为什么Windows身份验证在本地到服务器上有效,但在服务器到服务器上无效? [英] Why is Windows Authentication working from local to server, but not server to server?
问题描述
我有两个站点,A和B. A使用了B公开的API,并且B需要Windows身份验证.这两个站点都位于域D中.
I have two sites, A and B. A consumes an API that B exposes, and B requires Windows authentication. Both sites live in Domain D.
API是通过HttpClient使用的,当站点A在本地运行时,在我的域帐户(位于域P中)下,将授予访问权限.在这种情况下,HttpClient的实例化如下:
The API is consumed via HttpClient, and when site A is run locally, under my domain account (which is in Domain P), access is granted. In this case, HttpClient is instantiated like so:
using(var client = new HttpClient(new HttpClientHandler { UseDefaultCredentials: true }))
将A部署到测试服务器时,以上结果将导致401 Unauthorized响应.测试服务器上的应用程序池在域D中的服务帐户下运行.
When A is deployed to a testing server, the above results in a 401 Unauthorized response. The application pool on the testing server is running under a service account in domain D.
以这种方式明确使用该服务帐户时:
When explicitly using that service account like this:
var credential = new NetworkCredential("service-account", "password", "D");
var cache = new CredentialCache
{
{
new Uri(apiServerUri), "NTLM", credential
}
};
var handler = new HttpClientHandler
{
Credentials = cache
};
using(var client = new HttpClient(handler))
...
然后再次在本地运行站点A,仍然授予访问权限.当直接通过浏览器访问API并指定服务帐户凭据时,也会授予访问权限.日志表明它绝对是用于访问API的服务帐户.
And again running site A locally, access is still granted. Access is also granted when accessing the API directly via browser, and specifying the service account credentials. Logs indicate that it is definitely the service account being used to access the API.
将以上内容部署回测试服务器仍会导致401 Unauthorized.
Deploying the above back to the testing server still results in 401 Unauthorized.
将站点A部署到IIS的本地实例中,也成功使用了B的API.
Deploying site A to a local instance of IIS, also successfully consumes the API of B.
在本地运行站点B,然后在本地通过站点A访问它会导致401 Unauthorized.
Running site B locally, and then accessing it via site A locally, results in a 401 Unauthorized.
通过部署了A的测试服务器上的浏览器访问API,并指定服务帐户凭据,也会给出401 Unauthorized.
Accessing the API through a browser on the testing server where A is deployed, and specifying the service account credentials, also gives a 401 Unauthorized.
我不确定从这里去哪里-我是否在代码中缺少某些东西才能使它正常工作?还是可能是IIS或AD问题?
I'm not sure where to go from here - am I missing something in the code to get this working? Or is it likely to be an IIS or AD issue?
推荐答案
虽然我还不确定确切地为什么可以解决此问题,或者是否有更好的 这样做的方式(因为这很笨拙),当两者都位于同一服务器上时,以下内容允许A连接到B.
While I'm yet to determine exactly why this work around works, or if there is a better way of doing it (because this feels clunky), the following has allowed A to connect to B, when both are sitting on the same server.
站点B在IIS中具有附加的主机绑定设置,可以在localhost:12345上进行侦听.站点A已配置为连接到该端点,而不是站点B的域名.身份验证现在可以正常工作.
Site B has had an additional host binding setup in IIS, to listen on localhost:12345. Site A has been configured to connect to that endpoint, rather than the domain name for Site B. Authentication is now working correctly.
如果有人能解释为什么会这样-我不喜欢魔术"修复程序,我会很感兴趣.
I would be interested if anyone can explain why this is the case - I dislike 'magic' fixes.
修改 可能是此kb文章对于这种行为.具体来说:
edit It would seem that this kb article is a likely cause for this behavior. Specifically:
使用完全限定域名(FQDN)或自定义主机时 浏览本地计算机上托管的本地网站的标头 运行Microsoft Internet信息服务(IIS)5.1或更高版本 版本,您可能会收到类似于 以下:HTTP 401.1-未经授权:登录失败发生此问题 当网站使用集成身份验证并具有以下名称时 映射到本地环回地址
When you use the fully qualified domain name (FQDN) or a custom host header to browse a local Web site that is hosted on a computer that is running Microsoft Internet Information Services (IIS) 5.1 or a later version, you may receive an error message that resembles the following: HTTP 401.1 - Unauthorized: Logon Failed This issue occurs when the Web site uses Integrated Authentication and has a name that is mapped to the local loopback address
和
因此,如果您使用的FQDN或自定义主机标头与本地计算机名称不匹配,则身份验证将失败.
Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.
在这些服务器上并不是真正的注册表修改选项,因此看来变通方法就是我们将要使用的解决方法.
Registry modifications aren't really an option on these servers, so looks like the work around is what we will be using.
这篇关于为什么Windows身份验证在本地到服务器上有效,但在服务器到服务器上无效?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
