How to configure IIS7 when using mixed mode authentication in ASP.NET

Time: 2021-03-09 01:59:27

The following posts show how to set up the web.config for a site using Mixed Mode Authentication: IIS7 Mixed Mode Authentication and How to allow mixed-mode authentication in IIS 7.0.

I've got my site set up and working locally (on my developer machine). However, when I run it locally on the server I get 401.2 - Login failed due to server configuration error.

Anyone know how I'm supposed to configure the server, Default Web Site, and My Site?

Edit: Here are the settings in my web.config, including the loginUrl from the Forms authentication node.

  <location path="~/Account/WinLogin.aspx">
    <system.web>
      <authorization>
        <deny users="?"/>
        <allow users="*"/>
      </authorization>
    </system.web>
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false"/>
          <windowsAuthentication enabled="true"/>
        </authentication>
      </security>
    </system.webServer>
  </location>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/WinLogin.aspx" timeout="60"/>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>

1 solution

#1


11  

Let's start with server roles configuration (this is under server manager, roles, IIS)

You're gonna want to make sure that the windows auth and anonymous auth sections are enabled/installed, and also the forms auth (which presumably you already have). After those are installed/configured, you'll need to define the following stuff:

In your Web.Config you're going to want to have the following sections defined:

<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms cookieless="UseDeviceProfile" defaultUrl="~/Default.aspx" enableCrossAppRedirects="true" loginUrl="~/WindowsLogin.aspx" name=".ASPXAUTH" path="/" protection="All" requireSSL="false" slidingExpiration="true" timeout="10080"/>
    </authentication>
    <authorization>
        <deny users="?"/>
    </authorization>
  </system.web>
  <location path="Login.aspx">
      <system.web>
          <authorization>
              <allow users="?"/>
          </authorization>
      </system.web>
      <system.webServer>
          <security>
              <authentication>
                  <anonymousAuthentication enabled="true"/>
                  <windowsAuthentication enabled="false"/>
              </authentication>
          </security>
      </system.webServer>
  </location>
  <location path="WindowsLogin.aspx">
      <system.web>
          <authorization>
              <deny users="?"/>
              <allow users="*"/>
          </authorization>
      </system.web>
      <system.webServer>
          <security>
              <authentication>
                  <anonymousAuthentication enabled="false"/>
                  <windowsAuthentication enabled="true"/>
              </authentication>
          </security>
      </system.webServer>
  </location>
</configuration>

Then you'll need two files:

Login.aspx (this does forms auth)
WindowsLogin.aspx (this does Windows auth)

LOGIN does forms, right, so that's just bog standard ASP.NET forms auth. It's WindowsLogin that does the magic (and here's that file):

using System;
using System.Web;
using System.Web.Security;
using App_Code.Biz;

public partial class WindowsLogin : System.Web.UI.Page {
    protected string UserIsInRoles = string.Empty;
    private static readonly BAL _mBAL = new BAL();
    protected void Page_Load(object sender, EventArgs e) {
        string redirectUrl = Request["returnurl"] ?? "~/default.aspx";
        string username = Request.ServerVariables["LOGON_USER"];
        try {
            if ( Roles.GetRolesForUser( username ).Length < 1 )
                Roles.AddUserToRole( username, Global.defaultRole );
            int status;
            _mBAL.aspnet_Membership_CreateUser( username, out status );
        } catch ( Exception ex ) {
            ErrHandler.WriteXML( ex );
        }

        /* Test to see if the user is in any roles */
        if ( Roles.GetRolesForUser( username ).Length < 1 ) {
            UserIsInRoles = "<br />" + username + " You are not in any roles. This must be your first visit to our site!<br /> Adding you to the " + Global.defaultRole + " role now!";

        } else {
            UserIsInRoles = "You are in the following roles: ";
            string[] roles = Roles.GetRolesForUser( username );
            foreach ( string role in roles )
                UserIsInRoles += role + ", ";
            UserIsInRoles = UserIsInRoles.Remove( UserIsInRoles.Length - 2 ) + "!";

            if ( Login( username, String.Join( ",", roles ) ) )
                Response.Redirect( redirectUrl );
        }

        //we shouldn't get here, so if we do, redirect back to a page they can use.
        if ( Page.IsPostBack ) {
            if ( Response.StatusCode == 401 )
                Response.Redirect( "~/Login.aspx" );

        }
    }

    private bool Login(string strUser, string strRole) {
        if ( strRole != null ) {
            FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
               1,                            // version
               strUser,                      // user name
               DateTime.Now,                 // create time
               DateTime.Now.AddYears(1),     // expire time
               false,                        // persistent
               strRole );                     // user data
            string strEncryptedTicket = FormsAuthentication.Encrypt( ticket );
            HttpCookie cookie = new HttpCookie( FormsAuthentication.FormsCookieName, strEncryptedTicket );
            Context.Response.Cookies.Add( cookie );
            return true;
        }
        return false;
    }
}

After all this, you might get a config error for section locked at a parent level. Lock is either by default (overrideModeDefault="Deny") or set explicitly by a location tag ... and if so, then the fastest way to fix that is to open C:\Windows\System32\inetsrv\config\applicationHost.config and edit the following block:

<configSections>
  <sectionGroup name="system.webServer">
    <sectionGroup name="security">
      <sectionGroup name="authentication">
        <section name="anonymousAuthentication" overrideModeDefault="Allow" />
        <section name="windowsAuthentication" overrideModeDefault="Allow" />
      </sectionGroup>
    </sectionGroup>
  </sectionGroup>
</configSections>

Also see the chat log: http://chat.*.com/rooms/5/conversation/configuring-iis7-and-mixed-mode-authentication-in-asp-net
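
An added example, not part of the original answer: a hardened version of the ticket-issuing step in WindowsLogin.aspx. It refuses to issue a ticket when LOGON_USER is empty, takes the ticket lifetime from the configured forms timeout instead of a fixed year, marks the cookie HttpOnly, and only accepts a local return URL. The class and method names (MixedModeTicket, IsLocalUrl, SafeReturnUrl, TryIssue) are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not from the answer): issues the forms ticket after
// Windows auth has succeeded and keeps the post-login redirect on-site.
public static class MixedModeTicket
{
    // True only for app-relative ("~/x") or site-relative ("/x") targets;
    // rejects absolute and scheme-relative ("//host", "/\host") URLs.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url[0] == '~')
        {
            if (url.Length < 2 || url[1] != '/') return false;
            url = url.Substring(1);   // "~/x" is checked like "/x"
        }
        return url[0] == '/' && (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
    }

    public static string SafeReturnUrl(string requested)
    {
        return IsLocalUrl(requested) ? requested : FormsAuthentication.DefaultUrl;
    }

    // Returns false when IIS did not authenticate the caller (empty LOGON_USER),
    // which happens if anonymous auth is still enabled for WindowsLogin.aspx.
    public static bool TryIssue(HttpContext ctx, string[] roles)
    {
        string user = ctx.Request.ServerVariables["LOGON_USER"];
        if (string.IsNullOrEmpty(user)) return false;

        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, user, now,
            now.Add(FormsAuthentication.Timeout),  // honour <forms timeout>
            false,                                  // non-persistent
            string.Join(",", roles ?? new string[0]),
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                     // keep the ticket away from script
        cookie.Secure = FormsAuthentication.RequireSSL || ctx.Request.IsSecureConnection;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        ctx.Response.Cookies.Add(cookie);
        return true;
    }
}
```

In Page_Load this would be used as `if (MixedModeTicket.TryIssue(Context, roles)) Response.Redirect(MixedModeTicket.SafeReturnUrl(Request["returnurl"]));`, falling back to `~/Login.aspx` when it returns false.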
