Passport Authentication in WinHTTP

Microsoft Windows HTTP Services (WinHTTP) fully supports the client side of the Microsoft Passport authentication protocol. This topic provides an overview of the transactions involved in Passport authentication and how to handle them.

Note  In WinHTTP 5.1, Passport authentication is disabled by default.

Passport 1.4

Passport is a core component of the Microsoft .NET building block services. It enables businesses to develop and offer distributed Web services across a wide range of applications, and it lets its members use one sign-in name and password at all participating Web sites.

WinHTTP provides platform support for Microsoft Passport 1.4 by implementing the client-side protocol for Passport 1.4 authentication. It frees applications from the details of interacting with the Passport infrastructure and with Stored User Names and Passwords in Windows XP. Because of this abstraction, using Passport is, from a developer's perspective, no different from using traditional authentication schemes such as Basic or Digest.

Windows XP:  The HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\NumRegistrationRuns registry value records the number of times the Passport Registration Wizard has been displayed when Passport authentication was required. If this value is set to a number greater than 5, the wizard is no longer displayed.


The following sections describe the transactions involved in Passport authentication from the point of view of a client application. For server-side Passport development, see the Passport SDK Documentation Overview.

Initial Request

When a client requests a resource on a server that requires Passport authentication, the server checks the request for the presence of tickets. If a valid ticket is sent with the request, the server responds with the requested resource. If the ticket does not exist on the client, the server responds with a 302 status code. The response includes the challenge header "WWW-Authenticate: Passport1.4". Clients that are not using Passport can follow the redirection to the Passport login server. More advanced clients typically contact the Passport nexus to determine the location of the Passport login server.

Note   Central to the Microsoft Passport network is the Passport Nexus, which facilitates synchronization of Passport participant sites to ensure that each site has the latest details on network configuration and other issues. Each Passport component (Passport Manager, login servers, update servers, and so on) periodically communicates with the Nexus to retrieve the information it needs to locate, and properly communicate with, the other components in the Passport network. This information is retrieved as an XML document called a Component Configuration Document, or CCD.

Image: the initial request to a Passport affiliate.

Passport Login Server

A Passport login server handles all requests for tickets for any resource in a Passport domain authority. Before a request can be authenticated using Passport, the client application must contact the login server to obtain the appropriate tickets.

When a client requests tickets from a Passport login server, the login server typically responds with a 401 status code to indicate that user credentials must be provided. When these credentials are provided, the login server responds with the tickets required to access the specified resource on the server that holds the originally requested resource. The login server can also redirect the client to another server that can provide the requested resource.

Image: a client ticket request to a Passport login server.

Authenticated Request

When the client has the tickets that correspond to a given server, those tickets are included with all requests to that server. If the tickets have not been modified since they were retrieved from the Passport login server, and the tickets are valid for the resource server, the resource server sends a response that includes both the requested resource and cookies indicating that the user is authenticated for future requests.

The additional cookies in the response are intended to speed up the authentication process. Further requests in the same session for resources on servers in the same Passport Domain Authority all include these additional cookies. Credentials do not need to be sent to the login server again until the cookies expire.

Image: an authenticated request to the resource server (Passport affiliate).

Using Passport in WinHTTP


Passport authentication in WinHTTP is very similar to other authentication schemes. See Authentication in WinHTTP for an overview of authentication in WinHTTP.

In WinHTTP 5.1, Passport authentication is disabled by default and must be explicitly enabled with WinHttpSetOption before use.

WinHTTP handles many of the transaction details of Passport authentication internally. During the initial request, the server responds with a 302 status code when authentication is necessary. The 302 status code actually indicates a redirection and is part of the Passport protocol for backwards compatibility. WinHTTP hides the 302 status code, contacts the Passport nexus, and then contacts the login server. The WinHTTP application is notified of the 401 status code sent by the login server to request user credentials. To the application, however, it appears as if the 401 status originated from the server from which the resource was requested. In this way the WinHTTP application is unaware of the interactions with other servers, and it can handle Passport authentication with the same code that handles other authentication schemes.

Typically, a WinHTTP application responds to a 401 status code by supplying authentication credentials. When credentials are supplied with WinHttpSetCredentials or SetCredentials for Passport authentication, the credentials are actually sent to the login server, not to the server named in the request.

However, when responding to a 407 status code, a WinHTTP application must use WinHttpSetOption (with the WINHTTP_OPTION_PROXY_USERNAME and WINHTTP_OPTION_PROXY_PASSWORD options) to provide proxy credentials, rather than WinHttpSetCredentials. Because WinHttpSetOption is a less secure way to supply credentials, it should otherwise be avoided in favour of WinHttpSetCredentials.

Once retrieved, tickets are managed internally and are automatically sent to the applicable servers in future requests.

Note  WinHTTP lets you disable automatic redirection by calling WinHttpSetOption with the WINHTTP_OPTION_DISABLE_FEATURE option and the value WINHTTP_DISABLE_REDIRECTS. Disabling redirection does not interfere with the redirection that WinHTTP handles internally for Passport transactions.

WinHTTP can successfully complete Passport authentication even if an application disables automatic redirection. However, after Passport authentication is complete, an implicit redirect must occur from the Passport login server URL back to the original URL. This redirect is not triggered by a 302 HTTP response; it is implicit in the Passport protocol.

WinHTTP handles this implicit redirect specially. If an application has disabled automatic redirection, WinHTTP requires the application to give it "permission" to redirect automatically in this special case.

To have WinHTTP redirect back to the original URL after authentication, the application must register a callback function with WinHttpSetStatusCallback. WinHTTP can then notify the application with a WINHTTP_CALLBACK_STATUS_REDIRECT callback, which allows the application to cancel the redirect. The application does not need to implement any functionality in the callback; registering it is sufficient to let WinHTTP follow this special-case redirect.

If the application has not set a callback function, the request fails with ERROR_WINHTTP_LOGIN_FAILURE.

Passport Cobranding

Unlike the traditional authentication schemes supported by WinHTTP, Passport can be extensively cobranded. On receiving a 401 status code that indicates a challenge, an application can retrieve the cobranding graphic and text. Retrieve the URL of the cobranding graphic by calling WinHttpQueryOption with the WINHTTP_OPTION_PASSPORT_COBRANDING_URL option, and the cobranding text by calling WinHttpQueryOption with the WINHTTP_OPTION_PASSPORT_COBRANDING_TEXT option. These items can be used to customize a credential-gathering dialog.
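The "Using Passport in WinHTTP" and cobranding sections above describe a procedure: enable Passport on the session, disable ordinary redirects while registering the callback that permits the implicit post-login redirect, answer 401 with WinHttpSetCredentials and 407 with WinHttpSetOption, and read the cobranding text when the challenge arrives. The following program is an added example that ties those steps together; it is not code from the WinHTTP documentation. The host, path and credentials are hypothetical, the WinHTTP calls compile only on Windows (winhttp.h, link with winhttp.lib), and the small retry-decision function, which is portable C, adds a guard the page does not spell out: each set of credentials is offered once, so a rejected password cannot become an endless challenge loop.

```c
/* Added example (not from the WinHTTP documentation): a client that enables
 * Passport 1.4, answers a 401 through WinHttpSetCredentials, a 407 through
 * WinHttpSetOption, reads the cobranding text, and registers a status callback
 * so the implicit post-login redirect is permitted with auto-redirect disabled.
 * Host, path and credentials are hypothetical. passport_next_action is portable
 * C; everything under _WIN32 needs winhttp.h and winhttp.lib. */
#include <stdio.h>
#include <string.h>

typedef enum {
    ACTION_DONE,         /* not a challenge: stop and read the response */
    ACTION_SERVER_CREDS, /* 401: supply Passport user credentials (once) */
    ACTION_PROXY_CREDS,  /* 407: supply proxy credentials (once) */
    ACTION_FAIL          /* same challenge repeated after credentials were sent */
} passport_action;

typedef struct { int server_creds_sent, proxy_creds_sent; } auth_state;

/* Decide how to answer a status code during the Passport hand-shake. Each set
 * of credentials is offered at most once per target, so a rejected password
 * cannot turn into an endless 401/407 retry loop against login server/proxy. */
passport_action passport_next_action(unsigned status, auth_state *st)
{
    switch (status) {
    case 401:
        if (st->server_creds_sent) return ACTION_FAIL;
        st->server_creds_sent = 1;
        return ACTION_SERVER_CREDS;
    case 407:
        if (st->proxy_creds_sent) return ACTION_FAIL;
        st->proxy_creds_sent = 1;
        return ACTION_PROXY_CREDS;
    default:
        return ACTION_DONE;
    }
}

#ifdef _WIN32
#include <windows.h>
#include <winhttp.h>

/* Registering a callback is what grants WinHTTP "permission" to follow the
 * implicit login-server -> original-URL redirect while WINHTTP_DISABLE_REDIRECTS
 * is set. The body may be empty; this one only logs the redirect target. */
static void CALLBACK status_cb(HINTERNET h, DWORD_PTR ctx, DWORD code, LPVOID info, DWORD len)
{
    (void)h; (void)ctx; (void)len;
    if (code == WINHTTP_CALLBACK_STATUS_REDIRECT)
        printf("redirect to %ls\n", (wchar_t *)info);
}

int main(void)
{
    LPCWSTR host = L"affiliate.example.test", path = L"/protected/resource"; /* hypothetical */
    LPCWSTR user = L"user@example.test", pass = L"hypothetical-password";
    LPCWSTR puser = L"proxyuser", ppass = L"hypothetical-proxy-password";

    HINTERNET hSession = WinHttpOpen(L"PassportSample/1.0", WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
                                     WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0);
    if (!hSession) return 1;

    /* WinHTTP 5.1 ships with Passport disabled; enable it for this session. */
    DWORD pp = WINHTTP_ENABLE_PASSPORT_AUTH;
    WinHttpSetOption(hSession, WINHTTP_OPTION_CONFIGURE_PASSPORT_AUTH, &pp, sizeof pp);

    HINTERNET hConnect = WinHttpConnect(hSession, host, INTERNET_DEFAULT_HTTPS_PORT, 0);
    HINTERNET hRequest = WinHttpOpenRequest(hConnect, L"GET", path, NULL, WINHTTP_NO_REFERER,
                                            WINHTTP_DEFAULT_ACCEPT_TYPES, WINHTTP_FLAG_SECURE);

    /* Refuse ordinary 3xx redirects, but let the Passport-specific one through. */
    DWORD feature = WINHTTP_DISABLE_REDIRECTS;
    WinHttpSetOption(hRequest, WINHTTP_OPTION_DISABLE_FEATURE, &feature, sizeof feature);
    WinHttpSetStatusCallback(hRequest, status_cb, WINHTTP_CALLBACK_FLAG_REDIRECT, 0);

    auth_state st = {0, 0};
    for (;;) {
        if (!WinHttpSendRequest(hRequest, WINHTTP_NO_ADDITIONAL_HEADERS, 0,
                                WINHTTP_NO_REQUEST_DATA, 0, 0, 0) ||
            !WinHttpReceiveResponse(hRequest, NULL)) {
            /* ERROR_WINHTTP_LOGIN_FAILURE here means no status callback was registered. */
            printf("request failed: %lu\n", GetLastError());
            break;
        }
        DWORD status = 0, size = sizeof status;
        WinHttpQueryHeaders(hRequest, WINHTTP_QUERY_STATUS_CODE | WINHTTP_QUERY_FLAG_NUMBER,
                            WINHTTP_HEADER_NAME_BY_INDEX, &status, &size, WINHTTP_NO_HEADER_INDEX);

        passport_action act = passport_next_action(status, &st);
        if (act == ACTION_SERVER_CREDS) {
            /* Cobranding text becomes available once the 401 challenge has arrived. */
            wchar_t brand[256]; DWORD blen = sizeof brand;
            if (WinHttpQueryOption(hRequest, WINHTTP_OPTION_PASSPORT_COBRANDING_TEXT, brand, &blen))
                printf("login prompt: %ls\n", brand);
            /* The 401 appears to come from the resource server, but these
             * credentials are delivered to the Passport login server. */
            WinHttpSetCredentials(hRequest, WINHTTP_AUTH_TARGET_SERVER, WINHTTP_AUTH_SCHEME_PASSPORT,
                                  user, pass, NULL);
        } else if (act == ACTION_PROXY_CREDS) {
            /* Proxy challenge: WinHttpSetOption, not WinHttpSetCredentials; lengths are in characters. */
            WinHttpSetOption(hRequest, WINHTTP_OPTION_PROXY_USERNAME, (LPVOID)puser, (DWORD)wcslen(puser));
            WinHttpSetOption(hRequest, WINHTTP_OPTION_PROXY_PASSWORD, (LPVOID)ppass, (DWORD)wcslen(ppass));
        } else {
            printf("final status %lu%s\n", status, act == ACTION_FAIL ? " (credentials rejected)" : "");
            break;
        }
    }
    WinHttpCloseHandle(hRequest);
    WinHttpCloseHandle(hConnect);
    WinHttpCloseHandle(hSession);
    return 0;
}
#endif
```

Build on Windows with `cl passport_client.c winhttp.lib`. With auto-redirect disabled, the only redirect the client follows is the one WinHTTP issues after the login server has handed out tickets, which is exactly the behaviour the text describes.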

Stored User Names and Passwords

Windows XP introduced the concept of Stored User Names and Passwords. If a user's Passport credentials are saved through the Passport Registration Wizard or the standard credential dialog, they are kept in Stored User Names and Passwords. When WinHTTP is used on Windows XP or later, it automatically uses the credentials in Stored User Names and Passwords if credentials are not explicitly set. This is similar to the support for default logon credentials with NTLM/Kerberos. However, use of default Passport credentials is not subject to the automatic logon policy settings, so an application that must not send saved credentials silently has to set credentials explicitly (or disable Passport) rather than rely on that policy.

Disabling Passport Authentication

Some applications might require the ability to disable Passport authentication. For example, when a Passport affiliate responds with the initial 302 status code, it might be preferable to follow the indicated redirection and render the HTML Passport authentication page rather than allowing WinHTTP to handle the authentication internally. Passport authentication is disabled in WinHTTP by calling WinHttpSetOption with the WINHTTP_OPTION_CONFIGURE_PASSPORT_AUTH option and the value WINHTTP_DISABLE_PASSPORT_AUTH. It can later be re-enabled with WINHTTP_ENABLE_PASSPORT_AUTH.

Passport authentication cannot be disabled when using the WinHttpRequest object.

As noted earlier in this section, Passport authentication is disabled by default in WinHTTP 5.1 and must be explicitly enabled with WinHttpSetOption before use.

Passport Configuration Overrides Used for Testing

WinHTTP relies on the configuration information it downloads from the Passport nexus server to support Passport 1.4 authentication. By default this secure (SSL) server is nexus.passport.com, and the configuration resource is rdr/pprdr.asp, which is known as the "live" Passport configuration. The information is delivered in a custom HTTP header, "PassportURLs", whose value is a list of comma-delimited attribute-value pairs.

For example, "https://nexus.passport.com/rdr/pprdr.asp" returns the following configuration information:

PassportURLs: DARealm=Passport.net,
DALogin=login.passport.com/login2.asp,
DAReg=http://register.passport.com/defaultwiz.asp,
Properties=https://memberservices.passport.com/ppsecure/MSRV_EditProfile.asp,
Privacy=http://www.passport.com/consumer/privacypolicy.asp,
GeneralRedir=http://nexusrdr.passport.com/redir.asp,
Help=http://memberservices.passport.com/UI/MSRV_UI_Help.asp,
ConfigVersion=2
\r\n

The parts relevant to WinHTTP are DARealm, DALogin, and ConfigVersion. For performance reasons they are cached for the lifetime of a WinHTTP session. Applications that must work with a Passport infrastructure other than the "live" production setup can override these three values by changing the appropriate registry settings under

HKEY_LOCAL_MACHINE
   SOFTWARE
      Microsoft
         Windows
            CurrentVersion
               Internet Settings
                  WinHttp
                     Passport Test
LoginServerRealm (REG_SZ)    For example: abc.net
LoginServerUrl (REG_SZ)      For example: https://private-login.passport.com/login2.asp
ConfigVersion (REG_DWORD)    For example: 10

If LoginServerUrl is present in the registry, WinHTTP does not contact the nexus server for the other configuration values. In that case LoginServerRealm and ConfigVersion should also be set to correct values through the registry. Because LoginServerUrl determines where WinHTTP delivers the user's Passport credentials, this HKLM override belongs only on test machines; confirm that the "Passport Test" key is absent on production systems.
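The two passages above describe the data WinHTTP consumes: the "PassportURLs" header format (comma-delimited attribute-value pairs, of which only DARealm, DALogin and ConfigVersion matter) and the rule that a LoginServerUrl registry override replaces the nexus-derived values. The following program is an added example, not part of the WinHTTP documentation: it parses the sample header shown above and applies the override rule. The override values are the page's own examples (abc.net, https://private-login.passport.com/login2.asp, 10), supplied as a struct so the program runs offline; reading them from the "Passport Test" registry key is assumed to happen elsewhere and is not shown.

```c
/* Added example (not from the WinHTTP documentation): parse the "PassportURLs"
 * header that WinHTTP downloads from the nexus and apply the testing-override
 * rule: when LoginServerUrl is present, the nexus values for DARealm, DALogin
 * and ConfigVersion are not used. SAMPLE_PASSPORT_URLS is the header value
 * shown on the page; the override values are the page's own examples. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char SAMPLE_PASSPORT_URLS[] =
    "DARealm=Passport.net,"
    "DALogin=login.passport.com/login2.asp,"
    "DAReg=http://register.passport.com/defaultwiz.asp,"
    "Properties=https://memberservices.passport.com/ppsecure/MSRV_EditProfile.asp,"
    "Privacy=http://www.passport.com/consumer/privacypolicy.asp,"
    "GeneralRedir=http://nexusrdr.passport.com/redir.asp,"
    "Help=http://memberservices.passport.com/UI/MSRV_UI_Help.asp,"
    "ConfigVersion=2\r\n";

typedef struct {
    char realm[256];     /* DARealm       */
    char login_url[256]; /* DALogin       */
    long config_version; /* ConfigVersion */
    int have_realm, have_login, have_version;
} passport_config;

/* Values an application would read from HKLM\...\Internet Settings\WinHttp\Passport Test.
 * login_url == NULL means LoginServerUrl is absent (registry access itself is not shown). */
typedef struct {
    const char *login_url; /* LoginServerUrl   (REG_SZ)    */
    const char *realm;     /* LoginServerRealm (REG_SZ)    */
    long config_version;   /* ConfigVersion    (REG_DWORD) */
} passport_override;

static int is_ws(char c) { return c == ' ' || c == '\t' || c == '\r' || c == '\n'; }

/* Copy src[0..len) into dst, stripping surrounding whitespace/CRLF, NUL-terminated. */
static void trim_copy(char *dst, size_t cap, const char *src, size_t len)
{
    while (len && is_ws(src[0])) { src++; len--; }
    while (len && is_ws(src[len - 1])) len--;
    if (len >= cap) len = cap - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Parse the comma-delimited attribute=value list. Only the three attributes
 * WinHTTP uses are kept; others are skipped. Returns how many were recognised. */
int parse_passport_urls(const char *value, passport_config *cfg)
{
    int found = 0;
    memset(cfg, 0, sizeof *cfg);
    for (const char *p = value; ; ) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', len);
        if (eq) {
            char key[64], val[256];
            trim_copy(key, sizeof key, p, (size_t)(eq - p));
            trim_copy(val, sizeof val, eq + 1, len - (size_t)(eq + 1 - p));
            if (strcmp(key, "DARealm") == 0) { strcpy(cfg->realm, val); cfg->have_realm = 1; found++; }
            else if (strcmp(key, "DALogin") == 0) { strcpy(cfg->login_url, val); cfg->have_login = 1; found++; }
            else if (strcmp(key, "ConfigVersion") == 0) {
                cfg->config_version = strtol(val, NULL, 10); cfg->have_version = 1; found++;
            }
        }
        if (!end) break;
        p = end + 1;
    }
    return found;
}

/* Returns 1 if the nexus would still be contacted (no LoginServerUrl override),
 * 0 if the registry override replaces the nexus-derived values entirely. */
int effective_passport_config(const passport_config *nexus, const passport_override *ov,
                              passport_config *out)
{
    if (ov && ov->login_url) {
        memset(out, 0, sizeof *out);
        snprintf(out->login_url, sizeof out->login_url, "%s", ov->login_url);
        out->have_login = 1;
        if (ov->realm) { snprintf(out->realm, sizeof out->realm, "%s", ov->realm); out->have_realm = 1; }
        out->config_version = ov->config_version;
        out->have_version = 1;
        return 0;
    }
    *out = *nexus;
    return 1;
}

int main(void)
{
    passport_config nexus, eff;
    passport_override test_override = { "https://private-login.passport.com/login2.asp", "abc.net", 10 };
    parse_passport_urls(SAMPLE_PASSPORT_URLS, &nexus);

    effective_passport_config(&nexus, NULL, &eff);
    printf("live: realm=%s login=%s version=%ld\n", eff.realm, eff.login_url, eff.config_version);
    /* With the override present, a 401 would send credentials to the override URL. */
    effective_passport_config(&nexus, &test_override, &eff);
    printf("test: realm=%s login=%s version=%ld\n", eff.realm, eff.login_url, eff.config_version);
    return 0;
}
```

The return value of effective_passport_config is the practical check: 0 means the machine is configured to send Passport credentials somewhere other than the live login server.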

For testing purposes, an application may need to download the Passport configuration from a private nexus server. This is done by overriding two registry values under

HKEY_LOCAL_MACHINE
   SOFTWARE
      Microsoft
         Windows
            CurrentVersion
               Internet Settings
                  WinHttp
                     Passport Test
NexusHost (REG_SZ)    e.g. private-nexus.passport.com
NexusObj (REG_SZ)     e.g. config/passport.asp

Related topics

Authentication in WinHTTP