I am trying to create an authentication system that works within the limitations of my organisation's network infrastructure both when inside the local network and outside.
我正在尝试创建一个身份验证系统,该系统在本地网络内外的组织网络基础架构的限制范围内工作。
When inside the local network I want people to be able to access this ASP.NET Web Forms application without having to log in using their Windows login.
在本地网络内部时,我希望人们能够访问此ASP.NET Web窗体应用程序,而无需使用Windows登录名登录。
Externally I want people to have to log in through a custom login form.
在外部我希望人们必须通过自定义登录表单登录。
The reason is that Windows authentication does not work outside of our local network, due to the local infrastructure.
原因是由于本地基础结构,Windows身份验证在本地网络之外不起作用。
So, I created a password protected folder by disabling anonymous authentication just for that folder, and then on every page request I check if the user is flagged as being logged in (details on how I do this are unimportant) and if they aren't I redirect to a page that does an AJAX request to a web service located inside the password protected folder to see if they are logged in on the local network. If they aren't then it redirects to the custom login form page.
因此,我通过仅为该文件夹禁用匿名身份验证创建了一个受密码保护的文件夹,然后在每个页面请求中检查用户是否被标记为已登录(有关我如何执行此操作的详细信息并不重要)以及它们是否不重要我重定向到一个页面,该页面向位于受密码保护的文件夹内的Web服务发出AJAX请求,以查看它们是否已登录到本地网络。如果不是,则重定向到自定义登录表单页面。
Now this all sounded like a good idea at the time but in practice it does something undesirable... When an external user attempts to access and the AJAX request is made, I get a browser username and password prompt which has to be cancelled to continue.
现在这一切听起来都是一个好主意,但在实践中它做了一些不受欢迎的事情......当外部用户试图访问并发出AJAX请求时,我得到一个浏览器用户名和密码提示,必须取消才能继续。
I appreciate that this type of authentication is part of HTTP and probably can't be bypassed, even using AJAX, but any ideas how I can get this working without the username/password prompt or an alternate way of checking whether local network or external access?
我很欣赏这种类型的身份验证是HTTP的一部分,甚至可能无法绕过,甚至使用AJAX,但任何想法如何在没有用户名/密码提示或检查本地网络或外部访问的替代方法的情况下如何工作?
I know I could check the IP address but I understand this can be faked (although that would only cause an issue to the user attempting to do this).
我知道我可以检查IP地址,但我知道这可能是伪造的(虽然这只会给尝试这样做的用户造成问题)。
I also know I could have a different entry point for internal or external but I wanted to avoid this.
我也知道我可以为内部或外部提供不同的入口点,但我想避免这种情况。
1 个解决方案
#1
0
I couldn't find a solution for exactly what I wanted to do, so I opted to check if the user was on the local network by checking their IP address.
我找不到我想要做的解决方案,所以我选择通过检查他们的IP地址来检查用户是否在本地网络上。
Although this is sent via a HTTP header and can be faked, it will only result in the user being prompted for username and password via Windows authentication.
虽然这是通过HTTP标头发送的并且可以伪造,但它只会导致通过Windows身份验证提示用户输入用户名和密码。
#1
0
I couldn't find a solution for exactly what I wanted to do, so I opted to check if the user was on the local network by checking their IP address.
我找不到我想要做的解决方案,所以我选择通过检查他们的IP地址来检查用户是否在本地网络上。
Although this is sent via a HTTP header and can be faked, it will only result in the user being prompted for username and password via Windows authentication.
虽然这是通过HTTP标头发送的并且可以伪造,但它只会导致通过Windows身份验证提示用户输入用户名和密码。