在MVC5认证中,“与主域之间的信任关系失败”

时间:2021-12-23 16:55:14

I have a ASP .NET MVC5 application in which I am not using Windows Authentication.

我有一个asp.net MVC5应用程序,在这个应用程序中我不使用Windows身份验证。

Everything was working fine until I tried running the application outside of the Domain in which it was being developed and (for whatever reason) got a:

一切都很顺利,直到我尝试在正在开发的领域之外运行这个应用程序,并且(无论出于什么原因)得到了一个:

The trust relationship between this workstation and the primary domain failed.

when I'm trying to do User.IsInRole("Admin").

当我尝试使用User.IsInRole(“Admin”)时。

I am using custom Identity, Role, IdentityStore, RoleStore, etc. from .NET's Identity and I can see that the User and Role data is being retrieved from the (MongoDB) database correctly.

我正在使用。net标识的自定义标识、角色、标识库、RoleStore等,我可以看到用户和角色数据正在从(MongoDB)数据库中正确地检索。

There are plenty of questions regarding this issue, but they're from people who want to use Windows Auth. and impersonation in their MVC applications:

关于这个问题有很多问题,但这些问题都来自那些想要使用Windows Auth的人。以及MVC应用中的模拟:

So why exactly am I getting this SystemException if I'm not using Active Directory and (as far as I know) not doing anything that might depend on the PC's domain? Am I missing some configuration (either in my Web.config or IIS Express)?

那么,如果我不使用Active Directory,而且(据我所知)不做任何可能依赖于PC域的事情,为什么我要得到这个SystemException呢?我是否遗漏了一些配置(在我的Web中)。配置或IIS Express)?

EDIT:

Ok, so narrowing it down a bit...

好的,把它缩小一点…

My User.IsInRole("Admin") line is inside an if() statement in my _Layout.cshtml View (i.e., to know what to show in the nav. bar depending on the role).

在我的_Layout中,我的User.IsInRole(“Admin”)行位于if()语句中。(即cshtml视图。知道在导航里显示什么。酒吧取决于角色)。

I now know I only get the error above when no user is authenticated and I'm not in the domain I used for dev. If I place a breakpoint on that line, I can see that the User object is is a System.Security.Principal.WindowsIdentity and its underlying Identity is System.Security.Principal.WindowsIdentity.

我现在知道,只有当没有用户通过身份验证且不在我用于dev的域中时,才会得到上面的错误。WindowsIdentity及其底层身份是System.Security.Principal.WindowsIdentity。

On the other hand, if the user is authenticated, then the User object and ts Identity are System.Security.Claims.ClaimsPrincipal and System.Security.Claims.ClaimsIdentity.

另一方面,如果用户经过了身份验证,那么用户对象和ts标识就是System.Security.Claims。ClaimsPrincipal System.Security.Claims.ClaimsIdentity。

Why is it using Windows Identity at all (when unauthenticated) and how can I disable it?

为什么要使用Windows标识(未经身份验证)和如何禁用它?

7 个解决方案

#1


24  

So, based on my EDIT, I've modified my _Layout.cshtml so that instead of having

基于我的编辑,我修改了_Layout。cshtml因此而不是

@if(User.IsInRole("Admin"))  {...}

I have

我有

@if(User.Identity.IsAuthenticated && User.IsInRole("Admin")) {...}

which seems to solve the problem.

这似乎解决了问题。

I believe the problem was that ASP .NET Identity uses an empty WindowsIdentity when no user is authenticated and when I try to check for the User.IsInRole, then it will try to check the roles of a WindowsIdentity against an Active Directory that I don't have. Obviously I should first check if the user is even logged in before attempting to check its roles, so mea culpa.

我认为问题是当没有用户被验证时,当我试图检查用户时,ASP . net标识使用了一个空的WindowsIdentity。然后,它将尝试检查WindowsIdentity的角色和我没有的活动目录。显然,在尝试检查其角色之前,我应该首先检查用户是否已经登录,因此这是错误的。

But, even though the change above seems to fix my code, I'd be very interested in knowing more about this behavior: why is it using an empty System.Security.Principal.WindowsIdentity when no user is authenticated. I'll accept any answer which explains that.

