如何解决IIS 10下的IdentityServer4 Windows登录无法成功进行身份验证
使用本地计算机上的IIS Express,我可以运行IdentityServer4 QuickStart UI项目并成功登录。但是,一旦将其部署到生产环境中,我将无法使其正常工作。
在站点的“应用程序池”上,我有一个域帐户设置(几乎授予了所有可能的权限)。我尝试过切换“匿名身份验证”的各种方式。我已经以多种不同的方式(无SSL,仅SSL,完全开放的CORS,禁用了所有安全策略)从头开始重新创建了整个应用程序,甚至该应用程序的最基本版本似乎也遭受了完全一样的问题。
在对应用程序进行一些记录之后,我可以看到我正在从AD中获取主题ID和名称。
这里是ProcessWindowsLoginAsync方法,只有很少的日志记录更改。
private async Task<IActionResult> ProcessWindowsLoginAsync(string returnUrl)
{
var result = await HttpContext.AuthenticateAsync(AccountOptions.WindowsAuthenticationSchemeName);
if (result?.Principal is WindowsPrincipal wp)
{
var props = new AuthenticationProperties
{
RedirectUri = Url.Action("Callback"),Items =
{
{ "returnUrl",returnUrl },{ "scheme",AccountOptions.WindowsAuthenticationSchemeName },}
};
var id = new ClaimsIdentity(AccountOptions.WindowsAuthenticationSchemeName);
var sub = wp.FindFirst(ClaimTypes.PrimarySid).Value;
id.AddClaim(new Claim(JwtClaimTypes.Subject,sub));
id.AddClaim(new Claim(JwtClaimTypes.Name,wp.Identity.Name));
_logger.LogInformation("Assigning claims. Subject {@Subject}. Name {@Name}",sub,wp.Identity.Name);
if (AccountOptions.IncludeWindowsGroups)
{
var wi = wp.Identity as WindowsIdentity;
var groups = wi!.Groups!.Translate(typeof(NTAccount));
var roles = groups!.Select(x => new Claim(JwtClaimTypes.Role,x.Value));
id.AddClaims(roles);
}
await HttpContext.SignInAsync(
IdentityServerConstants.ExternalCookieAuthenticationScheme,new ClaimsPrincipal(id),props);
return Redirect(props.RedirectUri);
}
return Challenge(AccountOptions.WindowsAuthenticationSchemeName);
}
上面的代码吐出类似的东西(去除了识别信息):
Assigning claims. Subject S-0-0-00-0000000000-0000000000-0000000000-00000. Name DOMAIN\NAME
上面的代码执行后,将调用外部回调方法,并立即引发异常:
[HttpGet]
public async Task<IActionResult> Callback()
{
var result = await HttpContext.AuthenticateAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
if (result?.Succeeded != true)
{
_logger.LogInformation("We were not successfully able to sign in. Failure: {@Failure}. None: {@None}",result?.Failure,result?.None);
if (result?.Failure != null)
throw result.Failure;
throw new Exception("External authentication error");
}
if (_logger.IsEnabled(LogLevel.Debug))
{
var externalClaims = result.Principal.Claims.Select(c => $"{c.Type}: {c.Value}");
_logger.LogDebug("External claims: {@claims}",externalClaims);
}
var (user,provider,providerUserId,claims) = FindUserFromExternalProvider(result);
if (user == null)
user = AutoProvisionUser(provider,claims);
var additionalLocalClaims = new List<Claim>();
var localSignInProps = new AuthenticationProperties();
ProcessLoginCallbackForOidc(result,additionalLocalClaims,localSignInProps);
var issuer = new IdentityServerUser(user.SubjectId)
{
DisplayName = user.Username,IdentityProvider = provider,AdditionalClaims = additionalLocalClaims
};
await HttpContext.SignInAsync(issuer,localSignInProps);
await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
var returnUrl = result.Properties.Items["returnUrl"] ?? "~/";
var context = await _interaction.GetAuthorizationContextAsync(returnUrl);
await _events.RaiseAsync(new UserLoginSuccessEvent(provider,user.SubjectId,user.Username,true,context?.ClientId));
if (context != null)
if (await _clientStore.IsPkceClientAsync(context.ClientId))
return this.LoadingPage("Redirect",returnUrl);
return Redirect(returnUrl);
}
从日志中,我可以知道它在尝试进行身份验证后立即失败。没有其他错误,但是有一些有趣的记录日志(按顺序):
Performing protect operation to key {xxxxxxxx-xxxx-xxxx-xxxx-b7e4d6dd250a} with purposes ('C:\websites\identity.ourdomain.com','Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware','idsrv.external','v2').
AuthenticationScheme: idsrv.external signed in.
Executing RedirectResult,redirecting to /External/Callback
Executing action method IdentityServer4.Quickstart.UI.ExternalController.Callback (Idsvr.Api) - Validation state: Valid
AuthenticationScheme: idsrv.external was not authenticated.
(Exception)
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。