问题描述
我的ASP.Net Core MVC应用程序通过IdentityServer访问.Net Core API。它在使用基于Entity Framework的身份存储的进程中运行的IIS服务器上运行良好。现在,我试图启用Windows身份验证并陷入此处。
我尝试遵循Identityserver文档“ Windows身份验证”部分-我将以下代码添加到IdentityServer的Startup.cs的ConfigureServices中。
// configures IIS in-proc settings
services.Configure<IISServerOptions>(iis =>
{
iis.AuthenticationdisplayName = "Windows";
iis.AutomaticAuthentication = false;
});
我还为我的API应用启用了IIS中的Windows身份验证
我很困惑的文档部分是“您通过在Windows方案上调用ChallengeAsync触发Windows身份验证”。它没有提及您在哪里进行操作。我假设它在Identityserver中,并将代码放在下面的IdentityServer的AccountController的Login方法中。
/// <summary>
/// Entry point into the login workflow
/// </summary>
[HttpGet]
public async Task<IActionResult> Login(string returnUrl)
{
// trigger Windows authentication by calling ChallengeAsync
await ChallengeWindowsAsync(returnUrl);
// build a model so we kNow what to show on the login page
var vm = await BuildLoginviewmodelAsync(returnUrl);
if (vm.IsExternalLoginonly)
{
// we only have one option for logging in and it's an external provider
return RedirectToAction("Challenge","External",new { scheme = vm.ExternalLoginScheme,returnUrl });
}
return View(vm);
}
private async Task<IActionResult> ChallengeWindowsAsync(string returnUrl)
{
// see if windows auth has already been requested and succeeded
var result = await HttpContext.AuthenticateAsync("Windows");
if (result?.Principal is WindowsPrincipal wp)
{
// we will issue the external cookie and then redirect the
// user back to the external callback,in essence,treating windows
// auth the same as any other external authentication mechanism
var props = new AuthenticationProperties()
{
RedirectUri = Url.Action("Callback"),Items =
{
{ "returnUrl",returnUrl },{ "scheme","Windows" },}
};
var id = new ClaimsIdentity("Windows");
// the sid is a good sub value
id.AddClaim(new Claim(JwtClaimTypes.Subject,wp.FindFirst(ClaimTypes.PrimarySid).Value));
// the account name is the closest we have to a display name
id.AddClaim(new Claim(JwtClaimTypes.Name,wp.Identity.Name));
// add the groups as claims -- be careful if the number of groups is too large
var wi = wp.Identity as WindowsIdentity;
// translate group SIDs to display names
var groups = wi.Groups.Translate(typeof(NTAccount));
var roles = groups.Select(x => new Claim(JwtClaimTypes.Role,x.Value));
id.AddClaims(roles);
await HttpContext.SignInAsync(
IdentityServerConstants.ExternalCookieAuthenticationScheme,new ClaimsPrincipal(id),props);
return Redirect(props.RedirectUri);
}
else
{
// trigger windows auth
// since windows auth don't support the redirect uri,// this URL is re-triggered when we call challenge
return Challenge("Windows");
}
}
如果一切顺利,我希望发生的事情是身份验证会自动进行(没有登录框?),因为“挑战”调用将要求客户端(浏览器)发送Windows身份信息和令牌将基于此发行。
现在似乎无法正常工作-启动MVC应用时,我从API收到未经授权的错误:
我在错误的地方吗?还是我想念其他东西?
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)