匿名前的 IIS Windows 身份验证
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/2068546/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
IIS Windows Authentication before Anonymous
提问by Phill
I have a website that I would like to allow both Forms and Windows Auth for. My problem is that it seems that when you setup IIS to allow both anonymous (Required for forms auth) and Windows auth that the browser won't send the user's network credentials.
我有一个网站,我想同时允许 Forms 和 Windows Auth。我的问题是,当您设置 IIS 以允许匿名(表单身份验证所需)和 Windows 身份验证时,浏览器似乎不会发送用户的网络凭据。
It just uses the anonymous login. Is there any way either in IE8 or IIS to have it try Windows Auth 1st and then fall back to Anonymous?
它只是使用匿名登录。有没有办法在 IE8 或 IIS 中让它尝试 Windows Auth 1st 然后回退到匿名?
Thanks for any help.
谢谢你的帮助。
回答by bobince
You can't ask for HTTP authentication (whether that's Basic Authentication or Integrated Windows Authentication) without causing the authentication dialogue box to pop in the case where there are no credentials yet.
在没有凭据的情况下,您不能要求 HTTP 身份验证(无论是基本身份验证还是集成 Windows 身份验证)而不导致身份验证对话框弹出。
So in general for hybrid HTTP-auth+cookie-auth approaches you enable both anonymous and authenticated access for the bulk of the site, but allow only authenticated access to one particular script.
因此,一般来说,对于混合 HTTP-auth+cookie-auth 方法,您可以为大部分站点启用匿名访问和身份验证访问,但只允许对一个特定脚本的身份验证访问。
When the user accesses a page without either kind of auth, you spit out a page with a login form for the cookie-based auth, and also a link to the one URL that allows only authenticated access. The user can fill out the form for cookies&forms auth, or hit the link to log in with HTTP auth instead.
当用户在没有任何一种身份验证的情况下访问页面时,您会吐出一个页面,其中包含一个基于 cookie 的身份验证的登录表单,以及一个指向仅允许经过身份验证的访问的 URL 的链接。用户可以填写cookies&forms auth的表单,或者点击链接使用HTTP auth登录。
If the user follows that link, they will be given a 401response and must provide HTTP authentication, either through the auth dialog, or potentially automatically using integrated Windows authentication. Once this has happened once, the browser will start submitting the same credentials to every future page, so IIS will decode the credentials to give you the expected REMOTE_USERwhen your main site scripts are run.
如果用户点击该链接,他们将收到401响应,并且必须通过身份验证对话框或可能自动使用集成的 Windows 身份验证提供 HTTP 身份验证。一旦这种情况发生一次,浏览器将开始向以后的每个页面提交相同的凭据,因此 IIS 将对凭据进行解码,以便REMOTE_USER在主站点脚本运行时为您提供预期的信息。
Browsers will only submit the credentials to pages in the same directory as the 401script, or subdirectories of this. For this reason it is best to put the HTTP-auth-required script in the root, for example as /login.aspx.
浏览器只会将凭据提交到与401脚本相同目录中的页面,或者它的子目录。出于这个原因,最好将 HTTP-auth-required 脚本放在根目录中,例如作为/login.aspx.
However, there are a few browsers that won't automatically submit credentials for further pages, and require every HTTP request to respond 401first, before sending the request again with credentials. This makes optional-auth and hybrid-auth schemes impossible (as well as making browsing of protected sites much slower!). The only modern browser that does this is Safari. You may not care, as Safari's support for Integrated Windows Authentication has traditionally been shaky anyway, and it can still use the forms+cookies auth type.
但是,有一些浏览器不会自动为更多页面提交凭据,并且要求每个 HTTP 请求都首先响应401,然后再使用凭据再次发送请求。这使得可选身份验证和混合身份验证方案变得不可能(以及使受保护站点的浏览速度变慢!)。唯一能做到这一点的现代浏览器是 Safari。您可能不在乎,因为 Safari 对集成 Windows 身份验证的支持在传统上一直不稳定,它仍然可以使用表单+cookies 身份验证类型。
