End-to-end Kerberos delegated authentication in ASP.NET


Problem description

I'm trying to set up an internal website that will contact another backend service within the network on behalf of the user using an HttpWebRequest. I have to use Integrated Windows Authentication on the ASP.NET application as the backend system only supports this type of authentication.

I'm able to set up IWA on the ASP.NET application, and it's using Kerberos as I expect it to. However, when the authentication is delegated to the backend system it doesn't work anymore. This is because the backend system only supports Kerberos IWA, but the delegation for some reason - even though the incoming request is Kerberos authenticated - converts the authentication to NTLM before forwarding to the backend system.

Does anybody know what I need to do on the ASP.NET application in order to allow it to forward the identity using Kerberos?

I've tried the following, but it doesn't seem to work:

CredentialCache credentialCache = new CredentialCache();
credentialCache.Add(request.RequestUri, "Negotiate", CredentialCache.DefaultCredentials.GetCredential(request.RequestUri, "Kerberos"));
request.Credentials = credentialCache;

I've also tried to set "Kerberos" where it now says "Negotiate", but it doesn't seem to do much.

Recommended answer

In your application, you only need to use DefaultCredentials:

request.UseDefaultCredentials = true;

However, there is some work to do on Active Directory:


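  • Set an SPN on your application pool account for your front-end app

  • Set an SPN on your application pool account for your back-end app

  • Set up delegation from the first application pool to the second SPN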
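
The three Active Directory steps above, written out in PowerShell as an added example that is not part of the original answer. It assumes both application pools run as domain user accounts; the account names and host names are constructed placeholders, and the delegation configured is Kerberos-only constrained delegation limited to the back-end SPNs.

```powershell
# Added example. Account names and host names are constructed placeholders.
# Assumes both application pools run as domain user accounts (not gMSAs).
Import-Module ActiveDirectory

$FrontendAccount = 'svc-frontend'   # hypothetical front-end app pool identity
$BackendAccount  = 'svc-backend'    # hypothetical back-end app pool identity
$FrontendSpns    = @('HTTP/portal.corp.example', 'HTTP/portal')
$BackendSpns     = @('HTTP/backend.corp.example', 'HTTP/backend')

function Add-ServiceSpn {
    param([string]$Account, [string[]]$Spns)
    foreach ($spn in $Spns) {
        # -S looks for an existing registration of the SPN before adding it.
        & setspn.exe -S $spn $Account | Out-Null
        # Confirm from the directory instead of trusting the tool's output.
        $registered = (Get-ADUser -Identity $Account -Properties servicePrincipalName).servicePrincipalName
        if ($registered -notcontains $spn) {
            throw "SPN $spn is not registered on $Account (duplicate elsewhere or missing rights?)"
        }
    }
}

# Steps 1 and 2: one SPN set per application pool account.
Add-ServiceSpn -Account $FrontendAccount -Spns $FrontendSpns
Add-ServiceSpn -Account $BackendAccount  -Spns $BackendSpns

# Step 3: constrained delegation from the front-end account to the back-end SPNs only.
# Unconstrained delegation and protocol transition stay switched off.
Set-ADAccountControl -Identity $FrontendAccount -TrustedForDelegation $false -TrustedToAuthForDelegation $false
Set-ADUser -Identity $FrontendAccount -Replace @{ 'msDS-AllowedToDelegateTo' = [string[]]$BackendSpns }

# Review what the front-end account ended up with.
Get-ADUser -Identity $FrontendAccount -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation |
    Format-List SamAccountName, servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation
```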
