使用 AzMan 作为服务帐户运行 IIS
由于 IP 原因,我需要有一个网站作为服务帐户运行,我还希望能够使用 AzMan 进行用户身份验证/身份验证。由于某种原因,我似乎无法让这些一起工作。我已经设置了一个示例应用程序来测试基本上可以吐出一些用户凭据的水域。除了 Azman 和设置的 Web 配置之外,该应用程序没有集成代码(没有日志记录/DB/Webserice 交互),它是一个寻呼机。
在网络服务帐户下运行应用程序池,匿名访问被拒绝,我得到:
Windows Identity Check - Name: 'NT AUTHORITY\NETWORK SERVICE'
Request.LogonUserIdentity.Name = 'CT\rhyc'
HttpContext.User.Identity.Name = 'CT\rhyc'
User.Identity.Name = 'CT\rhyc'
Is in UserRole = 'True'
..这一切都很好,一切正常,但是服务帐户是网络服务而不是我应该使用的服务帐户。 如果我将帐户切换到服务帐户,我会收到弹出窗口,要求提供用户凭据(我不想要,它应该是单点登录);但是我在之前的设置(ct/rhyc)中获得了这些凭据,
该网站运行了一个 setspn 命令(显然),但我真的不知道 spn 是做什么的,更不用说知道如何检查它。 另外,如果我允许匿名访问运行服务帐户的应用程序池,我会得到:
Windows Identity Check - Name: 'CT\SVC-PERAT2-T2DEV'
Request.LogonUserIdentity.Name = 'PERAT2NTAH3WD1\CVX_IUSR'
HttpContext.User.Identity.Name = ''
User.Identity.Name = ''
Is in UserRole = 'False'
抱歉,我是 IIS n00b,这通常不是我会做的事情,但是我们的管理员似乎对 IIS 不太了解,所以留给我了..:(
I have a requirement to have a website running as a service account for IP reasons, I also want to be able to use AzMan for Auth/Auth of the users. For some reason I can't seem to get these working together. I have set up a sample app to test the waters that basically spits out some user credentials. Other than Azman and the web config set up the app has no integration code (no logging/DB/Webserice interaction) it's a one pager.
Running the app pool under the network service account with the Anon access denied I get:
Windows Identity Check - Name: 'NT AUTHORITY\NETWORK SERVICE'
Request.LogonUserIdentity.Name = 'CT\rhyc'
HttpContext.User.Identity.Name = 'CT\rhyc'
User.Identity.Name = 'CT\rhyc'
Is in UserRole = 'True'
..which is all good, everything is working, however the service account is network service not the service account I am supposed to be using.
If I switch the account to the service account I get the pop up window asking for user credentials (which I don't want, it should be single sign on); however I was getting these credentials passed down in the previous set up (ct/rhyc)
There has been a setspn command run for the web site (apparently), but I don't really know what spn does, let alone know how to check it.
Also if I allow anon access with the app pool running the service account the I get:
Windows Identity Check - Name: 'CT\SVC-PERAT2-T2DEV'
Request.LogonUserIdentity.Name = 'PERAT2NTAH3WD1\CVX_IUSR'
HttpContext.User.Identity.Name = ''
User.Identity.Name = ''
Is in UserRole = 'False'
Sorry guys, I'm and IIS n00b, it is not normally something I would do, however our admins don't seem to know much about IIS so it's left to me.. :(
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
通过 SPN,您将进入 Kerberos 的世界。这通常是一个未知的领域。
有一份很棒的白皮书详细介绍了与此相关的安全问题:
http://www. microsoft.com/DOWNLOADS/details.aspx?FamilyID=7dfeb015-6043-47db-8238-dc7af89c93f1&displaylang=en
它解释了如何打开更多日志记录以找到身份验证问题的根源。通常,这与 Exchange 中的委派未设置为传递用户凭据等有关。
更多信息请参见:
http://support.microsoft.com/kb/262177
with SPN you are getting into the World of Kerberos. This is typically an area of the unknown.
There is a great whitepaper that walks through troubleshooting security around this:
http://www.microsoft.com/DOWNLOADS/details.aspx?FamilyID=7dfeb015-6043-47db-8238-dc7af89c93f1&displaylang=en
It explains about how to turn on more logging to get to the root of the auth problem. Usually it is to do with delegation in Exchange not being setup to pass the credentials of a user on etc.
More here:
http://support.microsoft.com/kb/262177
好吧,看来我们找错了树。 Kerbros 从来都不是必需的,不知怎么的,它是如何从中国人的耳语中溜走的。我们已更改为 NTLM,一切都很好。
下面的cmd
cscript adsutil.vbs set w3svc/1152622725/root/NTAuthenticationProviders "NTLM"
其中 1152622725 是网站 id
感谢所有帮助人员,吸取的教训:不要用 kerbros 操,因为它会反噬!
OK so it looks like we were barking up the wrong tree. Kerbros was never required, some how it got slipped through chinese whispers. We have changed to just NTLM and all is well.
cmd below
cscript adsutil.vbs set w3svc/1152622725/root/NTAuthenticationProviders "NTLM"
where 1152622725 was the website id
Thanks for all the help guys, lesson learned: don't f__k with kerbros, because it bites back!