Kerberos authentication in IIS 7
We have some web content that is set up in virtual directories using Integrated Windows Authentication. The virtual directories are running under application pools that use a custom identity (a custom user account). The problem is that NTLM authentication works, but Kerberos authentication does not. This is the same configuration that worked under IIS 6, but we need to migrate to IIS 7, and Kerberos authentication isn't working.
Here's some more information about my environment:
Virtual Directory Authentication Settings:
- Everything disabled except for Windows Authentication
- Enable kernel-mode authentication: enabled
App Pool Settings:
- Managed Pipeline Mode: Classic
- Identity: Custom local user
Web.config Settings:
- authentication mode = "Windows"
- system.serviceModel/bindings/basicHttpBinding/binding/security/mode = TransportCredentialOnly
- system.serviceModel/bindings/basicHttpBinding/binding/security/transport/clientCredentialType = Windows
- serviceHostingEnvironment/aspNetCompatibilityEnabled = true
Virtual Directory Permissions:
- Custom local groups: We add domain users to the local groups for access to the service
OS settings:
- IIS 7
- Windows Server 2008 x64 standard SP2
Here is the analysis I get from Fiddler comparing IIS 6 to IIS 7. Kerberos authentication is working fine in IIS 6 with an app pool running under a custom identity.
Reference (IIS 6) (Works):
Fiddler:
(Using domain\user)
Request 1 (no auth)
No Proxy-Authorization Header is present.
No Authorization Header is present.
Response 1 (401) (challenge)
No Proxy-Authenticate Header is present.
WWW-Authenticate Header is present: Negotiate
WWW-Authenticate Header is present: NTLM
Request 2 (Kerberos ticket)
Authorization Header (Negotiate) appears to contain a Kerberos ticket:
<data>
Response 2 (401) (Kerberos reply)
WWW-Authenticate Header (Negotiate) appears to be a Kerberos reply:
<data>
Request 3 (Kerberos ticket)
Authorization Header (Negotiate) appears to contain a Kerberos ticket:
<data>
Response 3 (401) (Kerberos reply)
WWW-Authenticate Header (Negotiate) appears to be a Kerberos reply:
<data>
Request 4 (Kerberos ticket)
Authorization Header (Negotiate) appears to contain a Kerberos ticket:
<data>
Response 4 (200) (Kerberos Reply)
WWW-Authenticate Header (Negotiate) appears to be a Kerberos reply:
<data>
And the transaction completes and the browser displays the page.
(IIS 7) (Doesn't Work):
Fiddler:
(Using domain\user)
Request 1 (no auth)
No Proxy-Authorization Header is present.
No Authorization Header is present.
Response 1 (401) (Negotiate)
No Proxy-Authenticate Header is present.
WWW-Authenticate Header is present: Negotiate
WWW-Authenticate Header is present: NTLM
Request 2 (Kerberos ticket)
Authorization Header (Negotiate) appears to contain a Kerberos ticket:
<data>
Response 2 (401) (Negotiate)
No Proxy-Authenticate Header is present.
WWW-Authenticate Header is present: Negotiate
WWW-Authenticate Header is present: NTLM
Notice that IIS 7 isn't accepting my Kerberos ticket in Response 2. Any idea why not? Do I need to reconfigure some stuff in IIS 7 to get Kerberos authentication to work?
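The Fiddler summary above only reports what each header "appears to" contain. What follows is an added example, not part of the question or of Fiddler's output: it decodes the Negotiate blob itself and reports which mechanisms the client offered, whether the inner token is a Kerberos AP-REQ or an NTLM message, and, for a server reply, which mechanism the server selected and whether it continued or rejected the context. A bare `WWW-Authenticate: Negotiate` with no token, as in Response 2 of the IIS 7 trace, is reported as a fresh challenge rather than a continuation. The tokens it runs on are constructed placeholders (an AP-REQ with an empty body and zero-filled NTLM messages), not captured traffic; the OIDs and tag layout are the ones from RFC 4178 and RFC 4121.

```python
import base64

# Mechanism OIDs as DER content bytes (without tag and length).
SPNEGO_OID = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2 (older Windows Kerberos OID)
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {KRB5_OID: "Kerberos", MS_KRB5_OID: "MS-Kerberos", NTLMSSP_OID: "NTLM"}
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

def der(tag, content):
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def read_tlv(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def read_children(buf):
    """Return the (tag, content) pairs inside a constructed value."""
    out, pos = [], 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        out.append((tag, content))
    return out

def inner_token_type(tok):
    """Name the mechanism token that SPNEGO is carrying."""
    if tok.startswith(b"NTLMSSP\x00"):
        return "NTLM type %d" % int.from_bytes(tok[8:12], "little")
    if tok[:1] == b"\x60":                      # GSS-API InitialContextToken: OID, then RFC 4121 TOK_ID
        _, body, _ = read_tlv(tok)
        _, oid, pos = read_tlv(body)
        if oid in (KRB5_OID, MS_KRB5_OID):
            return {b"\x01\x00": "Kerberos AP-REQ", b"\x02\x00": "Kerberos AP-REP",
                    b"\x03\x00": "Kerberos KRB-ERROR"}.get(body[pos:pos + 2], "Kerberos (unknown TOK_ID)")
    return "unknown"

def classify_negotiate(header_value):
    """Classify the value of an Authorization or WWW-Authenticate header that uses Negotiate."""
    parts = header_value.split(None, 1)
    if parts[0].lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    if len(parts) == 1:
        # The server re-advertised Negotiate without a token: it did not continue the client's context.
        return {"kind": "bare-challenge"}
    tok = base64.b64decode(parts[1])
    if tok.startswith(b"NTLMSSP\x00"):          # Windows also accepts raw NTLM inside a Negotiate header
        return {"kind": "raw-ntlm", "inner": inner_token_type(tok)}
    tag, body, _ = read_tlv(tok)
    if tag == 0x60:                              # client side: InitialContextToken wrapping SPNEGO or Kerberos
        _, oid, pos = read_tlv(body)
        if oid != SPNEGO_OID:
            return {"kind": "raw-gss", "inner": inner_token_type(tok)}
        tag, body, _ = read_tlv(body, pos)      # NegotiationToken CHOICE: a0 = negTokenInit
    fields = dict(read_children(read_tlv(body)[1]))  # unwrap the SEQUENCE; map context tag -> content
    inner = read_tlv(fields[0xA2])[1] if 0xA2 in fields else b""
    inner_name = inner_token_type(inner) if inner else "none"
    if tag == 0xA0:
        mechs = [MECH_NAMES.get(oid, oid.hex()) for _, oid in read_children(read_tlv(fields[0xA0])[1])]
        return {"kind": "negTokenInit", "mechs": mechs, "inner": inner_name}
    if tag == 0xA1:                              # server side: negTokenResp
        state = NEG_STATE.get(read_tlv(fields[0xA0])[1][0]) if 0xA0 in fields else None
        mech = MECH_NAMES.get(read_tlv(fields[0xA1])[1]) if 0xA1 in fields else None
        return {"kind": "negTokenResp", "state": state, "mech": mech, "inner": inner_name}
    raise ValueError("unrecognised Negotiate token")

def build_neg_token_init(mech_oids, mech_token):
    """Constructed client token: SPNEGO negTokenInit inside a GSS-API InitialContextToken."""
    mech_types = der(0x30, b"".join(der(0x06, o) for o in mech_oids))
    seq = der(0x30, der(0xA0, mech_types) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, seq))

def build_neg_token_resp(state, mech_oid, response_token):
    """Constructed server token: SPNEGO negTokenResp."""
    seq = der(0xA0, der(0x0A, bytes([state]))) + der(0xA1, der(0x06, mech_oid))
    return der(0xA1, der(0x30, seq + der(0xA2, der(0x04, response_token))))

# Constructed placeholders (an AP-REQ with an empty body, zero-filled NTLM messages), not real captures.
FAKE_AP_REQ = der(0x60, der(0x06, KRB5_OID) + b"\x01\x00" + der(0x6E, b""))
FAKE_NTLM_TYPE1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(20)
FAKE_NTLM_TYPE2 = b"NTLMSSP\x00" + (2).to_bytes(4, "little") + bytes(36)

SAMPLE_KERB_REQUEST = "Negotiate " + base64.b64encode(
    build_neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], FAKE_AP_REQ)).decode()
SAMPLE_NTLM_REQUEST = "Negotiate " + base64.b64encode(build_neg_token_init([NTLMSSP_OID], FAKE_NTLM_TYPE1)).decode()
SAMPLE_NTLM_REPLY = "Negotiate " + base64.b64encode(build_neg_token_resp(1, NTLMSSP_OID, FAKE_NTLM_TYPE2)).decode()
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(FAKE_NTLM_TYPE1).decode()
SAMPLE_BARE_CHALLENGE = "Negotiate"   # IIS 7 "Response 2" in the question: Negotiate offered, no token
```

Paste the real header values from Fiddler's raw view into `classify_negotiate` instead of the samples. A client request whose inner token is an AP-REQ but whose reply is a bare challenge means the server never continued the Kerberos context; a `negTokenResp` selecting NTLM after a Kerberos offer is the fallback the accepted answer describes.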
Solutions
RESOLUTION
In order for me to get IIS 7 to negotiate authentication as IIS 6 does, I had to set useAppPoolCredentials on the windowsAuthentication element of my virtual directory in the applicationHost.config file to true. This is done by running either one of these commands:
To apply to individual applications:
First unlock:
Then apply:
NOTE - This actually doesn't make Kerberos work. What it does is make IIS 7 behave like IIS 6. What this means is that if Kerberos negotiation between the server and client fails, then the server automatically falls back to NTLM. This is actually the thing that made authentication work for me (NTLM).
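The commands themselves are not reproduced on the page. The following is an added example of how that setting is applied and checked; it is not the answerer's own script, and the names in it are assumptions: the application is `Default Web Site/svc`, its pool runs as the domain account `CONTOSO\svc_iis`, and the server is `web01.contoso.local`.

```powershell
# Added example, not the answer's own commands. Assumed names: application "Default Web Site/svc",
# pool identity CONTOSO\svc_iis, host web01.contoso.local.
$appcmd  = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$app     = 'Default Web Site/svc'
$section = 'system.webServer/security/authentication/windowsAuthentication'

# 1. windowsAuthentication is locked at the server level by default; unlock it so it can be
#    set per application (appcmd then writes a <location> element into applicationHost.config).
& $appcmd unlock config "/section:$section"

# 2. Make kernel-mode authentication decrypt Kerberos tickets with the pool identity's key
#    instead of the machine account's. Kernel-mode authentication itself stays enabled.
& $appcmd set config $app "/section:$section" /useAppPoolCredentials:true /commit:apphost

# 3. Read back the effective settings for the application.
& $appcmd list config $app "/section:$section"

# 4. A Kerberos ticket can only be decrypted by the account that owns the HTTP SPN the client
#    asked for, so the pool account must hold the SPNs for every host name clients use.
#    A local account has no servicePrincipalName and no domain key, so it can never qualify.
setspn -L CONTOSO\svc_iis
# Register the SPNs once if they are missing (needs rights to write servicePrincipalName):
#   setspn -S HTTP/web01 CONTOSO\svc_iis
#   setspn -S HTTP/web01.contoso.local CONTOSO\svc_iis

# 5. Negotiate falls back to NTLM silently, so a 200 does not prove Kerberos was used.
#    Security event 4624 names the package for each logon; tally the recent ones.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 200 |
    ForEach-Object { if ($_.Message -match 'Authentication Package:\s+(\S+)') { $Matches[1] } } |
    Group-Object | Select-Object Name, Count
```

The alternative to step 2 is to disable kernel-mode authentication for the application, which moves ticket decryption back into the w3wp.exe process running as the pool identity; useAppPoolCredentials keeps the kernel-mode path and is the lighter change. Note that the question's pool runs as a local user: such an account cannot hold an SPN, so no Kerberos ticket can be issued for it or decrypted by it, and the exchange can only end in NTLM, which is the outcome the answer reports. Kerberos to a custom pool identity requires a domain account with the HTTP SPNs registered on it; the event tally in step 5 shows which package the logons actually used.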
Are you using the Negotiate:Kerberos provider for Windows Authentication? If there is a problem around Kerberos, you might be able to get more details on the problem by running Network Monitor (or something similar like WireShark) on the client, while trying to authenticate. Look at the messages in the Internet Explorer process and you may be able to see some Kerberos goings-on.