Asp.net 2.0 Windows Authentication

最新推荐文章于 2021-12-17 17:04:37 发布
最新推荐文章于 2021-12-17 17:04:37 发布
阅读量1.3k 收藏
点赞数
分类专栏: .NET

http://msdn.microsoft.com/en-us/library/ff647076.aspx

IIS Authentication

When ASP.NET is configured for Windows authentication, it relies on IIS to authenticate its clients using the configured authentication mode. IIS determines the authentication mode for a particular application by examining its metabase settings. After successfully authenticating a user, IIS passes the Windows token representing the authenticated user to the ASP.NET worker process (w3wp.exe) in which the ASP.NET application is hosted. If your application uses a virtual directory that is configured in IIS to support anonymous access, the token represents the anonymous Internet user account; otherwise, the token represents the authenticated user.

IIS supports the following modes of authentication:

  • Anonymous. If you do not need to authenticate your clients (or you use a custom authentication mechanism, such as forms authentication), you can configure IIS to allow anonymous access. In this event, IIS creates a Windows token to represent all anonymous users with the same anonymous (or guest) account. The default anonymous account is IUSR_MACHINENAME, where MACHINENAME is the NetBIOS name of the computer that was specified during installation.
  • Basic. Basic authentication requires the user to supply credentials in the form of a user name and password to prove their identity. Basic authentication is based on the Internet standard RFC 2617, and is supported by all popular browsers. The user's credentials are transmitted from the browser to the Web server in an unencrypted Base64-encoded format. To help protect the credentials, you should only use basic authentication with Secure Sockets Layer (SSL). Because the Web server obtains the user's credentials unencrypted, ASP.NET applications can impersonate the caller and use their credentials to access network resources.
.......


ASP.NET Authentication

IIS passes to ASP.NET the token that represents the authenticated user or anonymous user account. This token is maintained inside an IIdentity object that is contained inside an IPrincipal object, which, in turn, is attached to the current Web request thread. The IPrincipal and IIdentity objects can be accessed through the HttpContext.User property. These objects and this property are set by authentication modules, which are implemented as HTTP modules and invoked as a standard part of the ASP.NET pipeline, which is shown in Figure 3.

Ff647076.refaspnetpipelineprocessing(en-us,PandP.10).gif

Figure 3. ASP.NET pipeline

The ASP.NET pipeline model consists of an HttpApplication object, various HTTP module objects, and an HTTP handler object, along with their associated factory objects. An HttpRuntime object is used at the start of the processing sequence. Throughout the request life cycle, an HttpContext object is used to convey details about the request and response.

For more information about the ASP.NET request life cycle, see "ASP.NET Life Cycle" at http://msdn.microsoft.com/en-us/library/ms227435(VS.80).aspx.

Authentication Modules

ASP.NET 2.0 defines a set of HTTP modules in the machine-level Web.config file. These include a number of authentication modules as shown here:

<httpModules>

  <add name="WindowsAuthentication"
    type="System.Web.Security.WindowsAuthenticationModule" />
  <add name="FormsAuthentication" 
    type="System.Web.Security.FormsAuthenticationModule" />
  <add name="PassportAuthentication" 
    type="System.Web.Security.PassportAuthenticationModule" />

</httpModules>

Only one authentication module is loaded, and this is dependent on which authentication mode has been specified in the authentication element of the configuration file. The authentication module creates an IPrincipal object and stores it in the HttpContext.User property. This is vital because other authorization modules use this IPrincipal object to make authorization decisions.

When anonymous access is enabled in IIS and the mode attribute of the authentication element is set to none, there is a special module that puts a default anonymous principal into the HttpContext.User property. As a result, HttpContext.User is never a null reference (Nothing in Visual Basic) after authentication.

WindowsAuthenticationModule

The WindowsAuthenticationModule class is activated when the following element is in the Web.config file.

<authentication mode="Windows" />

The WindowsAuthenticationModule class is responsible for creating WindowsPrincipal and WindowsIdentity objects to represent the authenticated user, and for attaching these objects to the current Web request.

