使用集成的 Windows 身份验证接收登录提示 [英] Receiving login prompt using integrated windows authentication
问题描述
我有一个 .NET 3.5 应用程序在 Windows 2003 服务器上的 IIS 7 下运行,并且无法使集成的 Windows 身份验证正常工作,因为我继续收到登录提示.我已在 IIS 中将 Windows 身份验证设置为在禁用所有其他安全类型的情况下启用,并且我的应用程序 web.config 文件身份验证/授权设置为:
I have a .NET 3.5 application running under IIS 7 on Windows 2003 server and cannot get integrated windows authentication working properly as I continue to get prompted for a login. I have set Windows Authentication to enabled in IIS with all other security types disabled and my application web.config file authentication/authorization is set up as:
<system.web>
<compilation debug="true" strict="false" explicit="true" targetFramework="3.5" />
<authenticationmode="Windows"/>
<authorization>
<deny users = "?" />
</authorization>
</system.web>
通过此设置,我希望对 Windows 用户进行幕后验证,以允许访问和拒绝匿名用户.但是,当我尝试访问该站点时,我得到的是一个 Windows 登录弹出窗口.
With this setup, I'm expecting behind the scene verification of the Windows user to allow access and deny anonymous users. However, what I'm getting is a Windows login pop-up when I try to access the site.
我已经解决这个问题好几天了,但无法找出问题所在.根据有类似问题的帖子,我确认我的 URL 不包含任何句点,仔细检查我的 IE 设置是否设置为启用集成 Windows 身份验证,并将我的 URL 添加到我的 Intranet 站点,但仍然收到弹出窗口.
I have been troubleshooting this issue for a few days now and cannot figure out the problem. Based on posts with similar problems, I confirmed my URL does not include any periods, double checked that my IE settings are set to Enable Integrated Windows Authentication, and also added my URL to my intranet sites, but still getting the pop-up.
为了进一步解决问题,我在 IIS 中启用了匿名身份验证并修改了我的 web.config 文件,让我直接进入,然后添加了 Response.Write(System.Security.Principal.WindowsIdentifity.getcurrent().user.name.toString()) 尝试查看身份验证中使用的用户.我得到的结果是 IIS APPPOOLmyapp,这显然是我的应用程序的 IIS 应用程序池.
To troubleshoot it further, I enabled Anonymous Authentication in IIS and modified my web.config file to which lets me right in and then added Response.Write(System.Security.Principal.WindowsIdentifity.getcurrent().user.name.toString()) to try to see what user is being used in the authentication. The result I'm getting is IIS APPPOOLmyapp which is obviously the IIS application pool for my application.
我真的很感谢任何人都可以提供的任何帮助,因此我仍然只使用 Windows 身份验证,但没有弹出窗口,并且 Windows 身份验证是针对实际的 Windows 用户执行的.
I really appreciate any help anyone can provide so that I'm still using only windows authentication but don't get the pop-up and the windows authentication is performed against the actual Windows user.
谢谢.
进一步故障排除后的附加说明:
Additional note after troubleshooting further:
刚刚注意到,当登录失败并再次显示 Windows 登录提示时,它显示尝试登录的用户名是SERVERNAME"USERNAME",这让我相信它正在尝试针对服务器验证用户与域.为了确认这一点,我直接在应用服务器上创建了一个与网域用户相同的用户名和密码的本地用户帐户,并尝试再次登录.结果我又收到了登录提示,但是这次输入用户名和密码就可以成功登录了.网络用户和应用服务器在同一个域中,所以真的不知道为什么 IIS 身份验证指向本地应用服务器帐户而不是域帐户.我意识到此时这是一个 IIS 问题,因此也在 forums.iis.net 上发帖,但感谢任何人提供的任何建议,因为这些天已经解决了这个问题.
Just noticed that when the login fails and the Windows login prompt displays again, it is showing the username that attempted to login as "SERVERNAME""USERNAME" which led me to believe it was trying to validate the user against the server vs. the domain. To confirm this, I created a local user account directly on the app server with the same username and password as the network domain user and tried to login again. The result was that I received the login prompt again but when I entered the username and password this time, I was able to successfully login. The network user and app server are on the same domain so really not sure why IIS authentication is pointing to the local app server accounts and not to the domain accounts. I realize this is an IIS question at this point so posting on forums.iis.net as well but appreciate any advice anyone may have since have been troubleshooting this for days.
推荐答案
我有一个正在处理的 Windows 2008 服务器,所以我的答案与 OP 在 Windows 2003 服务器上的答案并不完全相同.
I have a Windows 2008 server that I'm working on, so my answer is not completely the same as what the OP has on a Windows 2003 server.
这就是我所做的(在这里记录下来,以便我以后可以找到).
Here is what I did (recording this here so I can find it later).
我遇到了同样的问题:
在我的 Web.config 文件中,我有这个部分:
In my Web.config file, I had this section:
<system.web>
<authentication mode="Windows" />
<authorization>
<allow users="*" />
<deny users="?" />
</authorization>
</system.web>
在 IIS 下,所有这些似乎都在 Authentication 图标下解决了.
Under IIS, all of these seems to be solved under the Authentication icon.
- 编辑权限:确保您的 ASP.NET 帐户具有权限.我的不是最初添加的.
现在进入身份验证的功能:
使用IUSR启用匿名身份验证:
启用Windows 身份验证,然后右键单击以设置提供程序.
Enable Windows Authentication, then Right-Click to set the Providers.
NTLM 必须是第一!
接下来,检查高级设置...下的扩展保护是否为接受和启用内核模式身份验证强> 已检查:
Next, check that under Advanced Settings... the Extended Protection is Accept and Enable Kernel-mode authentication is CHECKED:
完成此操作后,我返回到我的 Web 应用程序,单击浏览"链接并登录,而无需再次提供我的凭据.
Once I did this, I went back to my web application, clicked the Browse link, and logged in without having to provide my credentials again.
我希望这对你们中的许多人有益,我希望它以后对我也有用.
I hope this proves beneficial to many of you, and I hope it is useful for me later as well.
这篇关于使用集成的 Windows 身份验证接收登录提示的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
