Setting up integrated security, IIS6
So far
I have made my web site into an application.
I have disabled anonymous, on IIS6
<authentication mode="Windows"/>
<identity impersonate="true"/>
in my webconfig
and I am using both
HttpContext.Current.User.Identity.Name
Request.LogonUserIdentity.Name.ToString
to retrieve the username.
The problem is I am being prompted to log on. I don't want the user to have to log in as this is an intranet.
A lot of factors contribute to being prompted for a login. All of the items below assume you're using a company intranet site with Active Directory authentication.
- The users must be using IE for pass-through authentication to work. FF, Chrome, etc. simply can't pass the Windows login credentials.
- The URL being accessed must be seen by IE as an internal Intranet page. Due to security issues IE will not pass credentials to, say, mysite.com, as it's seen as an external page and not on the Intranet.
- If there is a period in the domain name used to access the web server (intranet.ourcompany) or anything similar IE will (most of the time) see the period as being an external resource and not pass credentials. In my experience it gets intermittent at this point and even adding the site to the trusted sites gets mixed results.
- The URL you are trying to access must be set up as a Trusted Site in the IE security settings or IE will not pass the credentials.
- In the IE security settings for Trusted Sites (custom level) there is a user authentication / logon section (this depends on the IE version you are running). This setting should be set to "automatic login with current user name and password". These settings are for IE 8. IE 6/7 generally don't need this setting if everything else is set up.
- In IIS make sure Windows Authentication is enabled for the website under Authentication (assuming IIS 7+). In IIS 6 you have to turn on "Integrated Windows Authentication" and "Digest Authentication for Windows domain servers". Also make sure you set the Realm to the FQDN of your Active Directory domain and disable Anonymous access.
The IE settings you will want to push to your users via Group Policy.
I've found the best results when you have an intranet URL that looks something like http://internalname (whatever name you want) with no periods, .com or FQDN, etc.
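
An added example, not part of the original question or answer: a small Python triage that applies the checks listed in the answer above to one unauthenticated request and the response the server gave it. The function names and finding labels are hypothetical, and the sample headers are constructed.

```python
from urllib.parse import urlsplit

# Schemes a browser can answer silently with the logged-on Windows account.
INTEGRATED = {"negotiate", "ntlm"}

def offered_schemes(headers):
    """Return the scheme named by each WWW-Authenticate header, lower-cased."""
    schemes = []
    for name, value in headers:
        if name.lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return schemes

def triage(url, status, headers):
    """Return findings for one request sent without credentials."""
    findings = []
    host = urlsplit(url).hostname or ""
    if "." in host:
        # Per the answer: a period in the name makes IE tend to treat it as external.
        findings.append("host-has-period")
    schemes = offered_schemes(headers)
    if status == 200:
        # Content served without any challenge: Anonymous access is still on.
        findings.append("anonymous-still-enabled")
    elif status == 401:
        if not INTEGRATED & set(schemes):
            findings.append("integrated-auth-not-offered")
        if "basic" in schemes:
            # Basic always prompts and sends the password base64-encoded.
            findings.append("basic-offered")
    return findings

# Constructed sample: the challenge a site with only Integrated Windows
# Authentication enabled sends to a request that carries no credentials.
SAMPLE_401 = [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")]

if __name__ == "__main__":
    print(triage("http://intranet.ourcompany/app/", 401, SAMPLE_401))
    print(triage("http://internalname/app/", 401, SAMPLE_401))
    print(triage("http://internalname/app/", 200, []))
```

An empty result means the server side matches the answer's list, so the remaining causes are the browser zone and logon settings.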