Configure Windows Authentication in ASP.NET Core

By Scott Addie and Luke Latham

Windows Authentication (also known as Negotiate, Kerberos, or NTLM authentication) can be configured for ASP.NET Core apps hosted with IIS, Kestrel, or HTTP.sys.

Windows Authentication (also known as Negotiate, Kerberos, or NTLM authentication) can be configured for ASP.NET Core apps hosted with IIS or HTTP.sys.

Windows Authentication relies on the operating system to authenticate users of ASP.NET Core apps. You can use Windows Authentication when your server runs on a corporate network using Active Directory domain identities or Windows accounts to identify users. Windows Authentication is best suited to intranet environments where users, client apps, and web servers belong to the same Windows domain.

Note

Windows Authentication isn't supported with HTTP/2. Authentication challenges can be sent on HTTP/2 responses, but the client must downgrade to HTTP/1.1 before authenticating.

IIS/IIS Express

Add authentication services by invoking AddAuthentication (Microsoft.AspNetCore.Server.IISIntegration namespace) in Startup.ConfigureServices:

services.AddAuthentication(IISDefaults.AuthenticationScheme);

Launch settings (debugger)

Configuration for launch settings only affects the Properties/launchSettings.json file for IIS Express and doesn't configure IIS for Windows Authentication. Server configuration is explained in the IIS section.

The Web Application template available via Visual Studio or the .NET Core CLI can be configured to support Windows Authentication, which updates the Properties/launchSettings.json file automatically.

New project

  1. Create a new project.
  2. Select ASP.NET Core Web Application. Select Next.
  3. Provide a name in the Project name field. Confirm the Location entry is correct or provide a location for the project. Select Create.
  4. Select Change under Authentication.
  5. In the Change Authentication window, select Windows Authentication. Select OK.
  6. Select Web Application.
  7. Select Create.

Run the app. The username appears in the rendered app's user interface.

Existing project

The project's properties enable Windows Authentication and disable Anonymous Authentication:

  1. Right-click the project in Solution Explorer and select Properties.
  2. Select the Debug tab.
  3. Clear the check box for Enable Anonymous Authentication.
  4. Select the check box for Enable Windows Authentication.
  5. Save and close the property page.

Alternatively, the properties can be configured in the iisSettings node of the launchSettings.json file:

"iisSettings": {
    "windowsAuthentication": true,
    "anonymousAuthentication": false,
    "iisExpress": {
        "applicationUrl": "http://localhost:52171/",
        "sslPort": 44308
    }
}

When modifying an existing project, confirm that the project file includes a package reference for the Microsoft.AspNetCore.App metapackage or the Microsoft.AspNetCore.Authentication NuGet package.

IIS

IIS uses the ASP.NET Core Module to host ASP.NET Core apps. Windows Authentication is configured for IIS via the web.config file. The following sections show how to:

  • Provide a local web.config file that activates Windows Authentication on the server when the app is deployed.
  • Use the IIS Manager to configure the web.config file of an ASP.NET Core app that has already been deployed to the server.

If you haven't already done so, enable IIS to host ASP.NET Core apps. For more information, see Host ASP.NET Core on Windows with IIS.

Enable the IIS Role Service for Windows Authentication. For more information, see Enable Windows Authentication in IIS Role Services (see Step 2).

IIS Integration Middleware is configured to automatically authenticate requests by default. For more information, see Host ASP.NET Core on Windows with IIS: IIS options (AutomaticAuthentication).

The ASP.NET Core Module is configured to forward the Windows Authentication token to the app by default. For more information, see ASP.NET Core Module configuration reference: Attributes of the aspNetCore element.

Use either of the following approaches:

  • Before publishing and deploying the project, add the following web.config file to the project root:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <location path="." inheritInChildApplications="false">
        <system.webServer>
          <security>
            <authentication>
              <anonymousAuthentication enabled="false" />
              <windowsAuthentication enabled="true" />
            </authentication>
          </security>
        </system.webServer>
      </location>
    </configuration>
    

    When the project is published by the .NET Core SDK (without the <IsTransformWebConfigDisabled> property set to true in the project file), the published web.config file includes the <location><system.webServer><security><authentication> section. For more information on the <IsTransformWebConfigDisabled> property, see Host ASP.NET Core on Windows with IIS.

  • After publishing and deploying the project, perform server-side configuration with the IIS Manager:

    1. In IIS Manager, select the IIS site under the Sites node of the Connections sidebar.
    2. Double-click Authentication in the IIS area.
    3. Select Anonymous Authentication. Select Disable in the Actions sidebar.
    4. Select Windows Authentication. Select Enable in the Actions sidebar.

    When these actions are taken, IIS Manager modifies the app's web.config file. A <system.webServer><security><authentication> node is added with updated settings for anonymousAuthentication and windowsAuthentication:

    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
    

    The <system.webServer> section added to the web.config file by IIS Manager is outside of the app's <location> section added by the .NET Core SDK when the app is published. Because the section is added outside of the <location> node, the settings are inherited by any sub-apps to the current app. To prevent inheritance, move the added <security> section inside of the <location><system.webServer> section that the .NET Core SDK provided.

    When IIS Manager is used to add the IIS configuration, it only affects the app's web.config file on the server. A subsequent deployment of the app may overwrite the settings on the server if the server's copy of web.config is replaced by the project's web.config file. Use either of the following approaches to manage the settings:

    • Use IIS Manager to reset the settings in the web.config file after the file is overwritten on deployment.
    • Add a web.config file to the app locally with the settings.
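The placement problem described above can be checked mechanically, for example after each deployment. The following C# program is an added example, not code from the original page or from Microsoft; the class name WebConfigAuthCheck and the sample document are constructed for illustration. It reports when the <security><authentication> section is not scoped by a <location inheritInChildApplications="false"> node, and when anonymous access is left enabled:

```csharp
// Added example (not from the original page): flag web.config authentication
// settings that sub-apps would inherit or that leave anonymous access enabled.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

public static class WebConfigAuthCheck
{
    // True when <child enabled="..."> exists under parent with the expected value.
    static bool Is(XElement parent, string child, string expected) =>
        string.Equals(parent.Element(child)?.Attribute("enabled")?.Value,
                      expected, StringComparison.OrdinalIgnoreCase);

    public static List<string> Check(string webConfigXml)
    {
        var findings = new List<string>();
        // Only <system.webServer><security><authentication> is of interest here.
        var sections = XDocument.Parse(webConfigXml)
            .Descendants("authentication")
            .Where(a => a.Parent?.Name.LocalName == "security" &&
                        a.Parent.Parent?.Name.LocalName == "system.webServer")
            .ToList();

        if (sections.Count == 0)
            findings.Add("no <security><authentication> section: inherited settings apply");

        foreach (var auth in sections)
        {
            // The settings stay local only inside <location inheritInChildApplications="false">.
            var location = auth.Ancestors("location").FirstOrDefault();
            var scoped = location != null && string.Equals(
                (string)location.Attribute("inheritInChildApplications"),
                "false", StringComparison.OrdinalIgnoreCase);
            if (!scoped)
                findings.Add("authentication settings are inherited by sub-apps");
            if (!Is(auth, "anonymousAuthentication", "false"))
                findings.Add("anonymousAuthentication is not disabled");
            if (!Is(auth, "windowsAuthentication", "true"))
                findings.Add("windowsAuthentication is not enabled");
        }
        return findings;
    }

    public static void Main()
    {
        // Constructed sample: the section as IIS Manager adds it, outside <location>.
        const string addedByIisManager = @"<configuration>
  <location path=""."" inheritInChildApplications=""false"">
    <system.webServer><handlers /></system.webServer>
  </location>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled=""false"" />
    <windowsAuthentication enabled=""true"" />
  </authentication></security></system.webServer>
</configuration>";

        foreach (var finding in Check(addedByIisManager))
            Console.WriteLine(finding);
    }
}
```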

Kestrel

The Microsoft.AspNetCore.Authentication.Negotiate NuGet package can be used with Kestrel to support Windows Authentication using Negotiate, Kerberos, and NTLM on Windows, Linux, and macOS.

Warning

Credentials can be persisted across requests on a connection. Negotiate authentication must not be used with proxies unless the proxy maintains a 1:1 connection affinity (a persistent connection) with Kestrel.

Note

The Negotiate handler detects if the underlying server supports Windows Authentication natively and if it's enabled. If the server supports Windows Authentication but it's disabled, an error is thrown asking you to enable the server implementation. When Windows Authentication is enabled in the server, the Negotiate handler transparently forwards to it.

Add authentication services by invoking AddAuthentication (Microsoft.AspNetCore.Authentication.Negotiate namespace) and AddNegotiate (Microsoft.AspNetCore.Authentication.Negotiate namespace) in Startup.ConfigureServices:

services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
   .AddNegotiate();

Add Authentication Middleware by calling UseAuthentication in Startup.Configure:

app.UseAuthentication();

app.UseMvc();

For more information on middleware, see ASP.NET Core Middleware.

Anonymous requests are allowed. Use ASP.NET Core Authorization to challenge anonymous requests for authentication.

Windows environment configuration

The Microsoft.AspNetCore.Authentication.Negotiate component performs User Mode authentication. Service Principal Names (SPNs) must be added to the user account running the service, not the machine account. Execute setspn -S HTTP/myservername.mydomain.com myuser in an administrative command shell.

Linux and macOS environment configuration

Instructions for joining a Linux or macOS machine to a Windows domain are available in the Connect Azure Data Studio to your SQL Server using Windows authentication - Kerberos article. The instructions create a machine account for the Linux machine on the domain. SPNs must be added to that machine account.

Note

When following the guidance in the Connect Azure Data Studio to your SQL Server using Windows authentication - Kerberos article, replace python-software-properties with python3-software-properties if needed.

Once the Linux or macOS machine is joined to the domain, additional steps are required to provide a keytab file with the SPNs:

  • On the domain controller, add new web service SPNs to the machine account:
    • setspn -S HTTP/mywebservice.mydomain.com mymachine
    • setspn -S HTTP/mywebservice@MYDOMAIN.COM mymachine
  • Use ktpass to generate a keytab file:
    • ktpass -princ HTTP/mywebservice.mydomain.com@MYDOMAIN.COM -pass myKeyTabFilePassword -mapuser MYDOMAIN\mymachine$ -pType KRB5_NT_PRINCIPAL -out c:\temp\mymachine.HTTP.keytab -crypto AES256-SHA1
    • Some fields must be specified in uppercase as indicated.
  • Copy the keytab file to the Linux or macOS machine.
  • Select the keytab file via an environment variable: export KRB5_KTNAME=/tmp/mymachine.HTTP.keytab
  • Invoke klist to show the SPNs currently available for use.

Note

A keytab file contains domain access credentials and must be protected accordingly.

HTTP.sys

HTTP.sys supports Kernel Mode Windows Authentication using Negotiate, NTLM, or Basic authentication.

Add authentication services by invoking AddAuthentication (Microsoft.AspNetCore.Server.HttpSys namespace) in Startup.ConfigureServices:

services.AddAuthentication(HttpSysDefaults.AuthenticationScheme);

Configure the app's web host to use HTTP.sys with Windows Authentication (Program.cs). UseHttpSys is in the Microsoft.AspNetCore.Server.HttpSys namespace.

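// Two alternative Program classes follow; an app uses one of them, not both.
using Microsoft.AspNetCore;                 // WebHost (second variant)
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Server.HttpSys;  // UseHttpSys, AuthenticationSchemes
using Microsoft.Extensions.Hosting;         // Host (first variant)

// Variant using the Generic Host (Host.CreateDefaultBuilder):
public class Program
{
    public static void Main(string[] args)
    {
        CreateHostBuilder(args).Build().Run();
    }

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.UseStartup<Startup>()
                    .UseHttpSys(options =>
                    {
                        options.Authentication.Schemes = 
                            AuthenticationSchemes.NTLM | 
                            AuthenticationSchemes.Negotiate;
                        // Requests without credentials are rejected by HTTP.sys.
                        options.Authentication.AllowAnonymous = false;
                    });
            });
}

// Variant using the Web Host (WebHost.CreateDefaultBuilder):
public class Program
{
    public static void Main(string[] args) => 
        BuildWebHost(args).Run();

    public static IWebHost BuildWebHost(string[] args) =>
        WebHost.CreateDefaultBuilder(args)
            .UseStartup<Startup>()
            .UseHttpSys(options =>
            {
                options.Authentication.Schemes = 
                    AuthenticationSchemes.NTLM | 
                    AuthenticationSchemes.Negotiate;
                // Requests without credentials are rejected by HTTP.sys.
                options.Authentication.AllowAnonymous = false;
            })
            .Build();
}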

Note

HTTP.sys delegates to kernel mode authentication with the Kerberos authentication protocol. User mode authentication isn't supported with Kerberos and HTTP.sys. The machine account must be used to decrypt the Kerberos token/ticket that's obtained from Active Directory and forwarded by the client to the server to authenticate the user. Register the Service Principal Name (SPN) for the host, not the user of the app.

Note

HTTP.sys isn't supported on Nano Server version 1709 or later. To use Windows Authentication and HTTP.sys with Nano Server, use a Server Core (microsoft/windowsservercore) container. For more information on Server Core, see What is the Server Core installation option in Windows Server?.

Authorize users

The configuration state of anonymous access determines the way in which the [Authorize] and [AllowAnonymous] attributes are used in the app. The following two sections explain how to handle the disallowed and allowed configuration states of anonymous access.

Disallow anonymous access

When Windows Authentication is enabled and anonymous access is disabled, the [Authorize] and [AllowAnonymous] attributes have no effect. If an IIS site is configured to disallow anonymous access, the request never reaches the app. For this reason, the [AllowAnonymous] attribute isn't applicable.

Allow anonymous access

When both Windows Authentication and anonymous access are enabled, use the [Authorize] and [AllowAnonymous] attributes. The [Authorize] attribute allows you to secure endpoints of the app which require authentication. The [AllowAnonymous] attribute overrides the [Authorize] attribute in apps that allow anonymous access. For attribute usage details, see Simple authorization in ASP.NET Core.

Note

By default, users who lack authorization to access a page are presented with an empty HTTP 403 response. The StatusCodePages Middleware can be configured to provide users with a better "Access Denied" experience.
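The allowed-anonymous state is also what the Kestrel section describes for the Negotiate handler, where anonymous requests reach the app unless authorization challenges them. The following Startup is an added example, not code from the original page: it assumes ASP.NET Core 3.0 or later with endpoint routing (rather than the UseMvc call shown earlier), and StatusController is a hypothetical controller. A fallback policy makes every endpoint require an authenticated user unless it opts out with [AllowAnonymous]:

```csharp
// Added example (not from the original page): Kestrel + Negotiate with a
// fallback policy, so endpoints fail closed when [Authorize] is forgotten.
using Microsoft.AspNetCore.Authentication.Negotiate;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
            .AddNegotiate();

        services.AddAuthorization(options =>
        {
            // Applied to every endpoint that carries no authorization metadata
            // of its own; anonymous callers receive a 401 Negotiate challenge.
            options.FallbackPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
        });

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

[ApiController]
[Route("[controller]")]
public class StatusController : ControllerBase   // hypothetical controller
{
    // Explicit opt-out: reachable without credentials.
    [AllowAnonymous]
    [HttpGet("ping")]
    public string Ping() => "ok";

    // No attribute: the fallback policy applies and the caller must authenticate.
    [HttpGet("whoami")]
    public string WhoAmI() => User.Identity.Name;

    // Explicit [Authorize]: same requirement, stated at the endpoint.
    [Authorize]
    [HttpGet("details")]
    public string Details() => User.Identity.AuthenticationType;
}
```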

Impersonation

ASP.NET Core doesn't implement impersonation. Apps run with the app's identity for all requests, using app pool or process identity. If the app should perform an action on behalf of a user, use WindowsIdentity.RunImpersonated in a terminal inline middleware in Startup.Configure. Run a single action in this context and then close the context.

app.Run(async (context) =>
{
    try
    {
        var user = (WindowsIdentity)context.User.Identity;

        await context.Response
            .WriteAsync($"User: {user.Name}\tState: {user.ImpersonationLevel}\n");

        WindowsIdentity.RunImpersonated(user.AccessToken, () =>
        {
            var impersonatedUser = WindowsIdentity.GetCurrent();
            var message =
                $"User: {impersonatedUser.Name}\t" +
                $"State: {impersonatedUser.ImpersonationLevel}";

            var bytes = Encoding.UTF8.GetBytes(message);
            context.Response.Body.Write(bytes, 0, bytes.Length);
        });
    }
    catch (Exception e)
    {
        await context.Response.WriteAsync(e.ToString());
    }
});

RunImpersonated doesn't support asynchronous operations and shouldn't be used for complex scenarios. For example, wrapping entire requests or middleware chains isn't supported or recommended.

While the Microsoft.AspNetCore.Authentication.Negotiate package enables authentication on Windows, Linux, and macOS, impersonation is only supported on Windows.

Claims transformations

When hosting with IIS, AuthenticateAsync isn't called internally to initialize a user. Therefore, an IClaimsTransformation implementation used to transform claims after every authentication isn't activated by default. For more information and a code example that activates claims transformations, see ASP.NET Core Module.

When hosting with IIS in-process mode, AuthenticateAsync isn't called internally to initialize a user. Therefore, an IClaimsTransformation implementation used to transform claims after every authentication isn't activated by default. For more information and a code example that activates claims transformations when hosting in-process, see ASP.NET Core Module.

Additional resources