但是,尽管上面的更改似乎修改了我的代码,我还是很有兴趣了解更多关于这种行为的信息:为什么它使用的是空的System.Security.Principal。当没有用户被验证时,WindowsIdentity。我接受任何能解释这一点的回答。

#2


4  

I've had this issue - It failed for me if I tested an active directory group that didn't exist.

我遇到了这个问题——如果我测试了一个不存在的活动目录组,那么它对我来说是失败的。

Make sure you're using a group that exists!

确保您使用的是一个存在的组!

#3


0  

The "trust relationship between the primary domain and the workstation has failed" error message usaully requires that the computer be removed from the domain and then rejoined. Now there are a few ways to do this. As included in the link above, are instructions on how to do so either on the computer displaying the error or remotely. You can also do so in Active Directory and in PowerShell.

“主域和工作站之间的信任关系失败”错误消息usaully要求从域中删除计算机,然后重新联接。现在有几种方法可以做到这一点。如上面的链接所示,是关于如何在计算机上显示错误或远程操作的说明。在Active Directory和PowerShell中也可以这样做。

#4


0  

<authorization>
            <allow roles="pri\Domain Users" users="pri\domain_user" />
            <deny users="?" />
</authorization>
  • make sure that you have the above line in your web.config file and complete the user field with the correct user name.
  • 确保您的web中有上面的行。配置文件并使用正确的用户名完成用户字段。

#5


0  

We were having this same issue on a new production server. Using the Identity Framework and restricting access to a specific directory with a web.config file denying any unauthenticated users. When unauthenticated users tried to access a page in this directory that contained any User.IsInRole("RoleName") code, they were getting the "Trust relationship..." error.

我们在一个新的生产服务器上遇到了同样的问题。使用身份框架,并限制使用web访问特定目录。配置文件拒绝任何未经身份验证的用户。当未经身份验证的用户试图访问这个目录中包含任何User.IsInRole(“RoleName”)代码的页面时,他们会得到“信任关系…”错误。

None of the fixes mentioned in other SO answers worked for us.

其他地方提到的修正都没有,所以答案对我们有用。

Turns out we just had to enable Forms Authentication in IIS - problem solved.

原来我们只需要在IIS解决的问题中启用表单验证。

#6


0  

I've just resolved this in our systems, unfortunately, none of the other suggestions worked for me. The issue was caused by an orphaned SID in a network folder the code was attempting to access. Once removed it started working again.

我刚刚在我们的系统中解决了这个问题,不幸的是,其他的建议对我都不起作用。这一问题是由于代码试图访问的网络文件夹中的一个孤立的SID造成的。一旦移除,它又开始工作。

#7


0  

I had exactly the same scenario with custom Authentication Module and the same error when doing IsInRole. The highest ranking solution (User.Identity.IsAuthenticated && ...) did NOT help. So, I played quite a bit with it. Finally I found that I had to remove a (preCondition="managedHandler") attribute from my module declaration in web.config file. So, instead of:

在定制身份验证模块时,我使用的是完全相同的场景,在执行这个过程时也遇到了相同的错误。*的解决方案(User.Identity)。认证&& &&…)没有帮助。所以,我用它玩了很多次。最后,我发现我必须从web的模块声明中删除一个(preCondition="managedHandler")属性。配置文件。因此,而不是:

  <system.webServer>
    ...
    <modules>
          ...
          <add name="CompanyAuthentication" type="Company.Authentication.AuthHttpHandler" preCondition="managedHandler" />
    </modules>

I would have to have:

我必须:

  <system.webServer>
    ...
    <modules>
          ...
          <add name="CompanyAuthentication" type="Company.Authentication.AuthHttpHandler" />
    </modules>

That did the trick for me!

这就是我的诀窍!

#1


24  

So, based on my EDIT, I've modified my _Layout.cshtml so that instead of having

基于我的编辑,我修改了_Layout。cshtml因此而不是

@if(User.IsInRole("Admin"))  {...}

I have

我有

@if(User.Identity.IsAuthenticated && User.IsInRole("Admin")) {...}

which seems to solve the problem.

这似乎解决了问题。

I believe the problem was that ASP .NET Identity uses an empty WindowsIdentity when no user is authenticated and when I try to check for the User.IsInRole, then it will try to check the roles of a WindowsIdentity against an Active Directory that I don't have. Obviously I should first check if the user is even logged in before attempting to check its roles, so mea culpa.

