在 IIS 8 上运行应用程序时如何委派 Windows 身份验证会话? [英] How to delegate Windows Authentication session when running an app on IIS 8?

问题描述

我在 ASP.Net MVC 5 Framework 的顶部有一个用 c# 编写的 Intranet 应用程序.我的应用程序配置为通过Windows 身份验证"方法对用户进行身份验证.此应用在 IIS 8 上运行.

我的应用程序使用第三方 SDK 与我在同一域上运行的另一个程序进行交互.此第三方应用允许用户也通过提供的 SDK 使用 Windows 身份验证登录.

问题

但是与 SDK 通信的服务器总是返回无效的用户名/密码无效".

经过深入故障排除后，我发现 IIS 没有返回正确的用户名.它没有返回经过身份验证的用户"，而是返回运行池应用程序的用户.因此，为了解决这个问题，我将应用设置更改为以下内容

• 我禁用了匿名身份验证"
• 我启用了Windows 身份验证"
• 我启用了ASP.NET Impersonation"，而ASP.NET Impersonation"设置被设置为Authenticated user".笔记:这需要经典"管理管道而不是集成"一些原因.
• 我将 AppPool 托管管道设置更改为经典"v4
• 将运行 AppPool 的用户更改为网络服务"而不是ApplicationPoolId"
• 然后将身份验证提供程序列表保留为协商"和NTLM"
• 最后，我启用了内核模式身份验证".

所以上面的设置返回了正确的用户名，但它是否没有将密码委托给 SDK.我猜是因为通信滚刀，IIS 正在保护登录用户，它不允许允许我将密码委托给另一个服务/SDK.

然后我尝试将设置更改为以下内容

• 我将 AppPool 托管管道设置更改为集成"v4.0
• 将运行 AppPool 的用户更改为网络服务"
• 我禁用了匿名身份验证"
• 我启用了Windows 身份验证"
• 我禁用ASP.NET 模拟"
• 身份验证提供程序列出Negotiate:Kerberos"、Negotiate"和NTLM"
• 我禁用了内核模式身份验证"，因为它不适用于Kerberos"提供程序.

因此，上述内容完全阻止了我登录到我的 MVC 应用程序，它只是一遍又一遍地提示我输入凭据.

为了解决这个问题，我在域控制器中找到了我的网络服务器名称，然后转到委派"选项卡并将其更改为信任此用户以委派任何服务(仅限 Kerberos)"

没有这个设置，允许我登录到我的 MVC 应用程序.但这一次，它没有将用户名或密码委托给 SDK.实际上，我得到的用户名是 PoolApp 用户名，而不是经过身份验证的用户.

为了涵盖我的所有基础，我将 AppPool 用户更改为具有 Windows 身份验证访问 SDK 连接到的服务器的实际用户.果然，效果很好，我能够连接到第二个服务.但是，它总是将运行 AppPool 的用户名/密码委派给 SDK，而不是委派已连接/经过身份验证的用户名/密码.

总而言之，出于某种原因，IIS 并未将用户名/密码委托给 SDK.如何让 IIS 将连接的用户会话/凭据委托给另一个服务?

委托也有可能失败，因为用户使用的是NTLM"身份验证而不是 Kerberos，而服务器只会在 Kerberos 身份验证时才委托如果是这种情况，我如何强制用户使用Kerberos"身份验证而不是NTLM?

解决方案

您是否尝试启用 模拟 在您的 web.config 中?

<预><代码><配置><system.web><identity impersonate="true"/></system.web></配置>

如果这不起作用，则您可能需要在 ActiveDirectory 中为此计算机启用委派.请参阅此处:https://stackoverflow.com/a/1405666/5069465

I have an intranet application written with c# on the top of ASP.Net MVC 5 Framework. My app is configured to authenticate users via "Windows Authentication" method. This app is running on IIS 8.

My app uses a third party SDK to interact with another program I have running on the same domain. This third party app allows the user to login using Windows Authentication also via the provided SDK.

Problem

However the server where the SDK is communication with is always returning "Invalid user name/password is invalid".

After deep troubleshooting, I found out that IIS is not returning the correct username. Instead of returning the "Authenticated User" it is returning the user that is running the pool app. So, to fix this problem, I change the app settings to the following

• I disabled "Anonymous Authentication"
• I enabled "Windows Authentication"
• I enabled "ASP.NET Impersonation" while the "ASP.NET Impersonation" settings are set to "Authenticated user". Note: that this require "Classic" managed pipeline not "Integrated" for some reason.
• I change the AppPool managed pipeline setting to "Classic" v4
• Changed the user that is running the AppPool to "Network Service" instead of "ApplicationPoolId"
• Then kept the Authentication Providers list to "Negotiate" and "NTLM"
• Finally, I kept the "Kernal-mode authentication" enabled.

So the above settings returned the correct username, but is it not delegating the password to the SDK. I guess because of the communication hob, IIS is protecting the logged in user and it is not allowing me to delegate the password to another service/SDK.

So then I tried to change my setup to the following

• I change the AppPool managed pipeline setting to "Integrated" v4.0
• Changed the user that is running the AppPool to "Network Service"
• I disabled "Anonymous Authentication"
• I enabled "Windows Authentication"
• I disabled "ASP.NET Impersonation"
• The Authentication Providers list "Negotiate:Kerberos", "Negotiate" and "NTLM"
• I disabled "Kernal-mode authentication" as it won't work with "Kerberos" provider.

So the above prevented me from logging into my MVC app altogether, It just keeps on prompting me for my credential over and over.

To fix that, I located my web-server name in my domain controller, and I went to the "Delegation" tab and changed it to "Trust this user for delegation to any service (Kerberos only)"

No this setup, allowed me to login into my MVC app. But this time, it is not delegating neither the username or the password to the SDK. In fact, the username that I get is the PoolApp username not the authenticated user.

To cover all of my bases, I change the user that is AppPool to an actual user that has windows authentication access into the Server where the SDK is connecting to. Sure enough that worked just fine and I am able to connect to the second service. However, it is always delegating the username/password that is running the AppPool to the SDK instead of delegating the connected/authenticated username/password.

In conclusion, IIS is not delegating the username/password to the SDK for some reason. How can I get IIS to delegate the connected user session/credential to another service?

It is also possible that the the delegation is failing because the users are using "NTLM" authentication instead of Kerberos, yet the server will only delegate when Kerberos authentication only" If this is the case, how can I force the user to use "Kerberos" authentication instead of "NTLM?

解决方案

Have you tried to enable impersonation in your web.config?

<configuration>
    <system.web>
        <identity impersonate="true" />
    </system.web>
</configuration>

If this doesn't work than you might need to enable delegation for this machine in your ActiveDirectory. See here: https://stackoverflow.com/a/1405666/5069465

这篇关于在 IIS 8 上运行应用程序时如何委派 Windows 身份验证会话?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！