如何解决在Kerberos双跃点问题? [英] How can I fix the Kerberos double-hop issue?
问题描述
我有一些麻烦,从Web应用程序内调用Web服务,我希望有人在这里也许能提供帮助。从我可以告诉,这的看起来的有事可做与Kerberos <一个href=\"http://blogs.technet.com/b/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx\">double-hop发行。但是,如果是这样,我不知道该怎么做真正解决问题。为了使事情变得更难,我没有适当的权限来修改Active Directory帐户,所以我需要知道要问什么要求更改时。在我的情况,我需要通过从Web应用程序的凭据(集成Windows身份验证)到后端的Web服务,使Web服务的正确的用户上下文中运行。
I'm having some trouble calling a web service from within a web application and I was hoping someone here might be able to help. From what I can tell, this seems to have something to do with the Kerberos double-hop issue. However, if it is, I'm not sure what to do to actually fix the problem. To make things harder, I don't have the proper permissions to make changes to Active Directory accounts, so I need to know what to ask for when requesting changes. In my situation, I need to pass the credentials (Integrated Windows Authentication) from a web application onto a backend web service so that the web service runs under the proper user context.
下面是我确切的问题:
这工作
这不起作用
的仅的工作方案,并在非工作方案之间的区别就是工作方案正在运行在本地主机上的应用程序(无论是开发人员的电脑或有问题的服务器上)和非工作的例子是另一台机器上运行。这两种情况之间的code是完全一样的。
The only difference between the working scenario and the non-working scenario is that the working scenario is running the application on localhost (whether a developer's PC or on the server in question) and the non-working example is running on another machine. The code between both scenarios is exactly the same.
我已经试过
- 添加一个SPN运行该应用程序池每个服务器的域帐户
SETSPN -A HTTP / server1的域\\帐户 - 模拟的不同方法
- 拆卸模拟code
使用(...)和执行Web服务调用的应用程序池帐户。这正常工作。
- Adding an SPN to the domain account that runs the app pool for each server
setspn -a http/server1 DOMAIN\account - Different methods of impersonation
- Removing the impersonation code
using(...)and executing the web service call as the app pool account. This works as expected.
有没有人有什么我也许能为解决这个问题做任何想法?
Does anyone have any idea on what I might be able to do in order to fix this problem?
推荐答案
中间断绝必须被信任作为委派。否则,没有证书的人将被委派和中间服务器无法模拟原始客户端。
The intermediate sever must be trusted for delegation. Otherwise no credential will be delegated and the intermediate server cannot impersonate the original client.
这篇关于如何解决在Kerberos双跃点问题?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
