Asp.Net Core Windows 身份验证在 IIS 中不起作用 [英] Asp.Net Core Windows Authentication Not Working in IIS

问题描述

当启用 Windows 身份验证并在 IIS Express 或 IIS 中运行时，Asp.Net Core 似乎无法通过调用 context?.User?.Identity?.Name 识别用户.

Asp.Net Core doesn't seem to recognize the user from the call context?.User?.Identity?.Name when windows authentication is enabled and running in IIS Express or IIS.

期望的行为:在 IIS 和/或 IIS Express 中启用 Windows 身份验证和匿名身份验证，Asp.Net Core 应自动识别 Windows 用户.

Desired behavior: Enabling both Windows authentication and anonymous authentication in IIS and/or IIS Express, Asp.Net Core should automatically recognize the windows user.

实际行为:当我在 IIS 或 IIS Express 中同时启用 Windows 和匿名身份验证时，用户名为空.当我禁用匿名身份验证或调用 HttpContext.ChallengeAsync(IISDefaults.AuthenticationScheme) 时，我收到了我不想要的登录提示.

Actual behavior: When I enable both windows and anonymous authentication in IIS or IIS Express, the user name is null. When I disable anonymous authentication or call HttpContext.ChallengeAsync(IISDefaults.AuthenticationScheme), I get a login prompt, which I don't want.

我的理解是，即使我想将其用于 Active Directory，我也不需要 Active Directory 或域来验证 Windows 用户.

My understanding is that, even though I want to use this for Active Directory, I don't need active directory or a domain to authenticate a windows user.

环境:

• Windows 8.1(不在域中)
• IIS 8.5/带有 IIS Express 的 Visual Studio 2017
• 已安装 Windows 身份验证安全功能
• Windows 身份验证和(与 NTLM 提供商)&启用匿名身份验证
• 以本地帐户用户身份登录

依赖:

• Microsoft.AspNetCore.All 2.0.8

启动:

public void ConfigureServices(IServiceCollection services)
{
    services.Configure<IISOptions>(iis =>
    {
        iis.AuthenticationDisplayName = "Windows";
        iis.AutomaticAuthentication = true;
    });

    services.AddAuthentication(IISDefaults.AuthenticationScheme);
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }

    app.UseAuthentication();
    app.Run(async (context) =>
    {
        await context.Response.WriteAsync(JsonConvert.SerializeObject(new
        {                
            UserName = context?.User?.Identity?.Name
        }));
    });       

launchSettings.json:

launchSettings.json:

{
  "iisSettings": {
    "windowsAuthentication": true,
    "anonymousAuthentication": true,
    "iisExpress": {
      "applicationUrl": "http://localhost:51682/",
      "sslPort": 0      
    }
  },
  "profiles": {
    "IIS Express": {
      "commandName": "IISExpress",
      "launchBrowser": true,
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      }
    }
  }
}

web.config:

web.config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <remove name="aspNetCore" />
      <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
    </handlers>
    <aspNetCore forwardWindowsAuthToken="true" processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="true" stdoutLogFile=".logsstdout" />
  </system.webServer>
</configuration>

applicationhost.config: (IIS Express)

applicationhost.config: (IIS Express)

基于这篇文章:https://docs.microsoft.com/en-us/iis/configuration/system.webServer/security/authentication/windowsAuthentication/

<authentication>
  <anonymousAuthentication enabled="true" userName="" />
  <basicAuthentication enabled="false" />
  <clientCertificateMappingAuthentication enabled="false" />
  <digestAuthentication enabled="false" />
  <iisClientCertificateMappingAuthentication enabled="false"></iisClientCertificateMappingAuthentication>
  <windowsAuthentication enabled="true">
    <providers>
      <add value="NTLM" />
    </providers>
  </windowsAuthentication>
</authentication>

推荐答案

一些事情:

1. 当您禁用匿名身份验证时，您会收到一个弹出窗口，因为浏览器可能不信任该站点.您需要打开 Internet 选项(从 Windows 控制面板)->安全选项卡 ->单击受信任的站点"->单击站点"并将 URL 添加到您的站点.IE 和 Chrome 都使用这些设置来决定是否自动发送您的凭据.

1. When you disable anonymous authentication, you get a popup because the browser likely doesn't trust the site. You need to open Internet Options (from the Windows Control Panel) -> Security tab -> Click 'Trusted Sites' -> Click 'Sites' and add the URL to your site there. Both IE and Chrome use those settings for deciding whether to automatically send your credentials.

当您同时启用匿名和 Windows 身份验证时，匿名优先，除非您告诉它用户必须登录.为此，请使用 [Authorize] 属性要么在控制器上，要么只是在单个动作上.文档中有更多详细信息，标题为 允许匿名访问.

When you have both anonymous and Windows authentication enabled, anonymous takes precedence except in places where you tell it that the user must be logged in. To do that, use the [Authorize] attribute either on a controller, or just on individual actions. There are more details in the documentation, under the heading Allow Anonymous Access.

这篇关于Asp.Net Core Windows 身份验证在 IIS 中不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！