Integrated Windows Authentication

by Mike Wasson

Integrated Windows authentication enables users to log in with their Windows credentials, using Kerberos or NTLM. The client sends credentials in the Authorization header. Windows authentication is best suited for an intranet environment. For more information, see Windows Authentication.

| Advantages | Disadvantages |
|---|---|
| Built into IIS. | Not recommended for Internet applications. |
| Does not send the user credentials in the request. | Requires Kerberos or NTLM support in the client. |
| If the client computer belongs to the domain (for example, intranet application), the user does not need to enter credentials. | Client must be in the Active Directory domain. |

Note

If your application is hosted on Azure and you have an on-premise Active Directory domain, consider federating your on-premise AD with Azure Active Directory. That way, users can log in with their on-premise credentials, but the authentication is performed by Azure AD. For more information, see Azure Authentication.

To create an application that uses Integrated Windows authentication, select the "Intranet Application" template in the MVC 4 project wizard. This project template puts the following setting in the Web.config file:

<system.web>
    <authentication mode="Windows" />
</system.web>

On the client side, Integrated Windows authentication works with any browser that supports the Negotiate authentication scheme, which includes most major browsers. For .NET client applications, the HttpClient class supports Windows authentication:

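using System.Net.Http;

// Send the logged-on user's Windows credentials (Negotiate: Kerberos or NTLM) with each request.
HttpClientHandler handler = new HttpClientHandler()
{
    UseDefaultCredentials = true
};

HttpClient client = new HttpClient(handler);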

Windows authentication is vulnerable to cross-site request forgery (CSRF) attacks. See Preventing Cross-Site Request Forgery (CSRF) Attacks.
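The CSRF exposure exists because the browser attaches the user's Windows credentials to requests automatically, so the server needs a second proof that the request came from its own page. One way to enforce that in a Web API project, shown as an added example that is not code from the original article: the names `AntiForgeryHandler` and `IssueHeaderValue` and the `RequestVerificationToken` header are assumptions, and the code assumes IIS hosting (so `HttpContext.Current` is available) and .NET 4.5.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Helpers;   // AntiForgery
using System.Web.Mvc;       // HttpAntiForgeryException

// Hypothetical handler: rejects state-changing requests that lack a valid anti-forgery token pair.
// Register it in WebApiConfig.Register: config.MessageHandlers.Add(new AntiForgeryHandler());
public class AntiForgeryHandler : DelegatingHandler
{
    // Assumed header name; the page's script must send "cookieToken:formToken" in it.
    public const string HeaderName = "RequestVerificationToken";

    // Call while rendering the page for the authenticated user and hand the value to script.
    public static string IssueHeaderValue()
    {
        string cookieToken, formToken;
        AntiForgery.GetTokens(null, out cookieToken, out formToken);
        return cookieToken + ":" + formToken;
    }

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // GET/HEAD/OPTIONS must not change state, so they pass unchecked.
        if (request.Method == HttpMethod.Get || request.Method == HttpMethod.Head ||
            request.Method == HttpMethod.Options)
            return base.SendAsync(request, cancellationToken);

        IEnumerable<string> values;
        string[] parts = request.Headers.TryGetValues(HeaderName, out values)
            ? values.First().Split(':') : new string[0];
        try
        {
            if (parts.Length != 2) throw new HttpAntiForgeryException("Missing token pair.");
            // The form token embeds the user name, so a pair issued to one Windows account fails for another.
            AntiForgery.Validate(parts[0].Trim(), parts[1].Trim());
        }
        catch (HttpAntiForgeryException)
        {
            // A cross-site request carries the Windows credentials but cannot supply this header.
            return Task.FromResult(new HttpResponseMessage(HttpStatusCode.Forbidden) { RequestMessage = request });
        }
        return base.SendAsync(request, cancellationToken);
    }
}
```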