WWW身份验证使用NTLM而不是Kerberos [英] WWW-Authenticate uses NTLM and not Kerberos

问题描述

我正在Windows Server 2008上运行NodeJS服务器.

I'm running a NodeJS server on a Windows Server 2008.

服务器并没有做很多事情，但是我为401设置了标题，WWW身份验证协商，我知道可以通过他的默认Kerberos身份验证来使用它，或者如果它不可用，则可以与NTLM一起使用.

The server doesn't do much but I set the header for 401, WWW-Authenticate Negotiation which I know can go either with his default Kerberos authentication or if it's not available then with NTLM.

我下载了提琴手，发现当我尝试访问服务器时，它尝试使用NTLM(提示我输入用户名和密码)而不是Kerberos进行身份验证，即使计算机与服务器位于同一域中，当我这样做时运行命令"klist"，这确实表明他具有令牌，这意味着他已经通过Kerberos进行了身份验证(不是吗?).

I downloaded fiddler and discovered that when I try to reach the server it tries to authenticate with NTLM(prompt me for username and password) rather than Kerberos, even though the computer is in the same domain as the server and when I do run the command "klist" it does show me that he has tokens which means that he already authenticated with Kerberos(doesn't it?).

我的问题是如何使它通过Kerberos而不是NTLM进行身份验证-为什么他首先要使用NTLM?

My question is how can I make it authenticate with Kerberos rather than NTLM - why does he go to NTLM in the first place?

有什么想法吗?

推荐答案

您的客户端可能无法获取该计算机的服务器票证.使用Wireshark并检查Kerberos TGS-REQ消息.请在SO中搜索类似的答案，在这种情况下我已经可以提供帮助.

You client is probably unable to obtain a server ticket for that machine. Use Wireshark and check for Kerberos TGS-REQ messages. Please search SO for my similar answers, I was already able to help in such situations.

这篇关于WWW身份验证使用NTLM而不是Kerberos的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！