How can I fix the Kerberos double-hop issue?


Problem description


I'm having some trouble calling a web service from within a web application and I was hoping someone here might be able to help. From what I can tell, this seems to have something to do with the Kerberos double-hop issue. However, if it is, I'm not sure what to do to actually fix the problem. To make things harder, I don't have the proper permissions to make changes to Active Directory accounts, so I need to know what to ask for when requesting changes. In my situation, I need to pass the credentials (Integrated Windows Authentication) from a web application onto a backend web service so that the web service runs under the proper user context.

Here is my exact problem:

This works

This doesn't work


The only difference between the working scenario and the non-working scenario is that the working scenario is running the application on localhost (whether a developer's PC or on the server in question) and the non-working example is running on another machine. The code between both scenarios is exactly the same.

What I've tried

  1. Adding an SPN to the domain account that runs the app pool for each server: `setspn -a http/server1 DOMAINaccount`
  2. Different methods of impersonation
  3. Removing the impersonation code `using(...)` and executing the web service call as the app pool account. This works as expected.


Does anyone have any idea on what I might be able to do in order to fix this problem?

Recommended answer


The intermediate server must be trusted for delegation. Otherwise no credential will be delegated and the intermediate server cannot impersonate the original client.
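As an added example (not part of the question or the answer above), the following PowerShell audits the delegation state of the app pool's domain account and, where missing, grants Kerberos constrained delegation to the backend service's SPN only, instead of the broader "trusted for delegation" (unconstrained) setting. The account name `svc_webapp` and the SPN `HTTP/backendsvc.example.local` are placeholders; it assumes the RSAT ActiveDirectory module and rights to modify the account.

```powershell
# Added example: audit and fix delegation for the front-end app pool account.
# Placeholders: replace $AppPoolAccount and $BackendSpn with your own values.
Import-Module ActiveDirectory

$AppPoolAccount = 'svc_webapp'                     # placeholder: domain account running the app pool
$BackendSpn     = 'HTTP/backendsvc.example.local'  # placeholder: SPN of the backend web service

function Get-DelegationState {
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties TrustedForDelegation,
        TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo', ServicePrincipalNames
    [pscustomobject]@{
        Account            = $u.SamAccountName
        Unconstrained      = [bool]$u.TrustedForDelegation          # any service, any user: avoid
        ProtocolTransition = [bool]$u.TrustedToAuthForDelegation    # "use any authentication protocol"
        ConstrainedTargets = @($u.'msDS-AllowedToDelegateTo')       # Kerberos-only constrained delegation
        OwnSpns            = @($u.ServicePrincipalNames)
    }
}

$state = Get-DelegationState -SamAccountName $AppPoolAccount
$state | Format-List

# The front-end account needs its own SPN (the setspn step from the question) so the
# browser gets a Kerberos ticket for the site; otherwise IIS falls back to NTLM,
# and an NTLM logon cannot be delegated to the second hop at all.
if ($state.OwnSpns.Count -eq 0) {
    Write-Warning "$AppPoolAccount has no SPN; clients will not obtain a Kerberos ticket for the site."
}

# Grant constrained delegation to the backend SPN only. This is what makes the
# intermediate server "trusted for delegation" without letting it relay every
# user's identity to arbitrary services.
if ($state.ConstrainedTargets -notcontains $BackendSpn) {
    Set-ADUser -Identity $AppPoolAccount -Add @{ 'msDS-AllowedToDelegateTo' = $BackendSpn }
}

# Flag the riskier setting if someone already enabled it on this account.
if ($state.Unconstrained) {
    Write-Warning "$AppPoolAccount is trusted for unconstrained delegation; prefer the constrained target list."
}
```

Re-run `Get-DelegationState` after the change and recycle the app pool; the new delegation setting only takes effect on tickets issued after the account's attributes were updated.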
