0

我正在尝试使用 Windows 身份验证实现 Identityserver4(版本 4.0.0)。在 Visual Studio 上运行时,它可以正常工作。当我将其部署到 IIS 时,输入凭据后弹出窗口不断显示(401 状态)。下面是我的代码。我也尝试部署Duende Software 的示例源,但得到了相同的结果。我认为我的结尾缺少一些配置。请帮助我。

登录页面 程序.cs

public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .UseSerilog()
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.UseStartup<Startup>();
            });

启动设置.json

"windowsAuthentication": true,

设置

外部控制器.cs

    public async Task<IActionResult> Challenge(string scheme, string returnUrl)
        {
            if (string.IsNullOrEmpty(returnUrl)) returnUrl = "~/";
            
            if(scheme ==  "Windows")
            {
                return await ChallengeWindowsAsync(returnUrl);
            }
            
            // validate returnUrl - either it is a valid OIDC URL or back to a local page
            if (Url.IsLocalUrl(returnUrl) == false && _interaction.IsValidReturnUrl(returnUrl) == false)
            {
                // user might have clicked on a malicious link - should be logged
                throw new Exception("invalid return URL");
            }
            
            // start challenge and roundtrip the return URL and scheme 
            var props = new AuthenticationProperties
            {
                RedirectUri = Url.Action(nameof(Callback)), 
                Items =
                {
                    { "returnUrl", returnUrl }, 
                    { "scheme", scheme },
                }
            };

            return Challenge(props, scheme);
            
        }
    //ChallengeWindowsAsync
private async Task<IActionResult> ChallengeWindowsAsync(string returnUrl)
        {

            // see if windows auth has already been requested and succeeded
            var result = await HttpContext.AuthenticateAsync("Windows");

            if (result?.Principal is WindowsPrincipal wp)
            {
                // we will issue the external cookie and then redirect the
                // user back to the external callback, in essence, treating windows
                // auth the same as any other external authentication mechanism
                var props = new AuthenticationProperties()
                {
                    RedirectUri = Url.Action("Callback"),
                    Items =
            {
                { "returnUrl", returnUrl },
                { "scheme", "Windows" },
            }
                };

                var id = new ClaimsIdentity("Windows");

                // the sid is a good sub value
                id.AddClaim(new Claim(JwtClaimTypes.Subject, wp.FindFirst(ClaimTypes.PrimarySid).Value));

                // the account name is the closest we have to a display name
                id.AddClaim(new Claim(JwtClaimTypes.Name, wp.Identity.Name));

                // add the groups as claims -- be careful if the number of groups is too large
                var wi = wp.Identity as WindowsIdentity;

                // translate group SIDs to display names
                var groups = wi.Groups.Translate(typeof(NTAccount));
                var roles = groups.Select(x => new Claim(JwtClaimTypes.Role, x.Value));
                id.AddClaims(roles);


                await HttpContext.SignInAsync(
                    IdentityServerConstants.ExternalCookieAuthenticationScheme,
                    new ClaimsPrincipal(id),
                    props);
                return Redirect(props.RedirectUri);
            }
            else
            {
                // trigger windows auth
                // since windows auth don't support the redirect uri,
                // this URL is re-triggered when we call challenge
                return Challenge("Windows");
            }
        }

IIS 配置 Windows 身份验证已启用 IIS IIS

4

0 回答 0