.NET: Changing from Windows authentication to forms authentication against AD
Keywords: authentication AD forms Windows NET | Updated: 2023-09-27 18:31:57
I have a working .NET MVC application that uses Windows authentication. Because we use shared computers, Windows authentication doesn't work for us; we need to switch to forms authentication, but we still want to authenticate against Active Directory. I have read various tutorials on this topic, but none of them seem to work, and none of them show how to convert an existing Windows-authentication application into one that uses forms authentication against AD. What do I need to do to make this conversion?
Here is my application's web.config:
<configuration>
  <configSections>
    <section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
    <sectionGroup name="applicationSettings" type="System.Configuration.ApplicationSettingsGroup, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
      <section name="Wellness.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
    </sectionGroup>
  </configSections>
  <connectionStrings>
    <add name="DefaultConnection" connectionString="Data Source=(LocalDb)\v11.0;Initial Catalog=aspnet-Wellness-20130715090235;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|\aspnet-Wellness-20130715090235.mdf" providerName="System.Data.SqlClient" />
    <add name="tt" connectionString="Data Source=(localdb)\v11.0; Initial Catalog=tt-20130805140115; Integrated Security=True; MultipleActiveResultSets=True; AttachDbFilename=|DataDirectory|tt-20130805140115.mdf" providerName="System.Data.SqlClient" />
    <add name="WellnessEntities" connectionString="metadata=res://*/Models.WellnessModel.csdl|res://*/Models.WellnessModel.ssdl|res://*/Models.WellnessModel.msl;provider=System.Data.SqlClient;provider connection string=&quot;data source=MSSQL;initial catalog=Wellness;persist security info=True;user id=Wellness_User;password=xGopher2008;MultipleActiveResultSets=True;App=EntityFramework&quot;" providerName="System.Data.EntityClient" />
  </connectionStrings>
  <appSettings>
    <add key="webpages:Version" value="2.0.0.0" />
    <add key="webpages:Enabled" value="false" />
    <add key="PreserveLoginUrl" value="true" />
    <add key="ClientValidationEnabled" value="true" />
    <add key="UnobtrusiveJavaScriptEnabled" value="true" />
  </appSettings>
  <system.web>
    <httpRuntime maxRequestLength="10240"/>
    <customErrors mode="Off"></customErrors>
    <compilation debug="true" targetFramework="4.5">
      <assemblies>
        <add assembly="System.Data.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      </assemblies>
    </compilation>
    <authentication mode="Windows" />
    <authorization>
      <allow roles="b-hive\AllStaff"/>
      <deny users="*"/>
    </authorization>
    <pages controlRenderingCompatibilityVersion="4.0">
      <namespaces>
        <add namespace="System.Web.Helpers" />
        <add namespace="System.Web.Mvc" />
        <add namespace="System.Web.Mvc.Ajax" />
        <add namespace="System.Web.Mvc.Html" />
        <add namespace="System.Web.Optimization" />
        <add namespace="System.Web.Routing" />
        <add namespace="System.Web.WebPages" />
      </namespaces>
    </pages>
    <profile defaultProvider="DefaultProfileProvider">
      <providers>
        <add name="DefaultProfileProvider" type="System.Web.Providers.DefaultProfileProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" applicationName="/" />
      </providers>
    </profile>
    <membership defaultProvider="DefaultMembershipProvider">
      <providers>
        <add name="DefaultMembershipProvider" type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
      </providers>
    </membership>
    <roleManager defaultProvider="DefaultRoleProvider">
      <providers>
        <add name="DefaultRoleProvider" type="System.Web.Providers.DefaultRoleProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" applicationName="/" />
      </providers>
    </roleManager>
    <sessionState mode="InProc" customProvider="DefaultSessionProvider">
      <providers>
        <add name="DefaultSessionProvider" type="System.Web.Providers.DefaultSessionStateProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" />
      </providers>
    </sessionState>
  </system.web>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <handlers>
      <remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
      <remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
      <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
      <add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
      <add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
      <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
    </handlers>
  </system.webServer>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Helpers" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="1.0.0.0-2.0.0.0" newVersion="2.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="1.0.0.0-4.0.0.0" newVersion="4.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.WebPages" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="1.0.0.0-2.0.0.0" newVersion="2.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
  <entityFramework>
    <defaultConnectionFactory type="System.Data.Entity.Infrastructure.LocalDbConnectionFactory, EntityFramework">
      <parameters>
        <parameter value="v11.0" />
      </parameters>
    </defaultConnectionFactory>
  </entityFramework>
  <applicationSettings>
    <Wellness.Properties.Settings>
      <setting name="Setting" serializeAs="String">
        <value />
      </setting>
    </Wellness.Properties.Settings>
  </applicationSettings>
</configuration>
You have two options. First, use a provider and leverage the built-in framework infrastructure. Second, use Directory Services and write all the code yourself. The latter gives you full control and flexibility; the former gives you ease of implementation.
Using a provider:
(1) Specify forms authentication in web.config:
<authentication mode="Forms">
  <forms name=".ADAuthCookie" loginUrl="~/Login.aspx" defaultUrl="~/Default.aspx" timeout="05"/>
</authentication>
(2) Add an LDAP connection string:
<connectionStrings>
  <add name="ADConnectionString" connectionString="LDAP://fqdn.co/DC=fqdn,DC=co"/>
</connectionStrings>
(3) Add a membership provider (supplying the connection string name defined above):
<membership defaultProvider="MyADMembershipProvider">
  <providers>
    <add name="MyADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0,
         Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ADConnectionString" attributeMapUsername="sAMAccountName" />
  </providers>
</membership>
For the provider, you must figure out the token and version according to your ASP.NET version.
(4) Create a login page (Login.aspx, as specified in the forms-auth loginUrl) and use ASP.NET's Login control:
<asp:Login ID="LoginUser" runat="server" ....
(5) You're good to go.
Do it yourself:
(1) Specify forms authentication in web.config:
<authentication mode="Forms">
  <forms name=".MyAuth" loginUrl="~/Logon.aspx" defaultUrl="~/Default.aspx" timeout="05">
  </forms>
</authentication>
(2) Add references to System.DirectoryServices and System.DirectoryServices.AccountManagement.
(3) Create an authentication method in your logic layer (something like:
Imports System.DirectoryServices
Imports System.DirectoryServices.AccountManagement

' Validates the supplied user name and password against the given domain.
<DirectoryServicesPermission(Security.Permissions.SecurityAction.LinkDemand, Unrestricted:=True)> _
Public Shared Function Authenticate(ByVal domainName As String, ByVal userAlias As String, ByVal userPassword As String) As Boolean
    Try
        ' Bind to the domain and let AD check the credentials (Negotiate = Kerberos/NTLM).
        Using context As New PrincipalContext(ContextType.Domain, domainName)
            If context.ValidateCredentials(userAlias, userPassword, ContextOptions.Negotiate) Then
                Return True
            Else
                Return False
            End If
        End Using
    Catch ex As Exception
        Throw
    End Try
End Function
The snippet above is in VB because I'm not too confident in C#, but you get the idea.
(4) Create a login page and call this method from the code-behind when logging in:
isAuthenticated = LogicLayer.Authenticate(domainName, userName, userPassword)
(5) If it succeeds, i.e. isAuthenticated returns true, set the forms-auth cookie:
FormsAuthentication.SetAuthCookie(userName, isRememberMe)
(6) You're good to go.
Note:
Be aware that using forms authentication exposes you to a security risk, because the credentials travel across the network in clear text. You must take appropriate security measures yourself; SSL is the simplest way to help you with that.
Also note that you may need to handle more things, such as <identity impersonate="true" /> to enable access under the user's account rather than the application pool identity. You will also need to set up anonymous authentication in IIS.
Edit:
I didn't notice before that yours is an MVC application. Some of the points above are WebForms-specific (like the control and the code-behind), so please ignore those. Otherwise, I hope you get the idea behind it.
Go to the ASP.NET Configuration web page, then to the Security tab; you should be able to set it up from there.
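As an added example (not code from the question or from either answer), here is the same do-it-yourself flow written for the asker's MVC application in C#: an AccountController that validates the posted credentials against AD with PrincipalContext.ValidateCredentials and then issues the forms-auth cookie. The domain name "EXAMPLE", the LoginModel view model and the ~/Account/Login route (which the <forms loginUrl="..."> in web.config must point at) are assumptions.

```csharp
using System.ComponentModel.DataAnnotations;
using System.DirectoryServices.AccountManagement;
using System.Web.Mvc;
using System.Web.Security;

// Login view model. [Required] is a security check here, not just validation:
// ValidateCredentials(null, null) validates the process's own default credentials.
public class LoginModel
{
    [Required] public string UserName { get; set; }
    [Required, DataType(DataType.Password)] public string Password { get; set; }
    public bool RememberMe { get; set; }
}

public class AccountController : Controller
{
    private const string DomainName = "EXAMPLE"; // placeholder: your AD domain name

    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (ModelState.IsValid && IsValidAdUser(model.UserName, model.Password))
        {
            // Same call as the answer's step (5); name/timeout come from <forms> in web.config.
            FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
            // Follow returnUrl only when it is local, so the login page is not an open redirector.
            if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
            return RedirectToAction("Index", "Home");
        }
        // One generic message whether the user is unknown or the password is wrong.
        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View(model);
    }

    // Same check as the answer's Authenticate(): bind to the domain with the supplied
    // credentials and report whether AD accepted them.
    private static bool IsValidAdUser(string userName, string password)
    {
        using (var context = new PrincipalContext(ContextType.Domain, DomainName))
        {
            return context.ValidateCredentials(userName, password, ContextOptions.Negotiate);
        }
    }
}
```

Under forms authentication the signed-in identity carries no Windows group memberships, so the <allow roles="b-hive\AllStaff"/> rule in the question's web.config will deny everyone until a role provider (or an explicit AD group check) supplies that role.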