Remove NEGOTIATE from WindowsAuthentication in IIS

Problem description

I have a site running in IIS 7.5 that is accessed using a DNS alias different from the actual server name. In IE 8, integrated authentication is failing, but in Firefox and Chrome everything works fine. (IE presents a credential challenge a few times, then displays a 401.1 error page.)

I have figured out that this is due to IE using Kerberos (aka "Negotiate") over NTLM, and Kerberos requires registering a Service Principal Name (using SETSPN) so that the mismatch between the DNS name and the server name is properly handled.

My web site, however, doesn't need impersonation--it is enough to have delegation. So instead of messing with SetSPN, I would just like to remove "Negotiate" from the list of WindowsAuthentication methods in IIS.

I have searched for quite some time to find out how to do this in IIS. I have played with many appcmd commands--but I just can't find online examples, or figure out how by reading MSDN documentation or using appcmd /? to make appcmd commands apply only to a particular application within a site rather than to the entire web server. A few search-hours later over two days, and at least 3 dozen web pages visited, I am still coming up fruitless.

How in tarnation do I get this done--it seems like it should be so easy!

Recommended answer

Open the Configuration Editor in IIS. It comes with IIS 7.5, or you can download the IIS administration pack for IIS 7.0. Navigate to the scope you want to affect (server, site, or application) and then open the icon:

Change the section to system.webServer/security/authentication/windowsAuthentication:

Click on the providers item, and then click Edit Items on the right. Select the "Negotiate" item and click "Remove":

Close the dialog and click Apply in the Actions pane on the right.

Your problem is solved! No more Kerberos/negotiate!

Note: you can also click Generate Script in the Actions pane to display the code that will make the change in either C#, JavaScript, or with appcmd from the command line.

For reference, here is the appcmd statement to do the job without using the Configuration Editor.

appcmd.exe set config "Virtual/path/to/application" -section:system.webServer/security/authentication/windowsAuthentication /-"providers.[value='Negotiate']" /commit:apphost
