集成Windows身份验证 [英] Integrated Windows Authentication
问题描述
我们正在经历一些很奇怪的问题,集成Windows身份验证与IIS和我不知道如果我可以看到一个模式或没有。
We're experiencing some really strange problems with Integrated Windows Authentication with IIS and I'm not sure if I can see a pattern or not.
我们有一个DNS,CNAME记录叫弗雷德。我们与弗雷德的IIS网站设置主机头。当我连接到这个网站,我得到提示凭据的挑战。我希望我的凭据已经通过。如果我输入我的凭据,我授予访问权限。
We have a DNS-Cname record called Fred. We have an IIS website with Fred set as the host header. When I connect to this site I get prompted with a credential challenge. I would expect my credentials to have been passed through. If I enter my credentials I am granted access.
我然后创建一个名为贝蒂本地主机条目,指向的主机文件,相同的IP地址为弗雷德和主机头更改为贝蒂。有没有相关的CNAME记录的任何地方。当我访问贝蒂我自动通过验证,一切都很好。
I then create a local host entry called Betty and point the host file to the same IP address as Fred and change the host header to Betty. There is no associated CName record anywhere. When I access Betty I am authenticated automatically and everything is fine.
如果我试图绕过CNAME记录,并创建一个名为弗雷德本地主机文件中的条目和主机头变回弗雷德。我还收到一个身份验证的挑战。
If I attempt to bypass the CName record and create an entry in the local host file called Fred and change back the host header to Fred. I still receive an authentication challenge.
在我看来有两个问题。这是怎么CNAME记录在这里影响分辨率或者是一个红色的鲱鱼。其次发生了什么应对这一挑战?我们在其他地方类似的症状,我们关心的是,我们的身份验证令牌是越来越blatted地方。可能有人演练的顺序与身份验证,即会出现什么样的数据包被发送到什么机器。有没有一种方法,我可以跟踪这个? (我想是Wireshark或者类似的东西)。我怎样才能证明我的身份验证令牌获得通过,是有效的吗?
As I see it have two questions. How is this CName record affecting the resolution here or is it a red herring. Secondly what is happening with this challenge? We have similar symptoms elsewhere and our concern is that our authentication token is getting blatted somewhere. Could someone walkthrough the order in with Authentication occurs i.e. what packets are sent to what machines. Is there a way I can trace this? (I'm thinking WireShark or something similar). How can I prove my authentication token is getting passed and is valid?
推荐答案
究其原因,身份验证框很简单:Internet Explorer的发送您的凭据,只有当它认为主机是在本地Intranet区域(默认配置假定) 。如果外面有什么IE认为是局部的主机请求NTLM凭据,身份验证对话框将出现,你必须手动验证。
The reason for the authentication box is simple: Internet Explorer sends your credentials only if it thinks the host is in the "Local Intranet" zone (default configuration assumed). If a host outside what IE deems to be "local" asks for NTLM credentials, an authentication box will appear, and you have to authenticate manually.
如果您希望将凭据自动发送,确保IE认为它在本地Intranet。检查区域信息远在状态栏右侧看到当前活动的区域。
If you want your credentials to be sent automatically, make sure IE thinks it in "Local Intranet". Check the zone info far right on the status bar to see the currently active zone.
IE的考虑到多件事情,以便决定一个主机是否应被认为是本地Intranet:
IE takes into account multiple things in order to decide whether a host is to be considered as "Local Intranet":
- 是在本地子网的IP地址 - > YES
- 是一个简单的主机名(即没有点) - > YES
- 在IE选项:它是在站点...名单本地Intranet - > YES
- 在IE选项:这是在代理例外列表 - > YES
- 是一个UNC路径 - > YES
- 否则:NO
- 有时,旧密码存在于个人密码列表中该主机名(通过控制面板访问 - >用户帐户)。如果它是错的,类似的问题可能会发生。
我怀疑是你的主机弗雷德不符合条件#2至#4,但你的测试案例贝蒂在某种程度上确实。
My suspicion is that your host "fred" does not fulfill conditions #2 through #4, but your test case "Betty" somehow does.
有什么办法名解析(CNAME记录,A记录,主机文件等)都没有区别,因为名称解析的方法是不透明的调用应用程序。 IE只要求名称XYZ,并得到一个IP地址了。
What way the name was resolved (CName record, A record, hosts file, other) makes no difference, because the method of name resolution is opaque to the calling application. IE just asks for name "XYZ" and gets an IP address back.
最近的配置更改可能要求您清除本地DNS缓存,虽然。偶尔 IPCONFIG / FLUSHDNS 将在这里帮助,或者你可以停一停的DNS客户端服务。
Recent configuration changes can require you to clear the local DNS cache, though. An occasional ipconfig /flushdns would help here, alternatively you can stop the DNS Client service for a while.
所描述的内部逻辑应用到的主机名和安全设置的变化的基础上的结果。
The described internal logic is applied to the host name and security settings change based on the outcome.
这篇关于集成Windows身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
