Windows authentication - Kerberos or NTLM (Negotiate oYICO...)


Problem description

I have problems with a single user in an intranet application. The client side is a WPF application which communicates with an ASP.Net Web API Web Service.

The client uses

HttpClientHandler handler = new HttpClientHandler()
{
  AutomaticDecompression = DecompressionMethods.Deflate | DecompressionMethods.GZip,
  UseDefaultCredentials = true,
  PreAuthenticate = true
};

On IIS Windows authentication is enabled with NTLM and Negotiate providers.

The system works for all users except one that gets 401.1 but only from POST requests.

I'm currently trying to figure out what's different with this user. The only thing I noticed is a different kind of authorization header.

From here (and many other resources) I read:


If the header starts with a "T" (example: HTTP: Authorization = Negotiate TlRMTVNTU...) then you're using NTLM. If it starts with a "Y" (example: Authorization: Negotiate YIILjgYGKwYB...) then you're successfully using Kerberos.

I can see headers for working requests that seem to use Kerberos:

Authorization: Negotiate YIIT4QYGKwYBBQUCoIIT1TCC...

The header which is sent from the user which fails to POST looks like

Authorization: Negotiate oYICOTCCAjWgAwoBAaKCAhg...

It starts with o. So is this NTLM or Kerberos? The authentication fails for POST request, but succeeds on GET!

Recommended answer

Why don't you use Wireshark for that?

Wireshark will inspect all traffic. I will break down the ticket from ASN.1 to a displayable tree structure. You'll see what mechanism is used in your case. Additionally, you'll see all the Kerberos traffic, e.g., your TGS-REQ.
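
The ASN.1 breakdown the answer describes can also be done directly on the header value. The following Python code is an added example, not part of the original question or answer; the function names are hypothetical, and it reads only the outer SPNEGO framing (RFC 4178), so it also works on truncated prefixes like the ones quoted in the question.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"
OIDS = {bytes.fromhex("2b0601050502"): "SPNEGO",            # 1.3.6.1.5.5.2
        bytes.fromhex("2a864886f712010202"): "Kerberos 5"}  # 1.2.840.113554.1.2.2
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

def _tlv(buf, pos):
    """Read one DER header at pos; return (tag, length, value_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, first, pos + 2
    end = pos + 2 + (first & 0x7F)
    if end > len(buf):
        raise IndexError("length bytes cut off")
    return tag, int.from_bytes(buf[pos + 2:end], "big"), end

def _mech(buf):
    """Name a token that starts with the NTLMSSP signature or a GSS-API OID."""
    if buf and NTLMSSP.startswith(buf[:8]):
        return "NTLMSSP"
    if buf[:1] == b"\x60":          # [APPLICATION 0] { thisMech OID, ... }
        _, oid_len, oid_pos = _tlv(buf, _tlv(buf, 0)[2])
        oid = buf[oid_pos:oid_pos + oid_len]
        return OIDS.get(oid, "OID " + oid.hex())

def classify_negotiate(header_value):
    """Describe the token in a 'Negotiate <base64>' value, even when truncated."""
    text = header_value.split()[-1].rstrip(".")
    text = text[:len(text) - (len(text) % 4 == 1)]  # a lone trailing char holds no byte
    raw, found = base64.b64decode(text + "=" * (-len(text) % 4)), []
    try:
        if mech := _mech(raw):
            return "top-level token: " + mech
        tag, _, pos = _tlv(raw, 0)
        if tag != 0xA1:
            return "unrecognised token, first byte 0x%02x" % tag
        pos = _tlv(raw, pos)[2]     # step into the NegTokenResp SEQUENCE
        while pos < len(raw):
            ftag, flen, fpos = _tlv(raw, pos)
            if ftag == 0xA0:        # negState ::= ENUMERATED
                found.append("negState=" + NEG_STATE.get(raw[fpos + 2], "?"))
            elif ftag == 0xA2:      # responseToken ::= OCTET STRING
                found.append("responseToken=%d bytes" % flen)
                found.append("inner=" + str(_mech(raw[_tlv(raw, fpos)[2]:])))
            pos = fpos + flen
    except IndexError:
        pass                        # ran off the end of a truncated prefix
    return "SPNEGO NegTokenResp: " + ", ".join(found) if found else "too short to classify"
```

For the failing request's prefix (`Negotiate oYICOTCCAjWgAwoBAaKCAhg...`) it returns `SPNEGO NegTokenResp: negState=accept-incomplete, responseToken=536 bytes`, a continuation token whose inner mechanism lies past the visible prefix. The working request's `YIIT4QYGKwYBBQUCoIIT1TCC...` prefix returns `top-level token: SPNEGO`.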
