How to do Active Directory authentication in Razor (cshtml)
Question
I am doing a simple website with Razor. Currently, I have database-based authentication that works, as follows:
In _AppStart.cshtml:
    WebSecurity.InitializeDatabaseConnection("db_connection",
                                             "users", "id", "username", true);
In login.cshtml page:
    username = Request["username"];
    password = Request["password"];
    if (WebSecurity.Login(username, password, true))
    {
        Response.Redirect("/admin");
    }
    else
    {
        errorMessage = "Login was not successful.";
    }
In protected CSHTML pages, I have the following at the top of a page:
    if (!WebSecurity.IsAuthenticated)
    {
        Response.Redirect("/login.cshtml");
    }
Everything is pretty simple and works well. Now I would like to add authentication with AD. I don't know how to do it.
I came from the Java world with many years of experience. For this simple website, I do not need MVC architecture. I need simple things similar to the above (if possible). I need to do authentication just within the login.cshtml file. I googled a lot and am unable to find a tutorial (so that I can copy and paste) for what I need.
Any pointers or help is really appreciated!
Thanks and regards
Update: this application sits on an internal network.
Update 2: here is the code I have successfully implemented, based on X3074861X's code:
@using System.DirectoryServices.Protocols
@using System.Net
@{
    // username, password and errorMessage are declared earlier in the page
    if (IsPost)
    {
        username = Request["username"];
        password = Request["password"];
        var domain = "domain";
        var host = "host";
        var port = "389";
        LdapConnection ldapConnection = new LdapConnection(host + ":" + port);
        try
        {
            // authenticate the username and password
            using (ldapConnection)
            {
                // pass in the network creds, and the domain.
                var networkCredential = new NetworkCredential(username, password, domain);
                // if we're using unsecured port 389, set to false. If using port 636, set this to true.
                ldapConnection.SessionOptions.SecureSocketLayer = false;
                // since this is an internal application, just accept the certificate either way
                ldapConnection.SessionOptions.VerifyServerCertificate += delegate { return true; };
                // to force NTLM\Kerberos use AuthType.Negotiate, for non-TLS and unsecured, just use AuthType.Basic
                ldapConnection.AuthType = AuthType.Basic;
                // this is where the authentication occurs
                ldapConnection.Bind(networkCredential);
                // check local database to make sure the user is one of the allowed ones
                if (WebSecurity.Login(username, "fixed-password, just to check whether someone is on the list of allowed people", true))
                {
                    Response.Redirect("/admin");
                }
                else
                {
                    errorMessage = "Login was not successful.";
                }
            }
        }
        catch (LdapException exception)
        {
            // Authentication failed, exception will dictate why
            errorMessage = "Login was not successful.";
        }
    }
}
Some explanation. I don't have control over the AD and so I can only authenticate users against it. I still have a little local database that indicates who can access the app. Everyone with access to the app has the same rights.
Thanks and credit to X3074861X.
Recommended answer
Since this is an internal application, and you're looking for something simple, I would consider writing a single class to do the Active Directory authentication. You're going to need a couple of things though, in order for this to work:
- A reference to System.DirectoryServices.Protocols in your project.
- The IP or DNS name of your Active Directory server. We'll call it host in the code below.
- The port it's running on (LDAPS will be port 636, basic LDAP will be port 389). We'll call it port in the code below.
- The Domain to which your users belong. We'll call it domain in the code below.
Now that you have that, you can wire this up to check the credentials from the request against your AD instance. I would try something like this:
@using System.DirectoryServices.Protocols
@using System.Net
@{
    // the username and password to authenticate
    username = Request["username"];
    password = Request["password"];
    // define your connection (host, port and domain are the values described above)
    LdapConnection ldapConnection = new LdapConnection(host + ":" + port);
    try
    {
        // authenticate the username and password
        using (ldapConnection)
        {
            // pass in the network creds, and the domain.
            var networkCredential = new NetworkCredential(username, password, domain);
            // if we're using unsecured port 389, set to false. If using port 636, set this to true.
            ldapConnection.SessionOptions.SecureSocketLayer = false;
            // since this is an internal application, just accept the certificate either way
            ldapConnection.SessionOptions.VerifyServerCertificate += delegate { return true; };
            // to force NTLM\Kerberos use AuthType.Negotiate, for non-TLS and unsecured, just use AuthType.Basic
            ldapConnection.AuthType = AuthType.Basic;
            // authenticate the user
            ldapConnection.Bind(networkCredential);
        }
    }
    catch (LdapException ldapException)
    {
        // Authentication failed, exception will dictate why
    }
}
Also, in the same way you'd communicate an authorization issue before, the ldapException can tell you why the call failed. If you want to display custom messaging, I would check the LdapException.ErrorCode property, and maybe create a case statement of return messages based on the error codes.
Or, you could just output LdapException.Message directly to the page - either way, that will at least dictate to the user why their login didn't work.
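As an added example (not code from the question or the answer above), the following helper keeps the same LdapConnection approach but with the settings a real deployment needs: LDAPS with the server certificate actually verified instead of a callback that always returns true, Negotiate instead of a cleartext Basic bind on port 389, and the LdapException detail kept for the server log rather than echoed to the browser, since the AD sub-codes in it (locked out, disabled, expired) tell an attacker which accounts exist and what state they are in. The host, port and domain arguments are the placeholders described in the answer; the class name and the logDetail parameter are my own.

```csharp
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added helper, not part of the original question or answer.
public static class AdAuthenticator
{
    // Returns true when the user's credentials bind successfully against AD.
    // logDetail is for the server log only; the page should show a generic message.
    public static bool TryBind(string host, int port, string domain,
                               string username, string password, out string logDetail)
    {
        logDetail = null;
        // Reject empty credentials up front: an empty password is treated as an
        // anonymous bind by many LDAP servers and would "succeed" without proving anything.
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
        {
            logDetail = "empty username or password rejected before contacting the server";
            return false;
        }
        var identifier = new LdapDirectoryIdentifier(host, port);   // e.g. port 636 for LDAPS
        using (var connection = new LdapConnection(identifier))
        {
            connection.SessionOptions.SecureSocketLayer = true;      // LDAPS, never cleartext
            connection.SessionOptions.ProtocolVersion = 3;
            // Validate the server certificate against the machine's trust store
            // instead of accepting whatever the other end presents.
            connection.SessionOptions.VerifyServerCertificate =
                (conn, certificate) => new X509Certificate2(certificate).Verify();
            // Negotiate selects Kerberos or NTLM, so the password is not sent in a Basic bind.
            connection.AuthType = AuthType.Negotiate;
            try
            {
                connection.Bind(new NetworkCredential(username, password, domain));
                return true;
            }
            catch (LdapException ex)
            {
                // ErrorCode 49 means invalid credentials; AD adds a sub-code such as
                // "data 775" (locked out) or "data 533" (disabled) in ServerErrorMessage.
                // Keep that in the log, never in the page returned to the user.
                logDetail = string.Format(
                    "LDAP bind failed for '{0}': ErrorCode={1}, Message={2}, ServerErrorMessage={3}",
                    username, ex.ErrorCode, ex.Message, ex.ServerErrorMessage);
                return false;
            }
        }
    }
}
```

In login.cshtml the call becomes `if (AdAuthenticator.TryBind(host, 636, domain, username, password, out detail))`, with `errorMessage = "Login was not successful."` on the false branch and `detail` written to the server log. For the local allow-list the question describes, checking `WebSecurity.UserExists(username)` after a successful bind and then calling `FormsAuthentication.SetAuthCookie(username, false)` avoids storing a shared fixed password in the page source.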