本地帐户需要什么权限才能允许 IIS 使用 Kerberos?
我有一个在 IIS7 上运行的网站。应用程序池在本地计算机帐户下运行。我们正在使用 Windows 身份验证来对用户进行身份验证,但这失败了,因为本地帐户似乎没有权限向域控制器发出 Kerberos 请求,因为事件日志似乎表明:
帐户已成功登录。
主题: 安全 ID:NULL SID
帐户名称:-
帐户域:-
登录 ID:0x0
登录类型:3
新登录:
Security ID: MyDomain\mark
Account Name: Mark
Account Domain: MyDomain
Logon ID: 0x2ed3554
Logon GUID: {4a4f0c3f-2232-c2d9-9868-3a020042810f}
如果我使用帐户网络服务、本地服务或本地系统然后一切正常。那么,我需要什么额外的权限来授予我的本地计算机帐户,以便它可以支持使用 Kerberos 的 Windows 身份验证?
感谢!
I have a site running on IIS7. The application pool is running under a local machine account. We are using Windows Authentication to authenticate users but this is failing because the local account does not seem to have permission to make the Kerberos request to the domain controller as the event log seems to indicate:
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: MyDomain\mark
Account Name: Mark
Account Domain: MyDomain
Logon ID: 0x2ed3554
Logon GUID: {4a4f0c3f-2232-c2d9-9868-3a020042810f}
If I use the accounts Network Service, Local Service or Local System then all works fine. So what additional permission do I need to grant my local machine account so that it can support Windows Authentication with Kerberos?
Thank!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
经过更多研究后,我认为基本上使用带有 Kerberos 的本地计算机帐户是一个有缺陷的想法。似乎没有办法将本地帐户添加到AD中,那么它如何与域控制器通信呢?因此,我选择在本地帐户下运行的站点上禁用 Kerberos:
希望这对某人有帮助。
After some more research I think basically it is a flawed idea using a local machine account with Kerberos. There doesn't seem to be a way to add the local account into AD so how could it communicate with the domain controller? Therefore, I opted for disabling Kerberos on sites running under a local account:
Hope this helps someone.