C# Windows身份验证不接受凭据
我有一个Identity Server(ASP.NET Core 2和Identity Server 4 2.0.0),配置为使用Kestrel和IISIntegration,并在launchSettings.json上启用匿名和Windows身份验证。我还配置了如下IISOP:C# Windows身份验证不接受凭据,c#,asp.net-core,windows-authentication,openid-connect,identityserver4,C#,Asp.net Core,Windows Authentication,Openid Connect,Identityserver4,我有一个Identity Server(ASP.NET Core 2和Identity Server 4 2.0.0),配置为使用Kestrel和IISIntegration,并在launchSettings.json上启用匿名和Windows身份验证。我还配置了如下IISOP: services.Configure<IISOptions>(iis => { iis.AutomaticAuthentication = false; iis.Authenticat
services.Configure<IISOptions>(iis =>
{
iis.AutomaticAuthentication = false;
iis.AuthenticationDisplayName = "Windows";
});
services.AddAuthentication();
services.AddCors()
.AddMvc();
services.AddIdentityServer(); // with AspNetIdentity configured
app.UseAuthentication()
.UseIdentityServer()
.UseStaticFiles()
.UseCors(options => options.AllowAnyHeader().AllowAnyMethod().AllowAnyOrigin())
.UseMvcWithDefaultRoute();
当我启动客户端时,它会正确地显示Identity Server的登录屏幕,但单击Windows身份验证时,它只会不断询问凭据。我已经查看了这两个应用程序的输出窗口,没有任何一方出现异常。我已尝试将Identity Server部署到IIS服务器(启用Windows身份验证,其池在网络服务下运行),并重现了相同的行为。我终于找到了答案。我遵循了不支持Windows身份验证的
组合的\u AsNetIdentity\u和\u EntityFrameworkStorageIdentity[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<IActionResult> ExternalLogin(string provider, string returnUrl = null)
{
var props = new AuthenticationProperties()
{
RedirectUri = Url.Action("ExternalLoginCallback"),
Items =
{
{ "returnUrl", returnUrl },
{ "scheme", AccountOptions.WindowsAuthenticationSchemeName }
}
};
// I only care about Windows as an external provider
var result = await HttpContext.AuthenticateAsync(AccountOptions.WindowsAuthenticationSchemeName);
if (result?.Principal is WindowsPrincipal wp)
{
var id = new ClaimsIdentity(provider);
id.AddClaim(new Claim(JwtClaimTypes.Subject, wp.Identity.Name));
id.AddClaim(new Claim(JwtClaimTypes.Name, wp.Identity.Name));
await HttpContext.SignInAsync(
IdentityServerConstants.ExternalCookieAuthenticationScheme,
new ClaimsPrincipal(id),
props);
return Redirect(props.RedirectUri);
}
else
{
return Challenge(AccountOptions.WindowsAuthenticationSchemeName);
}
}
[HttpGet]
[AllowAnonymous]
public async Task<IActionResult> ExternalLoginCallback()
{
var result = await HttpContext.AuthenticateAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
if (result?.Succeeded != true)
{
throw new Exception("External authentication error");
}
var externalUser = result.Principal;
var claims = externalUser.Claims.ToList();
var userIdClaim = claims.FirstOrDefault(x => x.Type == JwtClaimTypes.Subject);
if (userIdClaim == null)
{
userIdClaim = claims.FirstOrDefault(x => x.Type == ClaimTypes.NameIdentifier);
}
if (userIdClaim == null)
{
throw new Exception("Unknown userid");
}
claims.Remove(userIdClaim);
string provider = result.Properties.Items["scheme"];
string userId = userIdClaim.Value;
var additionalClaims = new List<Claim>();
// I changed this to use Identity as a user store
var user = await userManager.FindByNameAsync(userId);
if (user == null)
{
user = new ApplicationUser
{
UserName = userId
};
var creationResult = await userManager.CreateAsync(user);
if (!creationResult.Succeeded)
{
