设置Kerberos身份验证与代表团IIS 7瓦特/ Windows Server 2008中 [英] Set up Kerberos Authentication with Delegation on IIS 7 w/ Windows Server 2008
问题描述
情况:
我有我的部署Web服务器上的.NET ASMX Web服务。该服务调用另一个服务器上的服务(我们的SharePoint服务器中,如果这是有关)。我想冒充/使用客户端的凭据委托调用从我的Web服务在SharePoint服务。
I have a .NET asmx web service deployed on my web server. This service calls a service on another server (our SharePoint server, if that's relevant). I want to impersonate/delegate the call to the SharePoint service from my web service by using the credentials of the client.
问题:
我得到一个401响应从SharePoint服务回来时,我打电话给我的Web服务,它调用的SharePoint。
I'm getting a 401 response back from the SharePoint service when I call MY Web Service and it calls SharePoint.
设置:
- 我的Web服务器是根据网络服务 运行IIS 7的应用程序池正在运行
- 在我的Windows Server 2003域控制器web服务器有受信委派(仅Kerberos)已启用。
- 在国际空间站我的应用程序有匿名身份验证禁用,启用模拟和Windows认证功能启用了所有三个供应商(协商:Kerberos的,协商和NTLM)
- SharePoint服务器设置为使用匿名启用,启用模拟和Windows认证功能启用的唯一供应商NTLM。
- My web server is running IIS 7. The app pool is running under "Network Service"
- On my Windows Server 2003 domain controller the web server has "Trusted for Delegation (Kerberos Only)" enabled.
- In ISS my app has Anonymous Authentication Disabled, Impersonation Enabled, and Windows Authentication Enabled with all three providers enabled (Negotiate:Kerberos, Negotiate, and NTLM)
- The SharePoint server is set up with Anonymous Enabled, Impersonation enabled and Windows Authentication Enabled with ONLY provider NTLM enabled.
我可以在SharePoint日志,当我在Visual Studio在本地运行一个用户名是越来越穿过(和服务工作正常),但是当我在Web服务器上运行它,没有用户名是日志文件,我也得到看一个401错误
I can see on the SharePoint logs that when I run locally in Visual Studio a username is getting passed through (and the service works correctly) but when I run it on the web server NO username is on the log file and I get a 401 error
什么是我设置不对的Kerberos代理工作的?
What an I setting up wrong to make the Kerberos delegation work?
想法?谢谢!
推荐答案
平台:
使用IIS7这是我做的两台服务器上。第一服务器和第二,我们要Kerberos身份验证为跳到了。
Using IIS7 this is what I did on BOTH servers. The first server and the second that we want the Kerberos authentication to "hop" to.
第1步:
对于有您呼叫(每台服务器上)进入IIS管理器在它的服务IIS网站,点击网站上的左侧下连接并打开IIS下的身份验证部分。集ASP.NET模拟来启用,Windows身份验证设置为Enabled。认证(Ananymous,表单等)下的所有其他选项应被设置为禁用。
For the IIS site that has the services in it that you are calling (on each server) go into IIS manager, click on the site on the left under Connections and open up the "Authentication" section under IIS. Set "ASP.NET Impersonation" to Enabled and 'Windows Authentication" to Enabled. All other options under Authentication (Ananymous, Forms, etc.) should be be set to Disabled.
在Windows身份验证上单击右键,选择供应商。设置为协商:Kerberos的的唯一供应商。(这迫使Kerberos的。如果你愿意,你得到Kerberos的工作,就可以同时使用谈判和NTLM提供商和删除后,协商:Kerberos的让客户无法做的Kerberos可以连接注:目前,我有我的设置为协商和NTLM,它似乎工作)
Under "Windows Authentication" right click and select "Providers". Set the only provider to be "Negotiate:Kerberos" (This forces Kerberos. If you want, after you get Kerberos working you can use both the "Negotiate" and "NTLM" providers and remove "Negotiate:Kerberos" so that clients unable to do Kerberos can connect. Note: I currently have mine set to "Negotiate" and "NTLM" and it seems to work)
在Windows身份验证上单击右键,选择高级设置。取消选中启用籽粒模式复选框。 (我的扩展保护选项设置为关闭,没有尝试别的)
Under "Windows Authentication" right click and select "Advanced Settings". Uncheck the "Enable Kernal-mode" box. (My Extended Protection option was set to off, didn't try anything else)
第二步:
对于每个服务器,您必须设置的SPN。该SPN的是下面的(A或B):
For each server you have to set up SPNs. The SPNs would be the following (either A OR B):
答:
如果您的应用程序池的IDENTITIY这是一个域帐户添加以下SPN到该域帐户在域控制器上运行的下
If your app pool is running under an IDENTITIY that is a DOMAIN ACCOUNT add the following SPNs to THAT DOMAIN ACCOUNT on the domain controller
http/COMPUTER_NETBIOS_NAME
http/COMPUTER_NETBIOS_NAME.FULLY_QUALIFIED_DOMAIN_NAME
http://COMPUTER_NETBIOS_NAME.FULLY_QUALIFIED_DOMAIN_NAME
(:HTTP / COMPUTER_NETBIOS_NAME:如果你的不是默认端口上运行,也与连接的端口名称添加额外的3项。PORT等)
(if your not running on the default port, also add an additional 3 entries with the port name attached: http/COMPUTER_NETBIOS_NAME:PORT etc.)
乙:
如果您的应用程序池的身份是网络服务下运行,然后添加相同的SPN如上除了更换HTTP与HOST但增加然后在域控制器上COMPUTER_NETBIOS_NAME。
If your app pool is running under the IDENTITY "NetworkService" then add the same SPNs as above except replace "http" with "HOST" BUT ADD THEN TO COMPUTER_NETBIOS_NAME on your domain controller.
我还在生产中实现这一点,但是这对我来说在我的测试环境是什么在起作用。我会记住这更新,我发现更多。
I'm still working to implement this in production, but this is what works for me in my Test environment. I'll keep this updated as I find out more.
注意:
这工作,如果你是当您连接直接使用COMPUTER_NETBIOS_NAME在URL中。如果您使用的是别名(www.mysite.mydomain.com)或IP地址直接,这将不起作用。我相信,虽然我还没有完全测试它,那你就必须FOLLE上述步骤,但添加的SPN时的别名或IP地址替换COMPUTER_NETBIOS_NAME。 (或与NetBIOS和别名/ IP都添加它,真的不知道)
This works if you are using the COMPUTER_NETBIOS_NAME directly in the url when you connect. If you are using a alias (www.mysite.mydomain.com) or the IP address directly this will not work. I believe, although I have not fully tested it, that you would have to folle the steps above but replace COMPUTER_NETBIOS_NAME with the alias or IP address when adding the SPNs. (or add it with both the netbios and the alias/ip, not really sure)
此外,如果你得到一个错误有关不设置有效期为一体...你打开ASP.NET模拟之后,那么你可能需要添加
Also, if you get an error about a setting not being valid for integrated... after you turn on the "ASP.NET Impersonation" then you might need to add
<validation validateIntegratedModeConfiguration="false" />
在system.webServer节你的web.config
to your web.config in the system.webServer section
这篇关于设置Kerberos身份验证与代表团IIS 7瓦特/ Windows Server 2008中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
