windows 使用基本和集成身份验证
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3356075/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
using both basic and Integrated authentication
提问by Kolten
We would like to use Integrated Windows Authentication if a user accesses our SharePoint site from within our organization, and Basic Authentication (using SSL) when someone tries to authenticate from outside our organization. Reading, it seems IE will try Windows Auth no matter what and ignore Basic Auth from outside our organization. This is undesirable because the user is required to enter in the DOMAIN into the login box (users are notorious for calling our helpdesk about this). Basic Auth allows us to specify a default domain. Windows auth does not do this. Hence the desire to use Basic Auth for outside, Windows Auth for inside.
如果用户从我们组织内部访问我们的 SharePoint 站点,我们希望使用集成 Windows 身份验证,而当有人尝试从我们组织外部进行身份验证时,我们希望使用基本身份验证(使用 SSL)。阅读,似乎 IE 无论如何都会尝试 Windows 身份验证并忽略来自我们组织外部的基本身份验证。这是不可取的,因为用户需要在 DOMAIN 中输入登录框(用户因为此致电我们的帮助台而臭名昭著)。基本身份验证允许我们指定默认域。Windows 身份验证不会这样做。因此希望在外部使用基本身份验证,在内部使用 Windows 身份验证。
What is the solution to enabling Windows Auth inside the network, and Basic Auth outside our network? Do I need to setup two separate sites inside IIS (one for windows auth, another for basic)? Would this require 2 different Host Names?
在网络内启用 Windows 身份验证和在我们网络外启用基本身份验证的解决方案是什么?我是否需要在 IIS 中设置两个单独的站点(一个用于 Windows 身份验证,另一个用于基本)?这是否需要 2 个不同的主机名?
Is there a solution I am not thinking of here?
有没有我在这里没有想到的解决方案?
Thanks all.
谢谢大家。
回答by CodeThug
Assumption: you want to have all users, both internal and external, authenticate against the same Active Directory domain.
假设:您希望所有用户(包括内部用户和外部用户)都针对同一个 Active Directory 域进行身份验证。
If the main goal is for external users to be able to login without typing the domain name, you could use ISA server.
如果主要目标是让外部用户无需键入域名即可登录,则可以使用 ISA 服务器。
You can have internal users connect directly to your Sharepoint server by pointing your internal DNS directly to your sharepoint server. Thus, windows auth would work for them.
通过将内部 DNS 直接指向您的 Sharepoint 服务器,您可以让内部用户直接连接到您的 Sharepoint 服务器。因此,windows auth 对他们有用。
External users could then be pointed to your ISA server (via DNS), and ISA could be configured to show a login page for Sharepoint where no domain name is required. (It's a web form that they are filling out, but the authentication happens against Active Directory).
然后可以将外部用户指向您的 ISA 服务器(通过 DNS),并且可以将 ISA 配置为显示不需要域名的 Sharepoint 登录页面。(这是他们正在填写的 Web 表单,但身份验证是针对 Active Directory 进行的)。
Getting ISA to work in this way is a little tricky, because you have to get the AAM settings in Sharepoint just right. And if you're doing SSL or SQL Reporting Services, it's even more tricky. The main problem is that there are no meaningful error messages telling you what's wrong. But it is possible. :)
让 ISA 以这种方式工作有点棘手,因为您必须在 Sharepoint 中正确设置 AAM。如果您正在使用 SSL 或 SQL Reporting Services,那就更棘手了。主要问题是没有有意义的错误消息告诉您出了什么问题。但这是可能的。:)
We have this set up, and it works great, but it was definitely a pain to get working right.
我们有这个设置,它工作得很好,但要正常工作绝对是一件痛苦的事情。
Tim
回答by kbrimington
Windows auth uses a protocol to negotiate which authentication method will be used. I've been wrong before, but I don't think you can do both without using two separate virtual directories (which can point to the same physical directory, if you choose). The idea is that you configure a different auth mechanism for each.
Windows 身份验证使用协议来协商将使用哪种身份验证方法。我以前错了,但我认为如果不使用两个单独的虚拟目录(可以指向同一个物理目录,如果你选择),你就不能同时做到这两点。这个想法是您为每个配置不同的身份验证机制。
回答by Rob
In order to configure different authentication methods on a SharePoint site (assuming you are talking about at least SharePoint 2007) you will need to extend the web application which results in additional sites created in IIS. You will need different host names, one for internal and one for external.
为了在 SharePoint 站点上配置不同的身份验证方法(假设您至少讨论的是 SharePoint 2007),您需要扩展 Web 应用程序,这会导致在 IIS 中创建其他站点。您将需要不同的主机名,一个用于内部,一个用于外部。
Once extended, Alternate Access Mappings will need to be configured (this is done through Central Admin). Authentication providers can then be configured in the 'Authentication Providers' section in Central Admin. Basic authentication would then be configured for the external site (make sure to use SSL since Basic authentication sends login info in clear text) and the internal site would be configured for integrated Windows authentication. Here are a couple of resources worth noting:
扩展后,需要配置备用访问映射(这是通过中央管理完成的)。然后可以在 Central Admin 的“身份验证提供程序”部分中配置身份验证提供程序。然后将为外部站点配置基本身份验证(确保使用 SSL,因为基本身份验证以明文形式发送登录信息),并将内部站点配置为集成 Windows 身份验证。以下是一些值得注意的资源:
http://technet.microsoft.com/en-us/library/cc262309%28office.12%29.aspxhttp://go.microsoft.com/fwlink/?LinkID=79589
http://technet.microsoft.com/en-us/library/cc262309%28office.12%29.aspx http://go.microsoft.com/fwlink/?LinkID=79589
Hope that helps.
希望有帮助。
