IIS: Using Kerberos with client computers that are not on the domain


Problem description

Can a computer that is NOT a part of the domain (but is on the network) authenticate against a web site published by IIS8 where the authentication for that site is "Windows Authentication" only with a single provider of "Negotiate:Kerberos" (and with Kernel-mode authentication disabled)?

I ask because I am trying to do just this, but I cannot get past the authentication to the site (let alone trying to pass the authentication to the database). I see the "WWW-Authenticate: Negotiate" header on the response to the client, but the client only ever seems to send an "NTLM Type1: Negotiation" (NTLMSSP) in the subsequent (re)requests. Either that or I am interpreting the results from Fiddler2 incorrectly!

I am using Kerberos as most of the clients will be domain computers and I need to pass user credentials from the web application back to the database. I was hoping that I would be able to do the same with non-domain computers and they would simply be prompted for a username/domain/password that would be validated and converted to a Kerberos ticket on the server.

Note that for testing purposes, Windows 8 is both the server and the client. In production, the server will be Windows 2008 Server R2 and the client will be primarily Windows 7 (though there will be some Windows 8 clients).

Recommended answer

Kerberos will not work on accounts/computers which are not part of the domain. You have two options to achieve your goal:

  1. Request the user data with Basic auth and pass that to LogonUserEx. See this for answers.
  2. Authenticate the user by other means and use S4U2self (protocol transition).
