Unable to get Windows authentication to work through local IIS
So I've created a new ASP.NET MVC project using the intranet template. web.config contains the appropriate values (e.g. <authentication mode="windows"/>).
If I fire up the web app using the VS webserver, it all looks fine - the page shows my Windows domain and username and all. However, this works in Opera and Safari as well as IE and FF, which says to me it's not using Windows auth at all (since to the best of my knowledge this doesn't work in any browser except IE/FF).
Next step is to get it working through local IIS. I create a hosts file entry pointing www.mysite.mydomain to 127.0.0.1. So in IIS I create a website with a binding to www.mysite.mydomain and enable Windows authentication and disable anonymous authentication.
I have set up IE and FF to enable Windows auth as follows:
IE
- Add URL to intranet group
- Ensure Windows auth is enabled in the advanced settings
FF
Put 'www.mysite.mydomain' into network.automatic-ntlm-auth.trusted-uris config setting.
But when I dial up www.mysite.mydomain in IE / FF I get a login prompt. Interestingly, even when I type in my Windows login here, it still fails and shows me the login prompt again.
We don't have active directory here but my understanding is that it should work fine with a local account.
I can't think of anything else I need to do. Any suggestions?
Edit: we've recently switched to using Active Directory and the problem remains.
Edit: when I cancel the login prompt, I get taken to an 'IIS 7.5 Detailed Error' page with the following information:
HTTP Error 401.2 - Unauthorized
You are not authorized to view this page due to invalid authentication headers.
You have to whitelist a domain specified in the hosts file in order for windows authentication to work:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
DisableStrictNameChecking and press ENTER.
DisableStrictNameChecking registry value and type 1 in the Value data box, click OK
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
BackConnectionHostNames, and then press ENTER.
BackConnectionHostNames, and then click Modify.
NOTE:
The original Microsoft KB links on this answer were broken and have been removed.
This article provided the instructions for setting DisableStrictNameChecking.
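The two registry values named in the answer above, set from PowerShell. This is an added example, not part of the original answer; it assumes an elevated prompt on the IIS machine and uses the host name from the question. BackConnectionHostNames is a multi-string value, so the script merges the name into any existing list instead of overwriting it.

```powershell
# Added example: run from an elevated PowerShell prompt on the IIS machine.
# $hostName is the name from the question's hosts file entry.
$hostName = 'www.mysite.mydomain'

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$msv1_0 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# DisableStrictNameChecking = 1 (DWORD), as described in the answer.
New-ItemProperty -Path $lanman -Name 'DisableStrictNameChecking' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# BackConnectionHostNames holds one host name per entry.
# Read what is already there so existing entries are preserved.
$existing = @()
$current = Get-ItemProperty -Path $msv1_0 -Name 'BackConnectionHostNames' `
    -ErrorAction SilentlyContinue
if ($current) { $existing = @($current.BackConnectionHostNames) }

# Merge, drop empty strings, de-duplicate.
$merged = @($existing + $hostName | Where-Object { $_ } | Sort-Object -Unique)
New-ItemProperty -Path $msv1_0 -Name 'BackConnectionHostNames' `
    -PropertyType MultiString -Value $merged -Force | Out-Null

# Show the result so the change can be reviewed.
Get-ItemProperty -Path $lanman -Name 'DisableStrictNameChecking' |
    Select-Object DisableStrictNameChecking
(Get-ItemProperty -Path $msv1_0 -Name 'BackConnectionHostNames').BackConnectionHostNames
```

Keep the BackConnectionHostNames list limited to names that really resolve to this machine; a restart of the machine or of the affected services may be needed before the change takes effect.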
I recently spent three days trying to solve the same problem and it drove me crazy. It was happening on a load-balanced setup where one of the servers was authenticating correctly while the other failed. Investigating the problem - and eventually solving it - it turned out to be unrelated to the load-balanced environment, it could happen with any server when authenticating using Windows Authentication and the server is called with a name other than the one recognized by Active Directory.
1. Enable Kerberos logging
To correctly diagnose your issue, you will need to enable Kerberos logging on the machine hosting your IIS site. To do so, add the following registry entry:
Once you turn on logging, then you try to authenticate, you will get errors logged in your Windows Application Log. You can ignore the error KDC_ERR_PREAUTH_REQUIRED (this is just part of the handshake) but if you get the error KDC_ERR_C_PRINCIPAL_UNKNOWN that means your AD controller doesn't recognize your server therefore you need to follow the steps below.
2. KDC_ERR_C_PRINCIPAL_UNKNOWN
If you're getting KDC_ERR_C_PRINCIPAL_UNKNOWN, that means the name "mysite.mydomain.com" is different from how the AD recognizes your machine so it's unable to provide a valid kerberos ticket. In that case, you need to register a Service Principal Name (SPN) for "www.mysite.mydomain" on the AD.
On your AD controller, run this command - you will need Domain Admin privilege:
3. Use a custom identity for your Application pool
Finally, make your Application pool use a custom account that belongs to the Active Directory instead of using NetworkService. This can be done in advanced settings of your application pool.
and .. voila.
Notes: The problem could (unlikely) be related to having multiple SPNs registered to the same machine, in that case you will need to run a command to remove duplicate SPNs, but I doubt this is the case. Also try adding a different binding to your site (that doesn't use a custom name) something like http://localhost:custom_port_number and see if authentication works. If it works, this is an extra indication that you're suffering from the same problem I had.
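The diagnosis sequence from the answer above (Kerberos logging, then the SPN check) as a PowerShell session. This is an added example, not the answer's own commands, which did not survive on this page; the SPN owner account is a placeholder, and the LogLevel value under the Kerberos Parameters key is the standard Windows setting for Kerberos event logging.

```powershell
# Added example; run elevated. Values marked "placeholder" are not from the page.
$hostName   = 'www.mysite.mydomain'   # host name from the question
$spnAccount = 'MYDOMAIN\spn-owner'    # placeholder: AD account that should own the SPN

# 1. Turn on Kerberos event logging on the IIS machine.
$kerb = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
if (-not (Test-Path $kerb)) { New-Item -Path $kerb -Force | Out-Null }
New-ItemProperty -Path $kerb -Name 'LogLevel' -PropertyType DWord `
    -Value 1 -Force | Out-Null

# 2. Reproduce the failing login, then list recent Kerberos events.
#    Both logs are searched so the result does not depend on where they land.
Get-WinEvent -FilterHashtable @{
        LogName   = 'System', 'Application'
        StartTime = (Get-Date).AddMinutes(-15)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Kerberos*' } |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 3. With domain rights: see which account, if any, already holds the SPN,
#    and search for duplicate SPNs.
setspn -Q "HTTP/$hostName"
setspn -X

# 4. Register the SPN. -S refuses to add it if a duplicate already exists.
setspn -S "HTTP/$hostName" $spnAccount

# 5. Switch Kerberos logging off again once the diagnosis is done.
Set-ItemProperty -Path $kerb -Name 'LogLevel' -Value 0
```

An event containing KDC_ERR_C_PRINCIPAL_UNKNOWN in step 2 is the signal the answer describes; KDC_ERR_PREAUTH_REQUIRED entries can be ignored.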
Did you try putting the domain in front of the user name?
If you don't have a domain account, try prefixing your username with the machine name:
You should check to see if you have Windows Authentication installed/enabled. That may sound weird but in IIS 7 you have to install and enable the various authentication methods. Check out http://support.microsoft.com/kb/942043/ for more info, see quoted section below.
Original
Usually when you try to view an asp.net web page hosted on IIS and receive a login prompt it doesn't mean your credentials weren't received or that you aren't authenticated. What it means is that the account that your website is running under doesn't have the right permissions to work with the files.
In IIS 6 and 7 you can easily change the user account that your app pool runs under. Try changing the app pool identity to an account with more access specifically designed for this. Or if you want to stick with the existing account (IUSR_? Network Service?) you can grant that account more permissions on the directory where your website is stored.
This article is specifically targeted at BizTalk but has almost no references to it and focuses on troubleshooting permissions issues with IIS and app pools: http://msdn.microsoft.com/en-us/library/aa954062.aspx
Why local IIS? Can you use local IIS Express?
If so, try this. It seems that IIS Express by default has Windows Authentication set to false.
Change
to "true" in applicationhost.config file (under 'C:\Users\[Profile]\Documents\IISExpress\config' folder). This works for me.
To ensure that IIS uses Windows Authentication, I think you should try to turn off other authentication methods. If Anonymous Authentication is enabled, Windows authentication will not work. You can also read this Microsoft Support Article which describes IE and IIS requirements in detail.
I got this error when I enabled Windows authentication. I wanted to authorize the user based on Windows login and there is no login page in my application.
I got the error fixed by adding the below in my Web config file. Under the tag system.web, I changed authentication mode="None" to authentication mode="Forms". Under the tag appSettings, I added add key="owin:AutomaticAppStartup" value="false"
After reading the answer of Espen Burud, I solved my problem by changing in the root's web.config:
to
The page that needs Windows Authentication is not in the root, but in a sub directory with its own web.config with deny users ? but that did not make Windows Authentication working. Apparently, you need to deny users in the root for that to work. The IIS config has Anonymous Authentication enabled; that did not matter. After the above change of web.config, Windows Authentication worked.
For Dot Net Core 2.2 and running on IIS, I was having issues with 401.2 Unauthorized when I would check the Enable Windows Authentication within my application. It was an exceedingly simple test website that did basically nothing, just to try and get windows authentication to work. I finally got the auth to work, and here's what you'll need:
Within Startup ConfigureServices:
Open the application's Properties, click Debug option on the left and make sure you check Enable Windows Authentication.
But here's the kicker that I had forgotten... Configure your system to have Windows Authentication installed on IIS. This was never set up on my machine, and regardless what I did, I would always get a 401 unauthorized error. After installing this (Win 10, IIS v10.0.18362.1) I now get a login prompt. This isn't exactly what I need at this point, but at least it's not the unauthorized error. Good luck and hopefully this helps.
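Several answers above come down to two checks: whether the Windows Authentication feature is installed in IIS at all, and which authentication methods the site actually has enabled. The following is an added example, not from any of the posts, that performs both from an elevated PowerShell prompt; the site name 'mysite' is hypothetical, and the feature name shown is the one used on client editions of Windows such as Windows 10.

```powershell
# Added example; run elevated. 'mysite' is a hypothetical IIS site name.
Import-Module WebAdministration
$site = 'mysite'

# 1. Is the Windows Authentication module installed?
#    (On Windows Server the equivalent feature is Web-Windows-Auth.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'IIS-WindowsAuthentication'
"IIS-WindowsAuthentication state: $($feature.State)"
if ($feature.State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName 'IIS-WindowsAuthentication' -All
}

# 2. Report which authentication methods the site has enabled.
$base = 'system.webServer/security/authentication'
foreach ($method in 'anonymousAuthentication', 'windowsAuthentication') {
    $enabled = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $site -Filter "$base/$method" -Name 'enabled').Value
    '{0,-25} enabled = {1}' -f $method, $enabled
}

# 3. The combination described in the question: anonymous off, Windows on.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter "$base/anonymousAuthentication" -Name 'enabled' -Value $false
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter "$base/windowsAuthentication" -Name 'enabled' -Value $true
```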