Windows Authentication works in IISExpress but not in IIS

Problem description

I am having an odd issue. I am using the newest MVC5 in Visual Studio 2013. I am trying to create a site that hosts an anonymous API as well as an Admin dashboard that requires intranet domain credentials through Windows Authentication. Everything works when running through IIS Express like I expect but not when hosted in real IIS.

When hosted in real IIS it gives me a logon box like I expect for the Admin portion but it doesn't take my logon and keeps prompting me. I know it is the right username and password for sure. Any idea why this is happening?

I have Windows Authentication installed in Windows Features and turned on in IIS for the site and all that.

Below are my settings.

[Authorize]
public class DashboardController : Controller

<add key="EnableSimpleMembership" value="false" />

<system.web>
  <authentication mode="Windows"/>
  <authorization>
    <allow users="?" />
  </authorization>
</system.web>
  <location path="gsapi">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="true"/>
          <windowsAuthentication enabled="true"/>
        </authentication>
      </security>
    </system.webServer>
  </location>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />

Recommended answer

There is a security feature that tries to intercept reflection attacks on your server. These attacks are basically a "man in the middle" attack where the attacker performs a challenge-response protocol to the two participating systems who are attempting to authenticate.

When your server is using host names mapped to the loopback address, the security feature that is trying to protect you against these attacks is not able to tell legitimate requests from fraudulent ones. The symptom is that all challenge response attempts will fail.

Your choices are to specify host names in your registry, or to disable the loopback check (not recommended).

The KB article that was linked in the comments gives specific instructions on what changes to make to work around this problem: http://support.microsoft.com/kb/896861
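
The first option in the answer (listing host names in the registry), as an added PowerShell example that is not part of the original answer. It assumes the value names documented in KB 896861 (`BackConnectionHostNames` under `Lsa\MSV1_0`, `DisableLoopbackCheck` under `Lsa`), an elevated prompt, and a placeholder host name `intranet.example.local`.

```powershell
# Added example, not from the original answer. Run from an elevated prompt.
# 'intranet.example.local' is a placeholder; pass the host header(s) your IIS site uses.
param(
    [string[]]$HostName = @('intranet.example.local')
)

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = Join-Path $lsa 'MSV1_0'

# 1. Flag the "not recommended" workaround if someone already applied it:
#    DisableLoopbackCheck = 1 turns the reflection protection off for every host name.
$disabled = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck `
                -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($disabled -eq 1) {
    Write-Warning 'DisableLoopbackCheck is set to 1; the loopback check is off machine-wide.'
}

# 2. Read the current allow-list (REG_MULTI_SZ). A missing value means an empty list.
$current = @((Get-ItemProperty -Path $msv10 -Name BackConnectionHostNames `
                -ErrorAction SilentlyContinue).BackConnectionHostNames) |
           Where-Object { $_ }

# 3. Work out which requested names are not listed yet (comparison is case-insensitive).
$missing = @($HostName | Where-Object { $_ -and ($current -notcontains $_) })

if ($missing.Count -eq 0) {
    Write-Output 'All requested host names are already in BackConnectionHostNames.'
    return
}

# 4. Write back the merged list, keeping existing entries and dropping duplicates.
[string[]]$merged = @($current) + $missing | Where-Object { $_ } | Sort-Object -Unique
New-ItemProperty -Path $msv10 -Name BackConnectionHostNames `
    -PropertyType MultiString -Value $merged -Force | Out-Null

Write-Output "Added: $($missing -join ', ')"
Write-Output "BackConnectionHostNames now contains: $($merged -join ', ')"
```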
