IIS Windows身份验证怪异 [英] IIS Windows Authentication weirdness

问题描述

我有一个包含两个网站的网络服务器：a& b。

a是生产。

I have a web server with two websites: a & b.
a is production.

b正在测试/暂存。

b is testing/staging.

在我之前编写这些应用程序的人依赖于

Whoever wrote these apps before me relies on

Request.ServerVariables("LOGON_USER") 

当用户通过Windows身份验证对服务器进行身份验证时分配。在a，这很好用，在b上有一些奇怪的事情：

which is assigned when the user authenticates against the server via Windows Authentication. On a, this works great, on b there's some weirdness:

我得到了我的登录提示，但我不能使用[domain] \ myusername登录，我虽然可以使用\\ myusername，相同的密码（基于AD）。据我所知，IIS配置是完全相同的，唯一不一致的是从a.domain.com指向b.domain.com的DNS CNAME。将DNS记录更改为指向IP修复了问题，但我正在尝试了解发生了什么。

I get my login prompt, but i can't use [domain]\myusername to login, I can do it with \\myusername though, same passwords (AD based). The IIS configs are identical as far as I can tell, the only inconsistency is a DNS CNAME pointing from a.domain.com to b.domain.com. Changing that DNS record to point at the IP fixed the problem, but I'm trying to understand what was going on.

以前的DNS记录： b.domain.com> a.domain.com

工作DNS记录： b.domain.com> 10.0.x.131

应该是b> a>常规的Windows身份验证，但出于某种原因，我发现自己使用了\是，它在域名上加两次还是什么？关于身份验证到底是什么？

It should've been b > a > regular windows authentication, but for some reason I found myself using \\ , is it tacking on the domain name twice or something? And what exactly is \\ in regards to authentication?

有意义吗？

推荐答案

一些想法。

• 您的服务器在哪个特定版本的操作系统下运行？特别是微软在不同版本中的行为往往有所不同，文档是特定于版本的

• Which specific version of the OS is your server running under? Microsoft in particular tends to have somewhat different behaviors across different versions, and the documentation is version-specific

很难回答发生了什么的问题，因为无法确定什么是正确的。我可以抛弃假设（和意志），如果你能把这个问题说成如何解决这个问题而不是发生了什么你可以检查我是否正确并做出回应，可能已经获得了一些一路上有更多相关数据。

It's difficult to answer "what's going on" questions because there's no way to be sure what's correct. I can toss out hypotheses (and will), and if you could phrase the question as a "how do I fix this" rather than a "what's going on" you could check if I'm right and respond, probably having acquired a bit more pertinent data along the way.

这听起来更像是深入系统管理理解而不是编程理解 - 如果你没有得到你需要的东西，你可能有更好的运气询问服务器故障。

This sounds like it's more about deep system administration understanding than programming understanding - if you don't get what you need here, you might have better luck asking on serverfault.

在没有其他信息的情况下，据说 最有可能是两件事之一造成的。

That having been said, in the absence of other information, the "\" most likely results from one of two things.

你可能有两个不同的代码部分，每个代码都添加'\'。在许多情况下，域名在有和没有尾随'\'的情况下都有效。因此，很可能Windows身份验证在域名之后和登录ID之前立即添加一个，以确保两者之间的分离。如果您的DNS CNAME查找是出于类似原因在域名末尾自动添加一个，则两者可能会堆叠。

It's possible that you have two different parts of the code that each adds a '\' on. Domain Names are in many cases valid both with and without the trailing '\'. Thus, it's quite possible that windows authentication adds one immediately after domain names and before login ids in order to ensure the separation between the two. If your DNS CNAME lookup is automatically adding one at the end of the domain name for similar reasons, the two might stack.

DNS中的某个地方可能会处理域名可能已通过转换器将控制字符更改为转义字符（作为避免某些安全漏洞的方法）。 '\'用作此类转义字符的基础，因此需要自己的转义字符（'\'）。

It's possible that somewhere in the DNS process the domain may have gone through a converter to change control characters into escape characters (as a way of avoiding certain security exploits). '\' is used as the basis of such escape characters, and thus requires an escape character of its own ('\').

这篇关于IIS Windows身份验证怪异的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！