我有一个MVC客户端访问受IDS4保护的Web API.它们都在我的本地计算机上运行,并由IIS托管.使用本地身份进行身份验证时,该应用程序运行良好.但是,当我尝试使用Windows身份验证时,会不断收到"401未经授权"的消息.开发工具出现错误,登录框不断返回浏览器.
I have a MVC client accessing a Web API protected by IDS4. They all run on my local machine and hosted by IIS. The app works fine when using local identity for authentication. But when I try to use Windows authentication, I keep getting "401 Unauthorized" error from the dev tool and the login box keeps coming back to the browser.
这是Windows身份验证IIS设置
Here is the Windows Authentication IIS setting
和启用的提供商
几乎就像用户ID或密码错误一样,但这几乎是不可能的,因为这是我一直用于登录系统的域用户ID和密码.此外,根据我的阅读,Windows身份验证应该是自动"的,这意味着我将首先进行静默身份验证,而无需登录框.
It's almost like that the user ID or password was wrong, but that's nearly impossible because that's the domain user ID and password I use for logging into the system all the time. Besides, according to my reading, Windows Authentication is supposed to be "automatic", which means I will be authenticated silently without a login box in the first place.
更新
我启用了IIS请求跟踪,这是日志的结果:
I enabled the IIS request tracing and here is the result from the log:
从跟踪日志项#29中可以看到,身份验证(我输入的用户ID为"DOM \ Jack.Backer")成功.但是,此后某些授权项目(#48)失败.这是失败项目的详细信息:
As you can see from the trace log item #29, the authentication (with the user ID I typed in, "DOM\Jack.Backer") was successful. However, some authorization item (#48) failed after that. And here is the detail of the failed item:
有趣的是,ErrorCode表示该操作(无论完成了什么)均已成功完成,但是仍然收到HttpStatus = 401和HttpReason = Unauthorized的警告.显然,这是我的Windows身份验证失败的原因.但是,此授权是关于什么的,我该如何解决?
What's interesting is that the ErrorCode says that the operation (whatever it is) completed successfully, but still I received a warning with a HttpStatus=401 and a HttpReason=Unauthorized. Apparently, this is what failed my Windows Authentication. But what is this authorization about and how do I fix it?
推荐答案万一有兴趣的人-我终于想出了这一点.这是因为我在2020年末从IndentityServer4的快速入门网站下载的代码没有Windows身份验证所需的一些重要内容.这是我必须添加到ExternalController类的Challenge函数中的
In case anyone interested - I finally figured this one out. It is because the code that I downloaded from IndentityServer4's quickstart site in late 2020 doesn't have some of the important pieces needed for Windows authentication. Here is what I had to add to the Challenge function of the ExternalController class
这是ProcessWindowsLoginAsync函数
and here is the ProcessWindowsLoginAsync function
private async Task<IActionResult> ProcessWindowsLoginAsync(string returnUrl) { var result = await HttpContext.AuthenticateAsync(AccountOptions.WindowsAuthenticationSchemeName); if (result?.Principal is WindowsPrincipal wp) { var props = new AuthenticationProperties() { RedirectUri = Url.Action(nameof(Callback)), Items = { { "returnUrl", returnUrl }, { "scheme", AccountOptions.WindowsAuthenticationSchemeName }, } }; var id = new ClaimsIdentity(AccountOptions.WindowsAuthenticationSchemeName); id.AddClaim(new Claim(JwtClaimTypes.Subject, wp.Identity.Name)); id.AddClaim(new Claim(JwtClaimTypes.Name, wp.Identity.Name)); if (AccountOptions.IncludeWindowsGroups) { var wi = wp.Identity as WindowsIdentity; var groups = wi.Groups.Translate(typeof(NTAccount)); var roles = groups.Select(x => new Claim(JwtClaimTypes.Role, x.Value)); id.AddClaims(roles); } await HttpContext.SignInAsync(IdentityConstants.ExternalScheme, new ClaimsPrincipal(id), props); return Redirect(props.RedirectUri); } else { return Challenge(AccountOptions.WindowsAuthenticationSchemeName); } }现在我的Windows身份验证可以正常工作了.
Now my windows authentication works with no issues.
更多推荐
Windows身份验证失败,并显示"401未经授权".
发布评论