Windows身份验证不接受凭据

时间:2017-10-13 12:19:21

标签: c# asp.net-core windows-authentication openid-connect identityserver4

我将Identity Server(带有Identity Server 4 2.0.0的ASP.NET Core 2)配置为使用Kestrel和IISIntegration,并在launchSettings.json上启用了匿名和Windows身份验证。我还配置了这样的IISOptions:

services.Configure<IISOptions>(iis =>
{
    iis.AutomaticAuthentication = false;
    iis.AuthenticationDisplayName = "Windows";
});

services.AddAuthentication();
services.AddCors()
        .AddMvc();
services.AddIdentityServer(); // with AspNetIdentity configured

app.UseAuthentication()
    .UseIdentityServer()
    .UseStaticFiles()
    .UseCors(options => options.AllowAnyHeader().AllowAnyMethod().AllowAnyOrigin())
    .UseMvcWithDefaultRoute();

我有这个客户端(也是启用了Windows和匿名身份验证的ASP.NET Core 2,在带有IISIntegration的Kestrel上运行)

services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddOpenIdConnect(config =>
    {
        config.Authority = "http://localhost:5000";
        config.RequireHttpsMetadata = false;
        config.ClientId = "MyClientId";
        config.ClientSecret = "MyClientSecret";
        config.SaveTokens = true;
        config.GetClaimsFromUserInfoEndpoint = true;
    });

services.AddMvc();

Identity Server在http://localhost:5000上运行,客户端在http://localhost:2040上运行。

当我启动客户端时,它会正确显示Identity Server的登录屏幕,但在单击Windows身份验证时,只会继续询问凭据。我已经查看了两个应用程序的输出窗口,并且任何一方都没有异常提升。我尝试将Identity Server部署到IIS服务器(启用了Windows身份验证,并且其池在NETWORK SERVICE下运行),并重现了相同的行为。

1 个答案:

答案 0 :(得分:4)

我终于明白了。我遵循了不支持Windows身份验证的Combined_AspNetIdentity_and_EntityFrameworkStorage快速入门。复制4_ImplicitFlowAuthenticationWithExternal快速入门中的相关代码可解决此问题。

为简单起见,这里是允许进行Windows身份验证的快速入门代码,修改为使用Identity作为用户存储:

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<IActionResult> ExternalLogin(string provider, string returnUrl = null)
{
    var props = new AuthenticationProperties()
    {
        RedirectUri = Url.Action("ExternalLoginCallback"),
        Items =
        {
            { "returnUrl", returnUrl },
            { "scheme", AccountOptions.WindowsAuthenticationSchemeName }
        }
    };

    // I only care about Windows as an external provider
    var result = await HttpContext.AuthenticateAsync(AccountOptions.WindowsAuthenticationSchemeName);
    if (result?.Principal is WindowsPrincipal wp)
    {
        var id = new ClaimsIdentity(provider);
        id.AddClaim(new Claim(JwtClaimTypes.Subject, wp.Identity.Name));
        id.AddClaim(new Claim(JwtClaimTypes.Name, wp.Identity.Name));

        await HttpContext.SignInAsync(
            IdentityServerConstants.ExternalCookieAuthenticationScheme,
            new ClaimsPrincipal(id),
            props);
        return Redirect(props.RedirectUri);
    }
    else
    {
        return Challenge(AccountOptions.WindowsAuthenticationSchemeName);
    }
}

[HttpGet]
[AllowAnonymous]
public async Task<IActionResult> ExternalLoginCallback()
{
    var result = await HttpContext.AuthenticateAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
    if (result?.Succeeded != true)
    {
        throw new Exception("External authentication error");
    }

    var externalUser = result.Principal;
    var claims = externalUser.Claims.ToList();

    var userIdClaim = claims.FirstOrDefault(x => x.Type == JwtClaimTypes.Subject);
    if (userIdClaim == null)
    {
        userIdClaim = claims.FirstOrDefault(x => x.Type == ClaimTypes.NameIdentifier);
    }

    if (userIdClaim == null)
    {
        throw new Exception("Unknown userid");
    }

    claims.Remove(userIdClaim);
    string provider = result.Properties.Items["scheme"];
    string userId = userIdClaim.Value;

    var additionalClaims = new List<Claim>();

    // I changed this to use Identity as a user store
    var user = await userManager.FindByNameAsync(userId);
    if (user == null)
    {
        user = new ApplicationUser
        {
            UserName = userId
        };

        var creationResult = await userManager.CreateAsync(user);

        if (!creationResult.Succeeded)
        {
            throw new Exception($"Could not create new user: {creationResult.Errors.FirstOrDefault()?.Description}");
        }
    }
    else
    {
        additionalClaims.AddRange(await userManager.GetClaimsAsync(user));
    }

    var sid = claims.FirstOrDefault(x => x.Type == JwtClaimTypes.SessionId);
    if (sid != null)
    {
        additionalClaims.Add(new Claim(JwtClaimTypes.SessionId, sid.Value));
    }

    AuthenticationProperties props = null;
    string id_token = result.Properties.GetTokenValue("id_token");
    if (id_token != null)
    {
        props = new AuthenticationProperties();
        props.StoreTokens(new[] { new AuthenticationToken { Name = "id_token", Value = id_token } });
    }

    await HttpContext.SignInAsync(user.Id, user.UserName, provider, props, additionalClaims.ToArray());

    await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);

    string returnUrl = result.Properties.Items["returnUrl"];
    if (_interaction.IsValidReturnUrl(returnUrl) || Url.IsLocalUrl(returnUrl))
    {
        return Redirect(returnUrl);
    }

    return Redirect("~/");
}
相关问题
最新问题