For Windows authentication, the following sequence occurs:

  1. The WindowsAuthenticationModule class creates a WindowsPrincipal object using the Windows access token that is passed from IIS to ASP.NET. This token is wrapped in the WorkerRequest property of the HttpContext class. When the AuthenticateRequest event is raised, theWindowsAuthenticationModule retrieves the token from the HttpContext class and creates the WindowsPrincipal object. The HttpContext.Userproperty is set with this WindowsPrincipal object and represents the security context of the authenticated user for all authorization modules and ASP.NET pages.
  2. The WindowsAuthenticationModule class uses P/Invoke to call Win32 functions and obtain the list of Windows groups to which the user belongs. These groups are used to populate the WindowsPrincipal role list.
  3. The WindowsAuthenticationModule class stores the WindowsPrincipal object in the HttpContext.User property. This is subsequently used by authorization modules to authorize the authenticated user.
Note: The  DefaultAuthenticationModule class, which is also part of the ASP.NET pipeline, sets the  Thread.CurrentPrincipal property to the same value as the  HttpContext.User property. It does so after the  AuthenticateRequest event is handled.

Authorization Modules

After the WindowsAuthenticationModule class has finished its processing, the authorization modules are called if the request has not been rejected. The authorization modules are also defined in the httpModules element in the machine-level Web.config file as shown here:

<httpModules>
  <add name="UrlAuthorization" 
    type="System.Web.Security.UrlAuthorizationModule" />
  <add name="FileAuthorization" 
    type="System.Web.Security.FileAuthorizationModule" />
  <add name="AnonymousIdentification" 
    type="System.Web.Security.AnonymousIdentificationModule" />
</httpModules>
UrlAuthorizationModule

When the UrlAuthorizationModule class is called, it checks for an authorization element in either the machine-level or application-specific Web.config file. If present, the UrlAuthorizationModule class retrieves the IPrincipal object from the HttpContext.User property, and then determines whether the user is authorized to access the requested resource by using the specified verb (GET, POST, and so on).

FileAuthorizationModule

Next, the FileAuthorizationModule class is called. It checks whether the IIdentity object in the HttpContext.User.Identity property is an instance of theWindowsIdentity class. If the IIdentity object is not an instance of the WindowsIdentity class, then the FileAuthorizationModule class stops processing.

If an instance of the WindowsIdentity class is present, the FileAuthorizationModule class calls the AccessCheck Win32 function (through P/Invoke) to determine whether the authenticated client is authorized to access the requested file. If the file's security descriptor contains at least a Read Access Control Entry (ACE) in its Discretionary Access Control List (DACL), the request is allowed to proceed. Otherwise, the FileAuthorizationModule class calls theHttpApplication.CompleteRequest method and returns a 401 status code to the client.

Security Context

The .NET Framework encapsulates Windows tokens and logon sessions with the following two interfaces:

  • System.Security.Principal.IPrincipal
  • System.Security.Principal.IIdentity (This is exposed as a property in the IPrincipal interface.)

HttpContext.User

In ASP.NET, the security context of a user that is authenticated with Windows authentication is represented by the WindowsPrincipal and WindowsIdentityclasses. ASP.NET applications that use Windows authentication can access the WindowsPrincipal class through the HttpContext.User property.

To retrieve the security context of the Windows authenticated user that initiated the current request, use the following code:

using System.Security.Principal;
...
// Obtain the authenticated user's Identity
WindowsPrincipal winPrincipal = (WindowsPrincipal)HttpContext.Current.User;

WindowsIdentity.GetCurrent

The WindowsIdentity.GetCurrent method can be used to obtain the identity of the security context of the Win32 thread that is currently running. Without impersonation, the thread inherits the security context of the process on IIS 6.0, which is the NetworkService account by default.

This security context is used when accessing local resources. You can override this security context with impersonation by using either the original authenticated user's security context or by using a fixed identity.

To retrieve the security context under which the application is running, use the following code:

using System.Security.Principal;
...
// Obtain the authenticated user's identity.
WindowsIdentity winId = WindowsIdentity.GetCurrent();
WindowsPrincipal winPrincipal = new WindowsPrincipal(winId);

Thread.CurrentPrincipal

Each thread in an ASP.NET application exposes a CurrentPrincipal object, which holds the original authenticated user's security context. This security context can be used for role-based authorization.

To retrieve the thread's current principal, use following code:

using System.Security.Principal;
...
// Obtain the authenticated user's identity
WindowsPrincipal winPrincipal = (WindowsPrincipal) Thread.CurrentPrincipal();

Table 1 shows the resulting identities that are obtained from the various identity properties available to ASP.NET application code when your application uses Windows authentication and IIS is configured to use Integrated Windows authentication.

