When does ASP.NET authentication happen?

Time: 2021-07-16 02:59:17

I have an application where I display every Active Directory group that the current user belongs to. When I have my config set up like this:

    <authentication mode="Windows"/>
    <authorization>
        <deny users="?"/>
        <allow users="*"/>
    </authorization>

It works fine. When it's like this:

    <authentication mode="Windows"/>
    <authorization>
        <!--<deny users="?"/>-->
        <allow users="*"/>
    </authorization>

No groups are found. Why does this make a difference? Does ASP.NET only authenticate if we are specifically denying access to unauthenticated users?

If it helps, this is how I'm getting the groups:

    // Needs at the top of the file: using System.Collections; using System.DirectoryServices;
    protected string GetUserGroups()
    {
        ArrayList groupMembers = new ArrayList();

        // User.Identity.Name is "DOMAIN\user"; keep only the account name.
        // For an anonymous request the name is empty, so no entry can match.
        string name = User.Identity.Name;
        string account = name.Substring(name.LastIndexOf(@"\") + 1);

        try
        {
            using (DirectoryEntry root = new DirectoryEntry("LDAP://myldap/DC=nc,DC=local"))
            using (DirectorySearcher ds = new DirectorySearcher(root))
            {
                ds.Filter = String.Format("(&(samaccountname={0})(objectClass=person))", account);
                ds.PropertiesToLoad.Add("memberof");
                using (SearchResultCollection results = ds.FindAll())
                {
                    foreach (SearchResult sr in results)
                    {
                        foreach (string str in sr.Properties["memberof"])
                        {
                            // "CN=Group,OU=..." -> "Group"
                            string str2 = str.Substring(str.IndexOf("=") + 1, str.IndexOf(",") - str.IndexOf("=") - 1);
                            groupMembers.Add(str2);
                        }
                    }
                }
            }
        }
        catch
        {
            // Ignore errors, for example when no properties are found in AD.
        }
        return String.Join("|", (string[])groupMembers.ToArray(typeof(string)));
    }

1 solution

#1


3  

I may be wrong, but I believe this is how it works:

The first time a browser hits a site it does so as anonymous.

If the server says that anonymous isn't allowed, the browser then sends the user's Windows credentials.

If those credentials don't pass muster, then the browser pops up the login box or (depending on the application) sends them over to a login page.

So, because your site allows anonymous, all of the users are coming in that way.

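An added example, not part of the original question or answer: one way to make the anonymous case fail loudly instead of silently returning no groups, assuming ASP.NET on .NET Framework with Windows authentication. The class name `CurrentUserGroups` is hypothetical, and reading groups from the Windows token via `WindowsIdentity.Groups` is a substitute for the LDAP query in the question.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;

// Hypothetical helper (not from the original post).
public static class CurrentUserGroups
{
    public static IList<string> Get(HttpContext context)
    {
        IPrincipal user = context.User;

        // With <allow users="*"/> and no <deny users="?"/>, the request is
        // never challenged, so it arrives anonymous: IsAuthenticated is
        // false and Identity.Name is an empty string.
        if (user == null || !user.Identity.IsAuthenticated)
        {
            throw new InvalidOperationException(
                "Request is anonymous; add <deny users=\"?\"/> to <authorization> " +
                "so the browser is challenged for Windows credentials.");
        }

        WindowsIdentity windowsIdentity = user.Identity as WindowsIdentity;
        if (windowsIdentity == null)
        {
            throw new InvalidOperationException(
                "Identity is not a WindowsIdentity; check <authentication mode=\"Windows\"/>.");
        }

        List<string> names = new List<string>();
        foreach (IdentityReference sid in windowsIdentity.Groups)
        {
            try
            {
                // Resolve the group SID to a DOMAIN\Group name.
                names.Add(sid.Translate(typeof(NTAccount)).Value);
            }
            catch (IdentityNotMappedException)
            {
                // SID has no resolvable name; keep the raw SID string.
                names.Add(sid.Value);
            }
        }
        return names;
    }
}
```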