
I have an MVC application using Windows Auth which consumes a Web Api service. Both are hosted within the same domain but sit on different servers (MVC is publicly accessible). Now let's suppose the Web Api service has a method "CreateFooBar" which requires that the user is in a particular AD group. At the MVC layer I can easily check that the user is indeed in the group, package up a JSON message and call "CreateFooBar". But how does the service perform such a check? How can I tell it which user has made the request?

Initial thought is just to add the userID to the JSON message and let the service method retrieve the details, but this would allow someone to just pass in any userID they like, so clearly this won't work. Can someone point me in the right direction please?


2 Answers


You should use something like Kerberos delegation. The user authenticates to the MVC application with Kerberos, and the Kerberos token is then passed along on the Web API call.

We are currently doing this to pass credentials from an ASP.NET application to an Exchange Web Services server. It works fine.

If you want more information, have a look at this KB: http://support.microsoft.com/kb/810572

answered 2013-09-04T18:14:00.520
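As an added illustration of the delegation approach described in this answer (example code, not from the original post or the asker's project): the MVC front end impersonates the already-authenticated Windows user and lets `HttpClient` use that identity for the outbound call, so the Web API receives the real caller via Kerberos and performs the group check itself from its own authenticated principal, never from a user id in the JSON body. It assumes .NET Framework with Windows Authentication enabled on both sites, that Kerberos delegation is already configured (SPNs registered, the MVC application pool account trusted for delegation to the API host, which is what the linked KB covers), that the `Microsoft.AspNet.WebApi.Client` package is referenced for `PostAsJsonAsync`, and that the URL and the group name `DOMAIN\FooBarCreators` are placeholders.

```csharp
// Added example, not part of the original answer. Assumptions: Windows auth on both
// sites, Kerberos delegation already configured between the MVC host and the API
// host, Microsoft.AspNet.WebApi.Client referenced; URL and group name are placeholders.
using System;
using System.Net.Http;
using System.Security.Principal;

namespace FrontEnd
{
    using System.Web.Mvc;

    // ---- MVC side (publicly accessible) ----
    public class FooBarController : Controller
    {
        private const string ApiUrl = "https://api.internal.example/api/foobar"; // placeholder

        [HttpPost]
        public ActionResult Create(string name)
        {
            // Do NOT put the user id in the message. Impersonate the authenticated
            // Windows user so the outbound call carries that user's Kerberos identity.
            var windowsIdentity = (WindowsIdentity)User.Identity;
            using (windowsIdentity.Impersonate())
            {
                var handler = new HttpClientHandler { UseDefaultCredentials = true };
                using (var client = new HttpClient(handler))
                {
                    var payload = new { Name = name }; // business data only, no user id
                    var response = client.PostAsJsonAsync(ApiUrl, payload).Result;
                    return new HttpStatusCodeResult((int)response.StatusCode);
                }
            }
        }
    }
}

namespace Service
{
    using System.Web.Http;

    // ---- Web API side (internal service) ----
    public class FooBarApiController : ApiController
    {
        public class FooBarRequest { public string Name { get; set; } }

        // Authorization is decided here from the principal Windows auth established
        // for this request, i.e. the delegated caller, not from anything in the body.
        [Authorize(Roles = @"DOMAIN\FooBarCreators")] // placeholder AD group
        [HttpPost]
        public IHttpActionResult CreateFooBar(FooBarRequest request)
        {
            // Set by Windows authentication on the API host, e.g. DOMAIN\alice.
            var caller = User.Identity.Name;

            // Belt-and-braces check in code for callers that bypass the attribute.
            if (!User.IsInRole(@"DOMAIN\FooBarCreators"))
                return Unauthorized();

            // ... create the FooBar, recording 'caller' as its creator ...
            return Ok(new { CreatedBy = caller, request.Name });
        }
    }
}
```

If the delegation step is missing, the API will see the MVC application pool account (or an anonymous/NTLM failure) rather than the end user, and the `[Authorize]` check will reject every call; that is the first thing to verify by logging `User.Identity.Name` on the service side.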

You should look into what Windows Identity Foundation can do for you. By setting up ADFS in your environment and using claims, you will solve most of the problems you are talking about.

You will need the Identity and Access extension for Visual Studio; you can test the idea with a self-hosted STS.

answered 2013-09-04T19:36:42.627