Table 1: Thread Exposed CurrentPrincipal Object

Web.config settings Variable location Resultant identity
<identity impersonate="true"/>
<authentication mode="Windows" />		 HttpContext
WindowsIdentity
Thread		 Domain\UserName
Domain\UserName
Domain\UserName
<identity impersonate="false"/>
<authentication mode="Windows" />		 HttpContext
WindowsIdentity
Thread		 Domain\UserName
NT AUTHORITY\NETWORK SERVICE
Domain\UserName
<identity impersonate="true"/>
<authentication mode="Forms" />		 HttpContext
WindowsIdentity
Thread		 Name provided by user
Domain\UserName
Name provided by user
<identity impersonate="false"/>
<authentication mode="Forms" />		 HttpContext
WindowsIdentity
Thread		 Name provided by user
NT AUTHORITY\NETWORK SERVICE
Name provided by user

Impersonation

An ASP.NET application can use impersonation to perform operations and access resources with the security context of the authenticated client or of a specific Windows account.

Original User Impersonation

To impersonate the original (authenticated) user, use the following configuration in the Web.config file:

<authentication mode="Windows" />
<identity impersonate="true" />

With this configuration, ASP.NET always impersonates the authenticated user, and all resource access is performed using the authenticated user's security context. If anonymous access is enabled on your application's virtual directory, the IUSR_MACHINENAME account is impersonated.

To temporarily impersonate the authenticated caller, set the impersonate attribute of the identity element to false, and then use the following code:

using System.Security.Principal;
...
// Obtain the authenticated user's identity.
WindowsIdentity winId = (WindowsIdentity)HttpContext.Current.User.Identity;
WindowsImpersonationContext ctx = null;
try
{
    // Start impersonating.
    ctx = winId.Impersonate();
    // Now impersonating.
    // Access resources using the identity of the authenticated user.
}
// Prevent exceptions from propagating.
catch
{
}
finally
{
    // Revert impersonation.
    if (ctx != null)
        ctx.Undo();
}
// Back to running under the default ASP.NET process identity.

This code impersonates the original authenticated user. The original user's identity and Windows token are maintained in theHttpContext.Current.User.Identity object.

Fixed Identity Impersonation

If you need to impersonate the same identity throughout the lifetime of your application, you can specify credentials on the identity element in your Web.config file. The following example shows how to impersonate a Windows account named "TestUser".

<identity impersonate="true" username="TestUser" password="P@ssw0rd" />

If you use this approach, you should encrypt the credentials. With ASP.NET 2.0, you can use the ASP.NET IIS Registration Tool (Aspnet_regiis.exe). With ASP.NET version 1.1, you can use the Aspnet_setreg.exe utility. For more information about this utility, see http://msdn.microsoft.com/en-us/library/k6h9cz8h(VS.71).aspx.

To use a fixed identity for resource access in ASP.NET applications, you can configure credentials by using the identity element on Windows 2000 Server or Windows Server 2003. If you are running Windows Server 2003 with IIS 6.0 configured to run in worker process isolation mode (the default), you can avoid impersonation by configuring your ASP.NET application to run in a custom application pool that runs under a specific domain identity. Then you can use the specified domain identity to access resources without using impersonation.

Delegation

Impersonation gives access to local resources only. Delegation is an extended impersonation capability that enables you to use an impersonation token to access network resources.

If your application uses Kerberos v5 authentication to authenticate its users, you can use Kerberos delegation to pass the user's identity through the layers of your application and to access network resources. If your application does not use Kerberos v5 authentication, you can use protocol transition to switch to Kerberos, and then use delegation to pass on the identity.

Constrained delegation in Windows Server 2003 requires Kerberos authentication. If your application cannot use Kerberos authentication to authenticate its callers, you can use protocol transition to switch from an alternate, non-Windows authentication mode (such as forms or certificate authentication) to Kerberos authentication. You can then use Kerberos with constrained delegation to access downstream network resources.

Constrained and Unconstrained Delegation

Kerberos delegation on Windows 2000 Server is unconstrained. Servers that are configured for delegation in Active Directory can access any network resources or any computer on the network while using the impersonated user's security context. This represents a potential security threat, particularly if the Web server is compromised by a malicious user.

To address this security issue, Windows Server 2003 introduces constrained delegation. This enables administrators to specify exactly which services another server or domain account can access when using an impersonated user's security context.