throw new Exception($"Could not create new user: {creationResult.Errors.FirstOrDefault()?.Description}");
}
}
else
{
additionalClaims.AddRange(await userManager.GetClaimsAsync(user));
}
var sid = claims.FirstOrDefault(x => x.Type == JwtClaimTypes.SessionId);
if (sid != null)
{
additionalClaims.Add(new Claim(JwtClaimTypes.SessionId, sid.Value));
}
AuthenticationProperties props = null;
string id_token = result.Properties.GetTokenValue("id_token");
if (id_token != null)
{
props = new AuthenticationProperties();
props.StoreTokens(new[] { new AuthenticationToken { Name = "id_token", Value = id_token } });
}
await HttpContext.SignInAsync(user.Id, user.UserName, provider, props, additionalClaims.ToArray());
await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
string returnUrl = result.Properties.Items["returnUrl"];
if (_interaction.IsValidReturnUrl(returnUrl) || Url.IsLocalUrl(returnUrl))
{
return Redirect(returnUrl);
}
return Redirect("~/");
}
[HttpPost]
[异名]
[ValidateAntiForgeryToken]
公共异步任务外部登录(字符串提供程序,字符串返回URL=null)
{
var props=新的AuthenticationProperties()
{
RedirectUri=Url.Action(“ExternalLoginCallback”),
项目=
{
{“returnUrl”,returnUrl},
{“方案”,AccountOptions.WindowsAuthenticationSchemeName}
}
};
//我只关心作为外部提供商的Windows
var result=await HttpContext.authenticateSync(AccountOptions.WindowsAuthenticationSchemeName);
如果(结果?.Principal为WindowsPrincipal wp)
{
var id=新的索赔实体(供应商);
id.AddClaim(新索赔(JwtClaimTypes.Subject,wp.Identity.Name));
id.AddClaim(新索赔(JwtClaimTypes.Name,wp.Identity.Name));
等待HttpContext.SignInAsync(
IdentityServerConstants.ExternalCookieAuthenticationScheme,
新的权利要求书(id),
道具);
返回重定向(props.RedirectUri);
}
其他的
{
返回质询(AccountOptions.WindowsAuthenticationSchemeName);
}
}
[HttpGet]
[异名]
公共异步任务ExternalLoginCallback()
{
var result=wait HttpContext.authenticateSync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
如果(结果?.successed!=真)
{
抛出新异常(“外部身份验证错误”);
}
var externalUser=result.Principal;
var claims=externalUser.claims.ToList();
var userIdClaim=claims.FirstOrDefault(x=>x.Type==JwtClaimTypes.Subject);
if(userIdClaim==null)
{
userIdClaim=claims.FirstOrDefault(x=>x.Type==ClaimTypes.NameIdentifier);
}
if(userIdClaim==null)
{
抛出新异常(“未知用户ID”);
}
索赔。删除(userIdClaim);
字符串提供程序=result.Properties.Items[“scheme”];
字符串userId=userIdClaim.Value;
var additionalClaims=新列表();
//我将其更改为使用标识作为用户存储
var user=await userManager.FindByNameAsync(userId);
if(user==null)
{
用户=新应用程序用户
{
用户名=用户ID
};
var creationResult=await userManager.CreateAsync(用户);
如果(!creationResult.Successed)
{
抛出新异常($”无法创建新用户:{creationResult.Errors.FirstOrDefault()?.Description}”);
}
}
其他的
{
additionalClaims.AddRange(等待userManager.GetClaimsAsync(用户));
}
var sid=claims.FirstOrDefault(x=>x.Type==JwtClaimTypes.SessionId);
如果(sid!=null)
{
additionalClaims.Add(新索赔(JwtClaimTypes.SessionId,sid.Value));
}
AuthenticationProperties props=null;
string id_token=result.Properties.GetTokenValue(“id_token”);
if(id\u令牌!=null)
{
props=新的AuthenticationProperties();
StoreTokens(new[]{newauthenticationtoken{Name=“id_-token”,Value=id_-token}});
}
等待HttpContext.SignInAsync(user.Id、user.UserName、provider、props、additionalClaims.ToArray());
等待HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
字符串returnUrl=result.Properties.Items[“returnUrl”];
if(_interaction.IsValidReturnUrl(returnUrl)| | Url.IsLocalUrl(returnUrl))
