Windows 身份验证和本地数据库用户身份验证 [英] Windows Authentication and local DB user authentication

问题描述

我在我的 MVC 应用程序中使用 Windows 身份验证模拟.当我打开应用程序时，浏览器会显示提示输入凭据并验证域用户.

I am using windows authentication impersonation in my MVC application.when i open the application the browser display a prompt for the credentials and validate the domain users.

但现在我还想在我的应用程序中创建用户，并且还想对存储在我的数据库中的用户进行身份验证.

But now i also want to create user in my application and also want to authenticate that users which is stored in my database.

是否可以通过域用户的 Windows 身份验证来验证应用程序数据库用户.我做了很多研发D对此但还没有找到任何解决方案.我会很感激你的建议.谢谢！

Is it possible to authenticate Application DB users as well with windows authentication for domain users. i did much R & D on this but didn't found any solution yet. I will appreciate your suggestions. Thanks!

推荐答案

如果我理解正确，您希望同时允许 Windows 身份验证和表单身份验证.这不是一件常见的事情，但我已经做到了.我是这样做的:

If I understand you correctly, you want to allow both Windows Authentication and Forms Authentication. This is not a common thing to do, but I have done it. Here is how I did it:

您必须使用表单身份验证作为主要身份验证.因此，像往常一样构建表单身份验证:您有一个登录页面，在提交后，它会验证您数据库中的凭据.棘手的部分是添加 Windows 身份验证.

You have to use forms authentication as your primary authentication. So build the Forms Authentication as you normally would: you have a login page that, after submitting, validates the credentials from your database. The tricky part is adding Windows Authentication.

为此，请在您的身份验证控制器中创建一个使用 Windows 身份验证的操作.对于本示例，我假设您的控制器是 AuthController，我们将调用操作 WinLogin.该操作将如下所示:

To do this, create one action in your authentication controller that uses Windows authentication. For this example, I'll assume your controller is AuthController and we'll call the action WinLogin. That action will look something like this:

[Authorize]
public ActionResult WinLogin() {
    var principal = HttpContext.User;
    if (principal == null || !principal.Identity.IsAuthenticated) {
        //Windows authentication failed
        return new HttpUnauthorizedResult();
    }

    // User is validated, so create the form authentication cookie
    FormsAuthentication.SetAuthCookie(principal.Identity.Name, false);

    return new EmptyResult();
}

它只检查用户是否经过验证，如果是，则使用他们的 AD 用户名设置表单身份验证 cookie.

It just checks if the user is validated and, if so, sets the Forms Authentication cookie with their AD username.

为了使用 Windows 身份验证，您必须更新您的 web.config 以告诉它仅对一项操作使用 Windows 身份验证.您可以使用 标签来实现:

For that to use Windows Authentication, you have to update your web.config to tell it to use Windows Authentication for only that one action. You do that with a <location> tag:

<location path="Auth/WinLogin">
    <system.webServer>
      <security>
        <authentication>
          <windowsAuthentication enabled="true" />
          <anonymousAuthentication enabled="false" />
        </authentication>
      </security>
    </system.webServer>
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
</location>

默认情况下，IIS 不允许您在配置中的此位置更改身份验证方法.您需要更新 IIS 管理器中的功能委派"以允许它.

By default, IIS won't let you change the authentication method at this place in the config. You need to update the "Feature Delegation" in IIS Manager to allow it.

1. 在 IIS 管理器中，单击左侧的服务器名称.
2. 在右侧，双击管理"部分下的功能委托".
3. 将身份验证 - 匿名"和身份验证 - Windows"都更改为读/写".

如果您使用 IIS Express 进行调试，您必须为此做类似的事情:

If you use IIS Express for debugging, you have to do something similar for that:

1. 在项目文件夹中，打开文件 .vsconfigapplicationhost.config.
2. 修改这两行，使其显示"Allow":

<section name="anonymousAuthentication" overrideModeDefault="Allow" />
<section name="windowsAuthentication" overrideModeDefault="Allow" />

接下来更新您的登录页面以默认隐藏用户名和密码字段(假设它们位于 ID 为 loginBox 的框内).这个想法是您对 WinLogin 操作执行 AJAX 请求，如果成功，那么您将用户转发到主页或他们试图访问的任何页面.如果你使用 jQuery，它看起来像这样:

Next update your login page to hide the username and password fields by default (let's say they are inside a box with an id of loginBox). The idea is that you perform an AJAX request to the WinLogin action, and if that succeeds, then you forward the user on to the main page or whichever page they were trying to go to. If you use jQuery, that will look something like this:

$.get("@Url.Action("WinLogin", "Auth")")
    .done(function() {
        //success! forward to the page they want
        window.location.replace(returnUrl);
    }).fail(function() {
        //failed - show manual login prompt
        $("#loginBox").show();
    });
});

只要您的网站已经是受信任的网站(如果您现在已经使用了 Windows 身份验证，我假设也是如此)，那么 Windows 身份验证将在该 AJAX GET 请求期间发生.

As long as your website is already a trusted website (which I assume so if you already have Windows Authentication working now), then the Windows Authentication will happen during that AJAX GET request.

注意window.location 的使用.replace()，它不会将登录页面添加到浏览器历史记录中，因此如果用户点击后退按钮，他们不会返回登录页面.它让事情变得更加无缝.

Notice the use of window.location.replace(), which will not add the login page to the browser history, so if the user then hits the back button, they do not come back to the login page. It makes things a little more seamless.

您还可以添加一个加载圆圈或其他内容来指示用户应该在 GET 发生时等待，但您可以决定.

You could also add a loading circle or something to indicate that the user should wait while that GET happens, but you can decide that.

有了这一切，用户体验应该是:

With all this in place, the user experience should be:

1. 他们访问一个页面.
2. 它们未经身份验证，因此会被重定向到登录页面.
3. 登录页面在后台尝试 Windows 身份验证.
4. 如果 Windows 身份验证成功，它们会自动重定向回所需的页面.
5. 如果 Windows 身份验证失败，则会出现用户名和密码框，他们可以手动登录.

这篇关于Windows 身份验证和本地数据库用户身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！