Configuring Delegation

To use Kerberos delegation, appropriate Active Directory configuration is required.

To grant the Web server the right to delegate client credentials, configure Active Directory as follows:

  • If you run your application under the NetworkService account, the Web server computer account must be marked in Active Directory as trusted for delegation.
  • If you run your application under a custom domain account, this user account must be marked in Active Directory as trusted for delegation.
  • If your application impersonates a user account, make sure that the user account your application impersonates is not marked as "Sensitive and cannot be delegated" in Active Directory.

For more information about protocol transition and constrained delegation, see How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0.



ASP.NET 2.0动态网站设计教程 作者:李春葆讲义PPT
07-25
安全性是ASP.NET 2.0不可忽视的一部分,包括身份验证(Authentication)、授权(Authorization)以及cookie管理等。默认的安全机制如Forms Authentication提供了用户登录和会话管理的解决方案。 最后,ASP.NET 2.0...
microsoft-authentication-library-for-objc:适用于iOS和macOS的Microsoft身份验证库(MSAL)
05-12
适用于iOS和macOS的Microsoft身份验证库 适用于iOS和macOS的MSAL库通过使用行业标准OAuth2和OpenID Connect支持融合体验的和,使您的应用程序能够开始使用。 对于使用我们的托管身份管理服务的用户,该库还支持 。 快速样品 Swift let config = MSALPublicClientApplicationConfig ( clientId : " <your> " ) let scopes = [ " your-scope1-here " , " your-scope2-here " ] if let application = try ? MSALPublicClientApplication ( configuration : config) { # if os
asp.net Windows Authentication
qq_37112587的博客
02-10 781
一、Windows Authentication 1.1 概述 authentication——认证 作用是识别用户身份 Windows Authentication 用户提供windows账户信息进行身份验证 包括basic、digest以及集成windows认证 主要用于局域网内部 1.2 basic 采用“质询-应答”的方式 认证过程 客户端向服务器请求资源 服务端向客户端索要身份凭证,并在响应报头的WWW-Authenticate中标识认证方式为basic 浏览器识别到该报头,自
关于ASP.NET MVC中Form AuthenticationWindows Authentication的简单理解
写代码的蜗牛
08-14 5116
一般互联网应用,如人人网,微博,都是需要用户登录的,如果用户不登陆,就不能使用此网站。所以,这里都是用FormAuthentication,要求用户填写用户名与密码,然后登录成功后,FormAuthentication.SetAuthCookie()方式向客户端Cookie中写入一个认证Token. 一般企业内部的应用,企业内部信息系统,使用Windows Auhentication.
ASP.NET 中的 Windows 身份验证
中辽普坦的专栏
12-26 4365
Windows身份验证给开发者提供了一个使用Windows平台及NTFS文件系统内置安全特性的方式。它也利用了内置于IIS的安全特性。通过使用Windows身份验证,可以使用很少,甚至不用代码就可以构建一个高安全等级的asp.net应用程序。不过只有客户端使用windows平台,并且在web服务器上,或者web服务器从属的Windows域上有一个账户,Windows身份验证才起作用。 有五种类型
Asp.net windows authentication 简单流程
野狼位位的博客
03-13 1493
API 程序的认证过程:编写api程序在startup.cs中的configureServices中添加services.AddAuthentication(IISDefaults.AuthenticationScheme)在launchSettings.json中将 :"windowsAuthentication": true,    "anonymousAuthentication": tru...
How To: Use Windows Authentication in ASP.NET 2.0
camel0564的专栏
11-09 1847
 SummaryThis How To shows you how to configure and use Windows authentication in an ASP.NET Web application. It also shows various impersonation options available with Windows authentication and h
Asp.net2.0投票演示程序.zip
06-18
总的来说,这个Asp.NET 2.0投票演示程序展示了ASP.NET 2.0的核心特性和Web开发的最佳实践,包括但不限于Web控件的使用、数据绑定、状态管理、数据库操作、安全性以及用户权限管理。通过学习和分析这个程序,开发者...
