
Windows Authentication behind AWS Elastic Load Balancer (ELB) not working

I have an ASP.NET MVC 5 site that uses Windows Authentication. The main page just displays the current Identity name (Controller.User.Identity.Name) for testing purposes. After deploying the website to the server (Windows Server 2012) and enabling Windows Authentication on IIS, I visit the page going directly to the server. It prompts for credentials, I provide my AD username/password once and it works. So far so good.

Now, if I have the same server behind an AWS Elastic Load Balancer (only that one server) and I hit the site on the load balancer, I notice two issues:

  • The page prompts many times for credentials. After clicking OK several times it works.
  • I had a colleague log in on his machine (he had to click several times too), then I went back to my computer. When I visited the URL it didn't prompt. It worked right away and it said the current user was my colleague.

This is very strange. Almost like the Kerberos ticket is getting lost or confused because of the load balancer. I tried this and step 4 from here, still no luck.

Any ideas?

According to this blog post, ELB will work if you switch it to TCP mode:

https://cloudninjablog.wordpress.com/2014/08/22/configuring-aws-elb-to-work-with-windows-authentication/

The first thing I would do is enable the "Access Logs" option for your ELB so you can see exactly what error, if any, is being logged at the ELB level. You can see the steps on how to do that below. You may also want to ensure you're allowing the proper ports between your ELB and your web server if they are in different security groups. Lastly, check your IIS logs to see what information they are providing when accessing that URL via the ELB.

http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-access-logs.html

It seems Windows authentication only works with the Classic Load Balancer in TCP mode or the new Network Load Balancer. NTLM or Kerberos auth is not possible on L7, i.e. the Application Load Balancer, as it breaks the connections for termination, inspection or redirection (like via a proxy).

You may need to enable sticky sessions on the ELB so that authentication and negotiation complete on the same server behind the ELB.
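Putting the TCP-mode advice from the answers above together with the sticky-session suggestion, the following CloudFormation fragment is an added example; it is not from the question or from any of the answers. It shows the L7 HTTP listener that breaks IIS Windows Authentication next to the TCP/SSL-passthrough listener that keeps one end-to-end connection per client, and an NLB target group with source-IP stickiness for the multi-server case. Resource names and the Parameters (VpcId, SubnetIds, SecurityGroupId, WebServerInstanceId) are placeholders you would replace with your own ids.

```yaml
# Added example, not from the original question or answers. Resource names and
# the Parameters are placeholders; supply your own VPC, subnets, security group
# and instance ids.
AWSTemplateFormatVersion: "2010-09-09"
Description: IIS Windows Authentication behind a Classic ELB in TCP mode and behind an NLB

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  SecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
  WebServerInstanceId:
    Type: AWS::EC2::Instance::Id

Resources:
  # BROKEN (kept commented out for contrast): an HTTP listener makes the ELB an
  # L7 proxy. It terminates the client connection and reuses pooled backend
  # connections, so the multi-leg Negotiate/NTLM handshake never completes on a
  # single connection (repeated prompts), and a backend connection that IIS has
  # already authenticated can be reused for a different client.
  #
  # ClassicElbHttp:
  #   Type: AWS::ElasticLoadBalancing::LoadBalancer
  #   Properties:
  #     Listeners:
  #       - LoadBalancerPort: "80"
  #         InstancePort: "80"
  #         Protocol: HTTP
  #         InstanceProtocol: HTTP

  # FIXED: TCP listeners (SSL passthrough on 443) keep one end-to-end TCP
  # connection per client, so IIS sees the whole authentication exchange.
  ClassicElbTcp:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Subnets: !Ref SubnetIds
      SecurityGroups:
        - !Ref SecurityGroupId
      Instances:
        - !Ref WebServerInstanceId
      Listeners:
        - LoadBalancerPort: "80"
          InstancePort: "80"
          Protocol: TCP
          InstanceProtocol: TCP
        - LoadBalancerPort: "443"
          InstancePort: "443"
          Protocol: TCP            # TLS terminates on IIS, not on the ELB
          InstanceProtocol: TCP
      HealthCheck:
        # An HTTP health check against the site would get a 401 from Windows
        # Authentication and mark the instance unhealthy; check the port only.
        Target: TCP:80
        Interval: "30"
        Timeout: "5"
        HealthyThreshold: "2"
        UnhealthyThreshold: "2"

  # ALTERNATIVE: a Network Load Balancer (L4). Source-IP stickiness keeps a
  # client on the same backend once more than one IIS server is registered.
  Nlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Scheme: internal
      Subnets: !Ref SubnetIds

  NlbTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: TCP
      Port: 443
      TargetType: instance
      Targets:
        - Id: !Ref WebServerInstanceId
      HealthCheckProtocol: TCP
      TargetGroupAttributes:
        - Key: stickiness.enabled
          Value: "true"
        - Key: stickiness.type
          Value: source_ip

  NlbListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref Nlb
      Port: 443
      Protocol: TCP
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref NlbTargetGroup
```

Two caveats worth checking after the switch. With TCP listeners the load balancer no longer sees HTTP, so it adds no X-Forwarded-For header and IIS logs show the load balancer's address unless you enable proxy protocol; the ELB access logs also become connection-level only. And for Kerberos rather than NTLM, clients must reach the site under a hostname (typically a CNAME pointing at the load balancer) that has a matching HTTP/ SPN registered on the application pool account; otherwise Negotiate falls back to NTLM, which still works over the TCP listener. Cookie-based stickiness on the Classic Load Balancer applies only to HTTP/HTTPS listeners, which is why the example pins clients with source-IP stickiness on the NLB target group instead.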

Statement: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to reproduce them, please cite this site or the original source. For any questions contact yoyou2525@163.com.