{
返回重定向(returnUrl);
}
返回重定向(“~/”);
}
服务。AddDeveloperSigningCredential()用于疑难解答?@KostyaK如果您参考的是服务。AddIdentityServer().AddDeveloperSigningCredential()
,是的,已经有了there@CodeCaster试着从这里运行官方示例,看看它是否在您的环境中工作。通过这种方式,您可以缩小对问题的搜索范围。@Kostya我不是OP。@KostyaK遗憾的是,没有一个示例显示如何正确配置客户端和服务器以进行Windows身份验证。我都试过了
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<IActionResult> ExternalLogin(string provider, string returnUrl = null)
{
var props = new AuthenticationProperties()
{
RedirectUri = Url.Action("ExternalLoginCallback"),
Items =
{
{ "returnUrl", returnUrl },
{ "scheme", AccountOptions.WindowsAuthenticationSchemeName }
}
};
// I only care about Windows as an external provider
var result = await HttpContext.AuthenticateAsync(AccountOptions.WindowsAuthenticationSchemeName);
if (result?.Principal is WindowsPrincipal wp)
{
var id = new ClaimsIdentity(provider);
id.AddClaim(new Claim(JwtClaimTypes.Subject, wp.Identity.Name));
id.AddClaim(new Claim(JwtClaimTypes.Name, wp.Identity.Name));
await HttpContext.SignInAsync(
IdentityServerConstants.ExternalCookieAuthenticationScheme,
new ClaimsPrincipal(id),
props);
return Redirect(props.RedirectUri);
}
else
{
return Challenge(AccountOptions.WindowsAuthenticationSchemeName);
}
}
[HttpGet]
[AllowAnonymous]
public async Task<IActionResult> ExternalLoginCallback()
{
var result = await HttpContext.AuthenticateAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
if (result?.Succeeded != true)
{
throw new Exception("External authentication error");
}
var externalUser = result.Principal;
var claims = externalUser.Claims.ToList();
var userIdClaim = claims.FirstOrDefault(x => x.Type == JwtClaimTypes.Subject);
if (userIdClaim == null)
{
userIdClaim = claims.FirstOrDefault(x => x.Type == ClaimTypes.NameIdentifier);
}
if (userIdClaim == null)
{
throw new Exception("Unknown userid");
}
claims.Remove(userIdClaim);
string provider = result.Properties.Items["scheme"];
string userId = userIdClaim.Value;
var additionalClaims = new List<Claim>();
// I changed this to use Identity as a user store
var user = await userManager.FindByNameAsync(userId);
if (user == null)
{
user = new ApplicationUser
{
UserName = userId
};
var creationResult = await userManager.CreateAsync(user);
if (!creationResult.Succeeded)
{
throw new Exception($"Could not create new user: {creationResult.Errors.FirstOrDefault()?.Description}");
}
}
else
{
additionalClaims.AddRange(await userManager.GetClaimsAsync(user));
}
var sid = claims.FirstOrDefault(x => x.Type == JwtClaimTypes.SessionId);
if (sid != null)
{
additionalClaims.Add(new Claim(JwtClaimTypes.SessionId, sid.Value));
}
AuthenticationProperties props = null;
string id_token = result.Properties.GetTokenValue("id_token");
if (id_token != null)
{
props = new AuthenticationProperties();
props.StoreTokens(new[] { new AuthenticationToken { Name = "id_token", Value = id_token } });
}
await HttpContext.SignInAsync(user.Id, user.UserName, provider, props, additionalClaims.ToArray());
await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
string returnUrl = result.Properties.Items["returnUrl"];
if (_interaction.IsValidReturnUrl(returnUrl) || Url.IsLocalUrl(returnUrl))
{
return Redirect(returnUrl);
}
return Redirect("~/");
}