在IIS 8上运行应用程序时如何委派Windows身份验证会话? [英] How to delegate Windows Authentication session when running an app on IIS 8?

问题描述

我在ASP.Net MVC 5 Framework的顶部有一个用c#编写的Intranet应用程序.我的应用程序配置为通过"Windows身份验证"方法对用户进行身份验证.该应用程序在IIS 8上运行.

I have an intranet application written with c# on the top of ASP.Net MVC 5 Framework. My app is configured to authenticate users via "Windows Authentication" method. This app is running on IIS 8.

我的应用程序使用第三方SDK与我在同一域上运行的另一个程序进行交互.此第三方应用程序允许用户也通过提供的SDK使用Windows身份验证登录.

My app uses a third party SDK to interact with another program I have running on the same domain. This third party app allows the user to login using Windows Authentication also via the provided SDK.

问题

但是，与SDK通信的服务器始终返回无效的用户名/密码无效".

However the server where the SDK is communication with is always returning "Invalid user name/password is invalid".

经过深入的故障排除后，我发现IIS没有返回正确的用户名.而不是返回已验证的用户"，而是返回正在运行池应用程序的用户.因此，为解决此问题，我将应用程序设置更改为以下

After deep troubleshooting, I found out that IIS is not returning the correct username. Instead of returning the "Authenticated User" it is returning the user that is running the pool app. So, to fix this problem, I change the app settings to the following

• 我禁用了匿名身份验证"
• 我启用了"Windows身份验证"
• 当"ASP.NET模拟"设置设置为授权用户"时，我启用了"ASP.NET模拟".笔记: 这需要经典"托管管道而不是集成" 出于某些原因.
• 我将AppPool托管管道设置更改为经典" v4
• 将运行AppPool的用户更改为网络服务"，而不是"ApplicationPoolId"
• 然后将身份验证提供者"列表保留为协商"和"NTLM"
• 最后，我启用了内核模式身份验证".

• I disabled "Anonymous Authentication"
• I enabled "Windows Authentication"
• I enabled "ASP.NET Impersonation" while the "ASP.NET Impersonation" settings are set to "Authenticated user". Note: that this require "Classic" managed pipeline not "Integrated" for some reason.
• I change the AppPool managed pipeline setting to "Classic" v4
• Changed the user that is running the AppPool to "Network Service" instead of "ApplicationPoolId"
• Then kept the Authentication Providers list to "Negotiate" and "NTLM"
• Finally, I kept the "Kernal-mode authentication" enabled.

因此上述设置返回了正确的用户名，但是不是将密码委派给SDK的用户名吗?我想是由于通讯问题，IIS正在保护登录用户，并且不允许允许我将密码委派给另一个服务/SDK.

So the above settings returned the correct username, but is it not delegating the password to the SDK. I guess because of the communication hob, IIS is protecting the logged in user and it is not allowing me to delegate the password to another service/SDK.

所以我尝试将设置更改为以下内容

So then I tried to change my setup to the following

• 我将AppPool托管管道设置更改为集成" v4.0
• 将运行AppPool的用户更改为网络服务"
• 我禁用了匿名身份验证"
• 我启用了"Windows身份验证"
• 我已禁用"ASP.NET模拟"
• 身份验证提供程序列出"Negotiate:Kerberos"，"Negotiate"和"NTLM"
• 我禁用了内核模式身份验证"，因为它不适用于"Kerberos"提供程序.

• I change the AppPool managed pipeline setting to "Integrated" v4.0
• Changed the user that is running the AppPool to "Network Service"
• I disabled "Anonymous Authentication"
• I enabled "Windows Authentication"
• I disabled "ASP.NET Impersonation"
• The Authentication Providers list "Negotiate:Kerberos", "Negotiate" and "NTLM"
• I disabled "Kernal-mode authentication" as it won't work with "Kerberos" provider.

因此，以上内容使我无法完全登录我的MVC应用，它不断提示我输入认证.

So the above prevented me from logging into my MVC app altogether, It just keeps on prompting me for my credential over and over.

为解决此问题，我在域控制器中找到了我的Web服务器名称，然后转到委派"选项卡，将其更改为信任此用户以委派任何服务(仅Kerberos)"

To fix that, I located my web-server name in my domain controller, and I went to the "Delegation" tab and changed it to "Trust this user for delegation to any service (Kerberos only)"

没有此设置，允许我登录到我的MVC应用程序.但是这一次，它既没有将用户名也没有密码委派给SDK.实际上，我得到的用户名是PoolApp用户名，而不是经过身份验证的用户.

No this setup, allowed me to login into my MVC app. But this time, it is not delegating neither the username or the password to the SDK. In fact, the username that I get is the PoolApp username not the authenticated user.

要覆盖我的所有基础知识，我将AppPool用户更改为对Windows连接SDK的服务器具有Windows身份验证访问权限的实际用户.果然一切正常，我能够连接到第二项服务.但是，总是将运行AppPool的用户名/密码委派给SDK，而不是委派已连接/已认证的用户名/密码.

To cover all of my bases, I change the user that is AppPool to an actual user that has windows authentication access into the Server where the SDK is connecting to. Sure enough that worked just fine and I am able to connect to the second service. However, it is always delegating the username/password that is running the AppPool to the SDK instead of delegating the connected/authenticated username/password.

总而言之，由于某种原因，IIS并未将用户名/密码委派给SDK.如何让IIS将连接的用户会话/凭据委派给另一个服务?

In conclusion, IIS is not delegating the username/password to the SDK for some reason. How can I get IIS to delegate the connected user session/credential to another service?

由于用户使用的是"NTLM"身份验证而不是Kerberos，因此委派也有可能失败，但是服务器仅在仅Kerberos身份验证时才进行委派.使用"Kerberos"身份验证而不是"NTLM"?

It is also possible that the the delegation is failing because the users are using "NTLM" authentication instead of Kerberos, yet the server will only delegate when Kerberos authentication only" If this is the case, how can I force the user to use "Kerberos" authentication instead of "NTLM?

推荐答案

您是否尝试启用web.config中的nofollow noreferrer>假冒行为?

Have you tried to enable impersonation in your web.config?

<configuration>
    <system.web>
        <identity impersonate="true" />
    </system.web>
</configuration>

如果这不起作用，则可能需要在ActiveDirectory中启用此计算机的委派.看到这里: https://stackoverflow.com/a/1405666/5069465

If this doesn't work than you might need to enable delegation for this machine in your ActiveDirectory. See here: https://stackoverflow.com/a/1405666/5069465

这篇关于在IIS 8上运行应用程序时如何委派Windows身份验证会话?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！