我认为问题是当没有用户被验证时,当我试图检查用户时,ASP . net标识使用了一个空的WindowsIdentity。然后,它将尝试检查WindowsIdentity的角色和我没有的活动目录。显然,在尝试检查其角色之前,我应该首先检查用户是否已经登录,因此这是错误的。

But, even though the change above seems to fix my code, I'd be very interested in knowing more about this behavior: why is it using an empty System.Security.Principal.WindowsIdentity when no user is authenticated. I'll accept any answer which explains that.

但是,尽管上面的更改似乎修改了我的代码,我还是很有兴趣了解更多关于这种行为的信息:为什么它使用的是空的System.Security.Principal。当没有用户被验证时,WindowsIdentity。我接受任何能解释这一点的回答。

#2


4  

I've had this issue - It failed for me if I tested an active directory group that didn't exist.

我遇到了这个问题——如果我测试了一个不存在的活动目录组,那么它对我来说是失败的。

Make sure you're using a group that exists!

确保您使用的是一个存在的组!

#3


0  

The "trust relationship between the primary domain and the workstation has failed" error message usaully requires that the computer be removed from the domain and then rejoined. Now there are a few ways to do this. As included in the link above, are instructions on how to do so either on the computer displaying the error or remotely. You can also do so in Active Directory and in PowerShell.

“主域和工作站之间的信任关系失败”错误消息usaully要求从域中删除计算机,然后重新联接。现在有几种方法可以做到这一点。如上面的链接所示,是关于如何在计算机上显示错误或远程操作的说明。在Active Directory和PowerShell中也可以这样做。

#4


0  

<authorization>
            <allow roles="pri\Domain Users" users="pri\domain_user" />
            <deny users="?" />
</authorization>
  • make sure that you have the above line in your web.config file and complete the user field with the correct user name.
  • 确保您的web中有上面的行。配置文件并使用正确的用户名完成用户字段。

#5


0  

We were having this same issue on a new production server. Using the Identity Framework and restricting access to a specific directory with a web.config file denying any unauthenticated users. When unauthenticated users tried to access a page in this directory that contained any User.IsInRole("RoleName") code, they were getting the "Trust relationship..." error.

我们在一个新的生产服务器上遇到了同样的问题。使用身份框架,并限制使用web访问特定目录。配置文件拒绝任何未经身份验证的用户。当未经身份验证的用户试图访问这个目录中包含任何User.IsInRole(“RoleName”)代码的页面时,他们会得到“信任关系…”错误。

None of the fixes mentioned in other SO answers worked for us.

其他地方提到的修正都没有,所以答案对我们有用。

Turns out we just had to enable Forms Authentication in IIS - problem solved.

原来我们只需要在IIS解决的问题中启用表单验证。

#6


0  

I've just resolved this in our systems, unfortunately, none of the other suggestions worked for me. The issue was caused by an orphaned SID in a network folder the code was attempting to access. Once removed it started working again.

我刚刚在我们的系统中解决了这个问题,不幸的是,其他的建议对我都不起作用。这一问题是由于代码试图访问的网络文件夹中的一个孤立的SID造成的。一旦移除,它又开始工作。

#7


0  

I had exactly the same scenario with custom Authentication Module and the same error when doing IsInRole. The highest ranking solution (User.Identity.IsAuthenticated && ...) did NOT help. So, I played quite a bit with it. Finally I found that I had to remove a (preCondition="managedHandler") attribute from my module declaration in web.config file. So, instead of:

在定制身份验证模块时,我使用的是完全相同的场景,在执行这个过程时也遇到了相同的错误。*的解决方案(User.Identity)。认证&& &&…)没有帮助。所以,我用它玩了很多次。最后,我发现我必须从web的模块声明中删除一个(preCondition="managedHandler")属性。配置文件。因此,而不是:

  <system.webServer>
    ...
    <modules>
          ...
          <add name="CompanyAuthentication" type="Company.Authentication.AuthHttpHandler" preCondition="managedHandler" />
    </modules>

I would have to have:

我必须:

  <system.webServer>
    ...
    <modules>
          ...
          <add name="CompanyAuthentication" type="Company.Authentication.AuthHttpHandler" />
    </modules>

That did the trick for me!

这就是我的诀窍!