ASP.NET源码——Asp.net2.0自动排班系统源码.zip
10-10
ASP.NET 源码——Asp.net2.0 自动排班系统源码】 ASP.NET 是微软开发的一款用于构建 Web 应用程序的框架,它基于 .NET Framework 平台,提供了丰富的功能和组件,使得开发者能够快速、高效地构建动态网站、Web ...
ASP.NET2.0SMRM.zip_.net编程_ASP_
08-11
ASP.NET 2.0是微软开发的一个用于构建Web应用程序的框架,它在.NET Framework 2.0的基础上提供了许多增强的功能,特别是在安全、身份验证和授权方面。本压缩包中的资源,"Wrox+-+Professional+ASP.NET+2.0+Security+...
杰邦教学管理系统源码源码(Asp.net2.0).zip
06-19
在安全方面,Asp.net2.0提供了身份验证(Authentication)和授权(Authorization)服务,可以方便地实现用户登录、角色管理和权限控制。通过Windows身份验证、Forms身份验证等方式,系统可以有效地保护用户信息和...
用于js的microsoft-authentication-library-for:用于JS的Microsoft身份验证库(MSAL)
02-24
用于JavaScript的Microsoft身份验证库(MSAL.js) Microsoft JavaScript身份验证库使运行在Web浏览器中的客户端JavaScript Web应用程序能够使用对工作和学校帐户(AAD),Microsoft个人帐户(MSA)以及Facebook,Google等社交身份提供程序进行身份验证,LinkedIn,Microsoft帐户等通过服务。 它还使您的应用程序能够获取令牌来访问等服务。 资料库 核心和包装器库 文件夹包含我们所有库的源代码。 您还将在各自的README.md中找到有关安装库的所有详细信息。 :一个库,可通过JavaScript应用程序中的Microsoft Identity平台启用身份验证和令牌获取。 实现以下OAuth 2.0协议,并且 : :基于浏览器的,与框架无关的浏览器库,可通过JavaScript应用程序中的Microso
Windows Authentication How-To
BLOG域名:programb.blog.csdn.net
04-24 186
The Apache Tomcat Servlet/JSP Container Apache Tomcat 7 Version 7.0.103, Mar 16 2020 Apache Logo Links Docs Home FAQ User Comments User Guide 1) Introduction 2) Setup 3) First webapp 4) Deployer 5)...
认证方式
weixin_30877227的博客
07-27 141
Claims-based 分开认证和授权,如用QQ账户登录系统。 .net 下实现 ClaimsIdentity ClaimsPrincipal Windows 使用windows认证: <authentication mode="Windows" /> 相关模块: WindowsAuthenticationModule  //Authenticat...
Asp.net 2.0 自定义伪静态源码
weixin_30790841的博客
08-22 102
根据微软官方伪静态UrlRewrite.dll源码,自己改写应用进项目中。 1、首先,我们写个用于HttpModule请求的类 RolesProvider using System; using System.Text; using System.Web; using System.Web.Security; using System.Security.Principal; ...
ASP.NET Internet安全Forms身份验证 原理指南
su317的专栏
07-21 791
http://www.cnblogs.com/ioriwellings/archive/2009/02/27/1399421.html摘要 安全性是 ASP.NET Web 应用程序中一个非常重要的方面,它涉及内容非常广泛,不能在一篇文章内说明所有的安全规范,本文讲述如何利用IIS以及Forms 身份验证构建安全的 ASP.NET 应用程序,它是目前被使用最多最广的验证/授权方式.
细说ASP.NET Windows身份认证
小草旁的大树
05-08 1087
阅读目录 开始认识ASP.NET Windows身份认证访问 Active Directory在ASP.NET中访问Active Directory使用Active Directory验证用户身份安全上下文与用户模拟在IIS中配置Windows身份认证关于浏览器的登录对话框问题在客户端代码中访问Windows身份认证的页面 上篇博客我谈到了一些关于ASP.NET Forms身份
Asp.net Authentication and Authrozation
riverlau的专栏
06-02 1028
Because web applications use the stateless HTTP, no information is retained for the user between requests. As a result, the user must be authenticated and authorized at the beginning of each request.
presto Authentication using username/password requires SSL to be enabled
scffenggg008的博客
12-17 5062
如图报错 此问题是由于presto的限制,连接填写了密码,presto就认为是有配置帐号密码了,这时候为了安全就走SSL认证,但是实际presto没有设置SSL认证,所以出现报错·。具体说明可以参考presto的官方文档:Secure Internal Communication — Presto 0.266.1 Documentation 若presto没有设置SSL认证,只需填写用户名,不需要填写密码。 注:如果是有帐号密码的,已经开启了SSL,如果没有密码,则是没有开启SSL。 ...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值