Remove NEGOTIATE from WindowsAuthentication in IIS


Problem description

I have a site running in IIS 7.5 that is accessed using a DNS alias different from the actual server name. In IE 8, integrated authentication is failing, but in Firefox and Chrome everything works fine. (IE presents a credential challenge a few times, then displays a 401.1 error page.)

I have figured out that this is due to IE using Kerberos (aka "Negotiate") over NTLM, and Kerberos requires registering a Service Principal Name (using SETSPN) so that the mismatch between the DNS name and the server name is properly handled.

My web site, however, doesn't need impersonation--it is enough to have delegation. So instead of messing with SetSPN, I would just like to remove "Negotiate" from the list of WindowsAuthentication methods in IIS.

I have searched for quite some time to find out how to do this in IIS. I have played with many appcmd commands--but I just can't find online examples, or figure out how by reading MSDN documentation or using appcmd /? to make appcmd commands apply only to a particular application within a site rather than to the entire web server. A few search-hours later over two days, and at least 3 dozen web pages visited, I am still coming up fruitless.

How in tarnation do I get this done--it seems like it should be so easy!

Recommended answer

Open the Configuration Editor in IIS. It comes with IIS 7.5, or you can download the IIS administration pack for IIS 7.0. Navigate to the scope you want to affect (server, site, or application) and then open the icon:

Change the Section to system.webServer/security/authentication/windowsAuthentication:

Click on the providers item, and then click Edit Items on the right. Select the "Negotiate" item and click "Remove":

Close the dialog and click Apply in the Actions pane on the right.

Your problem is solved! No more Kerberos/negotiate!

Note: you can also click Generate Script in the Actions pane to display the code that will make the change in either C#, JavaScript, or with appcmd from the command line.

For reference, here is the appcmd statement to do the job without using the Configuration Editor.

appcmd.exe set config "Virtual/path/to/application" -section:system.webServer/security/authentication/windowsAuthentication /-"providers.[value='Negotiate']" /commit:apphost
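
As an added example (not part of the original answer and not code generated by IIS), the Python sketch below computes which Windows Authentication providers are effective for a given site or application path in applicationHost.config, so you can confirm that a per-application override like the one above leaves only NTLM for that application while Negotiate stays available elsewhere. The XML is a constructed sample, the function names are hypothetical, and only applicationHost.config is considered (no web.config overrides).

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from a real server): server-level defaults plus a
# per-application <location> override that removes Negotiate.
SAMPLE_APPHOST = """
<configuration>
  <system.webServer><security><authentication><windowsAuthentication enabled="true">
    <providers><add value="Negotiate" /><add value="NTLM" /></providers>
  </windowsAuthentication></authentication></security></system.webServer>
  <location path="Default Web Site/intranet">
    <system.webServer><security><authentication><windowsAuthentication enabled="true">
      <providers><remove value="Negotiate" /></providers>
    </windowsAuthentication></authentication></security></system.webServer>
  </location>
</configuration>
"""

SECTION = "system.webServer/security/authentication/windowsAuthentication/providers"


def _scopes(root):
    """Yield (location path, <providers> element); '' is the server level."""
    holders = [("", root)] + [(l.get("path", "").strip("/"), l) for l in root.findall("location")]
    for path, holder in holders:
        providers = holder.find(SECTION)
        if providers is not None:
            yield path, providers


def effective_providers(apphost_xml, target):
    """Apply add/remove/clear from the server level down to `target`."""
    target = target.strip("/").lower()
    scopes = [
        (p, el) for p, el in _scopes(ET.fromstring(apphost_xml))
        if p == "" or target == p.lower() or target.startswith(p.lower() + "/")
    ]
    result = []
    for _, providers in sorted(scopes, key=lambda s: len(s[0])):  # parents first
        for op in providers:
            value = op.get("value", "")
            if op.tag == "clear":
                result = []
            elif op.tag == "remove":
                result = [v for v in result if v.lower() != value.lower()]
            elif op.tag == "add" and value.lower() not in (v.lower() for v in result):
                result.append(value)
    return result
```

Calling `effective_providers` with the text of the server's own applicationHost.config and each application path lists the applications that have been reduced to NTLM only.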
