如何使用客户的(远程)活动目录服务器对用户进行身份验证

问题描述

我们正在开发一个托管在我们网络上的网络应用程序，但客户希望我们与他们的(远程)活动目录同步".

We are developing a web application to be hosted on our network, but the client wishes us to 'sync' with their (remote) active directory.

基本上，他们希望使用他们的 AD 凭据登录我们的 Web 应用程序.

Basically, they would like to sign on to our web application using their AD credentials.

关键在于 Web 应用程序(我们的)和 AD 目录(他们的)位于两个完全**且断开连接的网络上.

The key point is that the web application (ours) and the AD directory (theirs) are on two totally separate and disconnected networks.

您推荐哪些工具和/或策略来提供此服务?

What tools and/or strategies do you recommend to provide this service?

我们的 Web 应用程序是 c#/IIS.

Our web application is c#/IIS.

推荐答案

此方案是 Windows Identity Foundation (WIF) 支持的主要方案之一，前提是它们可以将其 AD 公开为安全令牌服务 (STS).他们可以使用 ADFS 2 做到这一点.一般方法称为联合身份验证.WIF 与 ASP.Net 的集成非常好.

This scenario is one of the main scenarios supported by Windows Identity Foundation (WIF), provided they can expose their AD as a security token service (STS). They can do this using ADFS 2. The general approach is called identity federation. WIF integrates extremely well with ASP.Net.

网上有很多关于 WIF 和 ADFS 2 联合身份验证的文档.例如，试试 this 以及 WIF SDK 和 Visual Studio 工具的文档.

There is lots of documentation on the web about WIF and identity federation with ADFS 2. For example, try this and also the documentation for the WIF SDK and Visual Studio tools.