Firefox asks for username/password on every HTTP request with Digest Authentication enabled on IIS6


Problem description

I've recently enabled Digest Authentication on an intranet website/application I am creating for my company in ASP.NET.

The reason I have done so is because Windows Authentication seemed to only work for some users, and not for others. I could not figure out why nor do I know enough about IIS to try and trace the issue. After some trial and error, I found that digest authentication seemed to give me the behaviour that I wanted. That is: allow only users with a valid account on the domain to log in to the website with their credentials.

The problem now is that Firefox (3+) seems to ask for the user to authenticate on every HTTP request sent to the server. This does not appear to occur in Internet Explorer (6+) or Chrome.

I've tried searching for solutions but I always arrive at dead-ends. I'll find a discussion about the issue, and every posted solution leads to a dead link... or it's on Experts Exchange and I don't have access to view the solution.

The issue appears to be related (from what I've read) to the way the different browsers send their authentication headers vs how IIS interprets them. I'm not sure what I can do to change this though? One of the solutions I had found mentioned writing an ISAPI filter to fix this, but of course the link to the finished filter was broken and I have no idea how to go about making one myself.

I've tried messing with the NTLM and other auth related strings in about:config to try and force Firefox to trust my server but that doesn't seem to work either.

From a few other sources I've read, it appears that everything should work if I switch back to Windows Authentication, but then I'm back at square one where the authentication would work only for some users and not others.

A solution for either problem would work for me, but I have very little information for the Windows Authentication issue. If someone could guide me through tracing the problem I'd gladly post more information for it as well.


Here are the URLs I've found discussing what seems like the same problem. (Sorry I couldn't make them all links, it wouldn't let me post otherwise)

  • support.mozilla.com/tiki-view_forum_thread.php?locale=pt-BR&forumId=1&comments_parentId=346851
  • www.experts-exchange.com/Software/Internet_Email/Web_Browsers/Mozilla/Q_24427378.html
  • channel9.msdn.com/forums/TechOff/168006-Twin-bugs-in-IIS-IE-unfair-competitive-advantage-EDIT-SOLVED/
  • www.derkeiler.com/Newsgroups/microsoft.public.inetserver.iis.security/2006-03/msg00141.html

Solution

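This is a known bug in FF. See "Advanced digest authentication works from Internet Explorer however we receive multiple authentication prompts on each GET request from fire fox": http://blogs.iis.net/sakyad/archive/2009/04/04/advanced-digest-authentication-works-from-internet-explorer-however-we-receive-multiple-authentication-prompts-on-each-get-request-from-fire-fox.aspx

IE 6 had the same bug. A potential workaround would be to re-enable "old" Digest in IIS6: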

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/1d6e22ac-0215-4d12-81e9-c9262c91b797.mspx?mfr=true

Currently, if the server sends an opaque directive, the IE client will return this directive value as specified in the RFC. Unfortunately, for follow-on requests from the client where the nonce count is incremented (count 2 and beyond) the opaque directive value is not sent. This then fails authentication on the server and a 401 Unauthorized is returned. The IE client now requests the username and password for the new challenge and the file is retrieved.

This requires an additional round trip and the user is prompted for credentials each time.

The RFC states that the opaque must always be sent on requests from the client. The Digest implementation that IE6 is using is not RFC compliant (http://www.ietf.org/rfc/rfc2617.txt).

3.2.2 The Authorization Request Header
   The values of the opaque and algorithm fields must be those supplied in the WWW-Authenticate response header for the entity being requested.

3.3 Digest Operation
   A client should remember the username, password, nonce, nonce count and opaque values associated with an authentication session to use to construct the Authorization header in future requests within that protection space.

   Because the client is required to return the value of the opaque directive given to it by the server for the duration of a session, the opaque data may be used to transport authentication session state information.

-------- Edit addition -----

"Windows Authentication seemed to only work for some users, and not for others."
How did it fail? Did you enable impersonation?
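
A diagnostic sketch of the RFC 2617 rule quoted in the answer above, added here and not part of the original post: it compares captured Authorization headers with the server's WWW-Authenticate challenge and reports any request that drops or changes opaque, which is the failure described for nonce count 2 and beyond. The function names and all header values are constructed for illustration.

```python
import re

# key=value pairs of a Digest header; the value is a quoted string or a bare token.
_PARAM = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')

def parse_digest(header):
    """Return the directives of a Digest challenge or Authorization value."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header: %r" % scheme)
    return {m.group(1).lower(): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in _PARAM.finditer(rest)}

def audit_session(challenge, authorizations):
    """Compare each Authorization header with the challenge (RFC 2617, 3.2.2).

    Returns (request_number, problem) tuples; an empty list means no findings.
    """
    chal = parse_digest(challenge)
    problems, last_nc = [], 0
    for i, header in enumerate(authorizations, start=1):
        auth = parse_digest(header)
        if "opaque" in chal:
            if "opaque" not in auth:
                problems.append((i, "opaque missing"))
            elif auth["opaque"] != chal["opaque"]:
                problems.append((i, "opaque altered"))
        if auth.get("nonce") != chal.get("nonce"):
            problems.append((i, "nonce mismatch"))
        if "nc" in auth:
            nc = int(auth["nc"], 16)  # nc-value is 8 hex digits
            if nc <= last_nc:
                problems.append((i, "nc not increasing"))
            last_nc = nc
    return problems

# Constructed sample traffic (not captured from a real server or browser).
CHALLENGE = ('Digest realm="intranet.example", qop="auth", '
             'nonce="dcd98b7102dd", opaque="5ccc069c403e", algorithm=MD5')
_COMMON = ('Digest username="alice", realm="intranet.example", '
           'nonce="dcd98b7102dd", uri="/default.aspx", qop=auth, '
           'cnonce="0a4f113b", response="00000000000000000000000000000000"')
REQUESTS = [
    _COMMON + ', nc=00000001, opaque="5ccc069c403e"',  # first request: compliant
    _COMMON + ', nc=00000002',                         # follow-on: opaque dropped
]

if __name__ == "__main__":
    for number, problem in audit_session(CHALLENGE, REQUESTS):
        print("request %d: %s" % (number, problem))
```

Feeding it the headers from a proxy or server-side trace shows whether the repeated 401s line up with requests that omit opaque.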
