.您也可以使用到期日期/时间值进行加密.

a. This can be done either via an encrypted string on the URL or encrypted value in a cookie. You can encrypt with an expiration date/time value too.

b. (从Forms Auth说起)使用该用户ID创建Forms身份验证票证.运行您拥有的任何其他登录逻辑.完成.

b. (Speaking from Forms Auth) Create a Forms Authentication Ticket with that user ID. Run any other login logic you have. Done.

外部站点-无需更改.让用户按原样登录.

External Site - No Changes required. Let the users login as-is.

这篇关于IIS混合匿名和Windows身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！