Integrated Windows Authentication

by Mike Wasson

Integrated Windows authentication enables users to log in with their Windows credentials, using Kerberos or NTLM. The client sends credentials in the Authorization header. Windows authentication is best suited for an intranet environment. For more information, see Windows Authentication.

Advantages
- Built into IIS.
- Does not send the user credentials in the request.
- If the client computer belongs to the domain (for example, intranet application), the user does not need to enter credentials.

Disadvantages
- Not recommended for Internet applications.
- Requires Kerberos or NTLM support in the client.
- Client must be in the Active Directory domain.

Note

If your application is hosted on Azure and you have an on-premise Active Directory domain, consider federating your on-premise AD with Azure Active Directory. That way, users can log in with their on-premise credentials, but the authentication is performed by Azure AD. For more information, see Azure Authentication.

To create an application that uses Integrated Windows authentication, select the "Intranet Application" template in the MVC 4 project wizard. This project template puts the following setting in the Web.config file:

<system.web>
    <authentication mode="Windows" />
</system.web>

On the client side, Integrated Windows authentication works with any browser that supports the Negotiate authentication scheme, which includes most major browsers. For .NET client applications, the HttpClient class supports Windows authentication:

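using System.Net.Http;

// Send the current Windows user's credentials (the default credentials)
// with requests made through this handler.
HttpClientHandler handler = new HttpClientHandler()
{
    UseDefaultCredentials = true
};

HttpClient client = new HttpClient(handler);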

Windows authentication is vulnerable to cross-site request forgery (CSRF) attacks. See Preventing Cross-Site Request Forgery (CSRF) Attacks.
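Because the browser attaches Windows credentials to every request automatically, a server-side check for a per-user anti-forgery token is the usual mitigation. The following is an added example, not code from the original article: a Web API message handler that rejects state-changing requests without a valid token pair. The class name, the header name, and the "cookieToken:formToken" header format are assumptions; the tokens are assumed to come from AntiForgery.GetTokens on a page your site rendered, and the code assumes IIS hosting on .NET 4.5.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Helpers;   // AntiForgery
using System.Web.Mvc;       // HttpAntiForgeryException

// Hypothetical handler name. Register it in the Web API configuration with:
//   config.MessageHandlers.Add(new AntiForgeryHeaderHandler());
public class AntiForgeryHeaderHandler : DelegatingHandler
{
    // Assumed header carrying "cookieToken:formToken".
    private const string TokenHeader = "RequestVerificationToken";

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Only state-changing methods are checked; GET/HEAD/OPTIONS must stay read-only.
        bool safe = request.Method == HttpMethod.Get
                 || request.Method == HttpMethod.Head
                 || request.Method == HttpMethod.Options;
        if (!safe && !HasValidTokens(request))
        {
            // Credentials were attached automatically, but no valid token was presented.
            var denied = new HttpResponseMessage(HttpStatusCode.Forbidden) { RequestMessage = request };
            return Task.FromResult(denied);
        }
        return base.SendAsync(request, cancellationToken);
    }

    private static bool HasValidTokens(HttpRequestMessage request)
    {
        IEnumerable<string> values;
        if (!request.Headers.TryGetValues(TokenHeader, out values)) return false;
        string[] parts = values.First().Split(':');
        if (parts.Length != 2) return false;
        try
        {
            // Throws when a token is missing, malformed, or issued to a different user.
            AntiForgery.Validate(parts[0].Trim(), parts[1].Trim());
            return true;
        }
        catch (HttpAntiForgeryException) { return false; }
    }
}
```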