问题描述
我有一个在 Windows 2003 服务器上的 IIS 7 下运行的 .NET 3.5 应用程序,当我继续收到登录提示时,无法使集成 Windows 身份验证正常工作.我已在 IIS 中将 Windows 身份验证设置为启用,并禁用所有其他安全类型,并且我的应用程序 web.config 文件身份验证/授权设置为:
I have a .NET 3.5 application running under IIS 7 on Windows 2003 server and cannot get integrated windows authentication working properly as I continue to get prompted for a login. I have set Windows Authentication to enabled in IIS with all other security types disabled and my application web.config file authentication/authorization is set up as:
<system.web>
<compilation debug="true" strict="false" explicit="true" targetFramework="3.5" />
<authenticationmode="Windows"/>
<authorization>
<deny users = "?" />
</authorization>
</system.web>
通过此设置,我期望 Windows 用户在后台验证以允许访问和拒绝匿名用户.但是,当我尝试访问该站点时,我得到的是一个 Windows 登录弹出窗口.
With this setup, I'm expecting behind the scene verification of the Windows user to allow access and deny anonymous users. However, what I'm getting is a Windows login pop-up when I try to access the site.
我这几天一直在解决这个问题,但无法找出问题所在.根据有类似问题的帖子,我确认我的 URL 不包含任何句点,仔细检查我的 IE 设置是否设置为启用集成 Windows 身份验证,并将我的 URL 添加到我的 Intranet 站点,但仍然收到弹出窗口.
I have been troubleshooting this issue for a few days now and cannot figure out the problem. Based on posts with similar problems, I confirmed my URL does not include any periods, double checked that my IE settings are set to Enable Integrated Windows Authentication, and also added my URL to my intranet sites, but still getting the pop-up.
为了进一步排除故障,我在 IIS 中启用了匿名身份验证,并修改了我的 web.config 文件,让我可以直接进入,然后添加了 Response.Write(System.Security.Principal.WindowsIdentifity.getcurrent().user.name.toString()) 来尝试查看身份验证中使用的用户.我得到的结果是 IIS APPPOOLmyapp 这显然是我的应用程序的 IIS 应用程序池.
To troubleshoot it further, I enabled Anonymous Authentication in IIS and modified my web.config file to which lets me right in and then added Response.Write(System.Security.Principal.WindowsIdentifity.getcurrent().user.name.toString()) to try to see what user is being used in the authentication. The result I'm getting is IIS APPPOOLmyapp which is obviously the IIS application pool for my application.
我非常感谢任何人提供的任何帮助,这样我仍然只使用 Windows 身份验证,但没有弹出窗口,并且 Windows 身份验证是针对实际 Windows 用户执行的.
I really appreciate any help anyone can provide so that I'm still using only windows authentication but don't get the pop-up and the windows authentication is performed against the actual Windows user.
谢谢.
进一步排除故障后的附加说明:
Additional note after troubleshooting further:
刚刚注意到,当登录失败并且再次显示 Windows 登录提示时,它显示尝试登录为SERVERNAME"USERNAME"的用户名,这让我相信它正在尝试针对服务器验证用户与域.为了确认这一点,我直接在应用服务器上创建了一个本地用户帐户,其用户名和密码与网络域用户相同,并尝试再次登录.结果是我再次收到登录提示,但这次输入用户名和密码时,我能够成功登录.网络用户和应用服务器在同一个域上,所以真的不知道为什么 IIS 身份验证指向本地应用服务器帐户而不是域帐户.我意识到这是一个 IIS 问题,因此也发布在 forums.iis.net 上,但感谢任何人可能提供的任何建议,因为这几天以来一直在解决这个问题.
Just noticed that when the login fails and the Windows login prompt displays again, it is showing the username that attempted to login as "SERVERNAME""USERNAME" which led me to believe it was trying to validate the user against the server vs. the domain. To confirm this, I created a local user account directly on the app server with the same username and password as the network domain user and tried to login again. The result was that I received the login prompt again but when I entered the username and password this time, I was able to successfully login. The network user and app server are on the same domain so really not sure why IIS authentication is pointing to the local app server accounts and not to the domain accounts. I realize this is an IIS question at this point so posting on forums.iis.net as well but appreciate any advice anyone may have since have been troubleshooting this for days.
推荐答案
我有一个正在使用的 Windows 2008 服务器,所以我的答案与 OP 在 Windows 2003 服务器上的答案并不完全相同.
I have a Windows 2008 server that I'm working on, so my answer is not completely the same as what the OP has on a Windows 2003 server.
这就是我所做的(在这里记录下来,以便以后找到).
Here is what I did (recording this here so I can find it later).
我也遇到了同样的问题:
I was having this same issue:
在我的 Web.config 文件中,我有这个部分:
In my Web.config file, I had this section:
<system.web>
<authentication mode="Windows" />
<authorization>
<allow users="*" />
<deny users="?" />
</authorization>
</system.web>
在IIS下,所有这些似乎都在Authentication图标下解决了.
Under IIS, all of these seems to be solved under the Authentication icon.
- 编辑权限:确保您的 ASP.NET 帐户具有权限.最初没有添加我的.
现在进入身份验证的功能:
使用 IUSR
启用 匿名身份验证:
启用 Windows 身份验证,然后右键单击以设置 Providers.
Enable Windows Authentication, then Right-Click to set the Providers.
NTLM 必须是第一位的!
接下来,检查 Advanced Settings... 下的 Extended Protection 是否为 Accept 和 Enable Kernel-mode authenticationstrong> 已检查:
Next, check that under Advanced Settings... the Extended Protection is Accept and Enable Kernel-mode authentication is CHECKED:
完成此操作后,我返回 Web 应用程序,单击浏览"链接,无需再次提供凭据即可登录.
Once I did this, I went back to my web application, clicked the Browse link, and logged in without having to provide my credentials again.
我希望这对你们中的许多人有益,我希望它以后对我也有用.
I hope this proves beneficial to many of you, and I hope it is useful for me later as well.
这篇关于使用集成 Windows 身份验证接收登录提示的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!