无法通过本地 IIS 获得 Windows 身份验证 [英] Unable to get windows authentication to work through local IIS

问题描述

所以我使用 Intranet 模板创建了一个新的 ASP.NET MVC 项目.web.config 包含适当的值(例如 ).

如果我使用 VS 网络服务器启动网络应用程序，一切看起来都很好 - 该页面显示了我的 Windows 域和用户名等等.但是，这在 Opera 和 Safari 以及 IE 和 FF 中都有效，这对我说它根本不使用 Windows 身份验证(据我所知，这在除 IE/FF 之外的任何浏览器中都不起作用).

下一步是让它通过本地 IIS 工作.我创建了一个将 www.mysite.mydomain 指向 127.0.0.1 的主机文件条目.因此，在 IIS 中，我创建了绑定到 www.mysite.mydomain 的网站，并启用 Windows 身份验证并禁用匿名身份验证.

我已设置 IE 和 FF 以启用 Windows 身份验证，如下所示:

IE

1. 将 URL 添加到 Intranet 组
2. 确保在高级设置中启用 Windows 身份验证

FF

将www.mysite.mydomain"放入 network.automatic-ntlm-auth.trusted-uris 配置设置中.

但是当我在 IE/FF 中拨打 www.mysite.mydomain 时，我会收到登录提示.有趣的是，即使我在此处输入 Windows 登录信息，它仍然失败并再次显示登录提示.

我们这里没有活动目录，但我的理解是它应该适用于本地帐户.

我想不出还有什么我需要做的.有什么建议吗?

我们最近改用 Active Directory，但问题仍然存在.

当我取消登录提示时，我被带到一个IIS 7.5 详细错误"页面，其中包含以下信息:

<块引用>

HTTP 错误 401.2 - 未经授权由于身份验证标头无效，您无权查看此页面.**

解决方案

您必须将主机文件中指定的域列入白名单，才能使 Windows 身份验证正常工作:

1. 单击开始，单击运行，键入 regedit，然后单击确定.
2. 在注册表编辑器中，找到以下注册表项:HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLanmanServerParameters
3. 右键单击参数，单击新建，然后单击 DWORD(32 位)值.
4. 输入 DisableStrictNameChecking 并按 ENTER.
5. 双击DisableStrictNameChecking 注册表值并在数值数据框中键入 1，然后单击确定
6. 在注册表编辑器中，找到并单击以下注册表项:HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsaMSV1_0
7. 右键单击 MSV1_0，指向新建，然后单击多字符串值.
8. 键入 BackConnectionHostNames，然后按 ENTER.
9. 右键单击BackConnectionHostNames，然后单击修改.
10. 在数值数据框中，键入本地计算机上站点的主机名或主机名，然后单击确定.
11. 退出注册表编辑器，然后重新启动 IISAdmin 服务.

注意:此答案上的原始 Microsoft KB 链接已损坏并已删除.本文提供了设置 DisableStrictNameChecking 的说明.

So I've created a new ASP.NET MVC project using the intranet template. web.config contains the appropriate values (e.g. <authentication mode="windows"/>).

If I fire up the web app using the VS webserver, it all looks fine - the page shows my Windows domain and username and all. However, this works in Opera and Safari as well as IE and FF, which says to me it's not using Windows auth at all (since to the best of my knowledge this doesn't work in any browser except IE/FF).

Next step is to get it working through local IIS. I create a hosts file entry pointing www.mysite.mydomain to 127.0.0.1. So in IIS I create website with a binding to www.mysite.mydomain and enable Windows authentication and disable anonymous authentication.

I have set up IE and FF to enable Windows auth as follows:

IE

1. Add URL to intranet group
2. Ensure Windows auth is enabled in the advanced settings

FF

Put 'www.mysite.mydomain' into network.automatic-ntlm-auth.trusted-uris config setting.

But when I dial up www.mysite.mydomain in IE / FF I get a login prompt. Interestingly, even when I type in my Windows login here, it still fails and shows me the login prompt again.

We don't have active directory here but my understanding is that it should work fine with a local account.

I can't think of anything else I need to do. Any suggestions?

Edit: we've recently switched to using Active Directory and the problem remains.

Edit: when I cancel the login prompt, I get taken to an 'IIS 7.5 Detailed Error' page with the following information:

HTTP Error 401.2 - Unauthorized You are not authorized to view this page due to invalid authentication headers.**

解决方案

You have to whitelist a domain specified in the hosts file in order for windows authentication to work:

1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLanmanServerParameters
3. Right-click Parameters, click New, and then click DWORD (32-bit) Value.
4. Type DisableStrictNameChecking and press ENTER.
5. Double-click the DisableStrictNameChecking registry value and type 1 in the Value data box, click OK
6. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsaMSV1_0
7. Right-click MSV1_0, point to New, and then click Multi-String Value.
8. Type BackConnectionHostNames, and then press ENTER.
9. Right-click BackConnectionHostNames, and then click Modify.
10. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
11. Quit Registry Editor, and then restart the IISAdmin service.

NOTE: The original Microsoft KB links on this answer were broken and have been removed. This article provided the instructions for setting DisableStrictNameChecking.

这篇关于无法通过本地 IIS 获得 Windows 身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！