未出现针对 ASP.NET Core 5 Docker API 的 VueJS Windows 身份验证 [英] VueJS Windows Authentication against ASP.NET Core 5 Docker API not appearing
问题描述
设置:我们已经在我们的 Windows VM(本地)上设置为我们的 ASP.NET Core 5 API 运行 docker(Windows 容器)+ gMSA/服务帐户 - 在 Kestrel 上使用 .AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate 在内部运行();(不是 IIS).它可以像配置的服务帐户一样进行身份验证,例如针对 MSSQL 或文件服务器.如果我使用我的 Windows 凭据打开任何受保护的端点或询问我(如果不是在加入域的计算机上).用户测试端点返回 Windows 用户声明.
Setup:
We have setup on our windows VM (on-premises) to run docker (windows container) + gMSA / service account for our ASP.NET Core 5 API - internally running on Kestrel with .AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate(); (NOT IIS). It authenticates well as the configured service account e.g. against MSSQL or the File Server.
If I open up any protected endpoint its using my windows credentials or is asking me (if not on a domain joined computer). The user test endpoint return the windows users claims.
这只是运行良好的 API!
This just the API which works fine!
问题:问题"也就是说,我们的 VueJS 应用程序在 linux 主机上的 docker 容器(linux 容器)中运行 - 内部通过 nginx 托管.同一个网络.第一次打开 UI 后(没有打开 API)没有身份验证请求发生.有趣的部分是:在第一次打开 API 并输入 Windows 凭据后,然后打开 UI 工作并显示使用/声明(我们从后端返回).
Issue: The "issue" is, that our VueJS application is running in a docker container (linux containers) on a linux host - inside hosted via nginx. Same network. After opening the UI the first time (without having opened the API) no authentication request is happening. The interesting part is: After opening the API the first time and entering windows credentials and then opening the UI works and shows the use/claims (which we return from the backend).
在前端,我们使用带有 withCredentials: true 的 axios.
In the frontend we are using axios with withCredentials: true.
问题:必须做什么才能使 UI 协商 Windows 登录?
Question: What must be done to enable the UI to negotiate the windows login?
推荐答案
将请求传递到容器的反向代理必须启用 NTLM 支持,Windows 身份验证才能正常工作.IIS 默认支持这一点,但对于其他人,您需要手动激活它.这必须在代理链中重复.
The reverse proxy that's passing requests to your container must have NTLM support enabled for Windows authentication to work. IIS supports this by default, but for others, you need to activate it manually. This must be repeated down the proxy chain.
来自 文档:
凭据可以跨连接上的请求保留.除非代理与 Kestrel 保持 1:1 的连接关联(持久连接),否则不得与代理一起使用协商身份验证.
Credentials can be persisted across requests on a connection. Negotiate authentication must not be used with proxies unless the proxy maintains a 1:1 connection affinity (a persistent connection) with Kestrel.
查看反向代理的文档:
- nginx:http://nginx.org/en/docs/http/ngx_http_upstream_module.html#ntlm
- 球童:https://github.com/caddyserver/ntlm-transport
这篇关于未出现针对 ASP.NET Core 5 Docker API 的 VueJS Windows 身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
