Asp site works with Win7 IE 11 but not with Win10 IE11

So we have this old ASP site (that just won't die).
It's currently sitting on Win2k12 and is set up with SPNs and Kerberos delegation. It uses a COM+ object that runs a .vbs that does a lot of talking with Active Directory.
We are starting to roll out our Windows 10 implementation.
In our dev environment, it works with Win7/IE11 and Win10/IE11. In our production environment, Win7/IE11 has worked (and still does) but Win10/IE11 is not working.
Some of the error messages are:
Active Directory error '80040e37'
The specified directory service attribute or value does not exist.
Error getting attribute max range
Attribute: [givenName]
Error description: [-2147463153] The attempted action violates the DS schema rules.
Normally these would point to the website not being configured properly, but it's working fine for everyone on Win7.
So that would point the finger towards the Win10 implementation.
What in Windows 10 would be causing this issue? (Maybe a specific misconfigured GPO?) I'm stumped.
Update 1.
GPOs don't seem to be the problem. It's the same GPO set regardless of whether it's Win7 or Win10 (no filtering by WMI).
So the site works in Windows 8/IE11 and it also works in Chrome on Win7 (after a few tweaks to enable Kerberos).
I've managed to create a little test page that causes the issue.
<%
Option Explicit
Dim oSysInfo, user, sURL, pAttribute
Dim cl, sc, pr, pr2

'Get the current user's information. This is just the currently logged-on user.
' Set oSysInfo = Server.CreateObject("ADSystemInfo")

'Bind to the user object by its distinguished name
sURL = "LDAP://AUsersDistinguishedName"
Response.Write(sURL & "<br />")

On Error Resume Next
Set user = GetObject(sURL)
pAttribute = "givenName"
'Response.Write(user.Get(pAttribute))

'Walk from the user's schema class to the schema container, then to the property definition
Set cl = GetObject(user.Schema)
'Test(user)
Set sc = GetObject(cl.Parent)
Set pr = sc.GetObject("Property", pAttribute)
Response.Write(pr.MaxRange)

Set cl = Nothing
Set sc = Nothing
Set pr = Nothing

'-2147463155: Not found in directory cache. That means the MaxRange property is empty or not set, so there is no error.
If Err.Number <> 0 And Err.Number <> -2147463155 Then
    Response.Write "<br>Error description: [" & Err.Number & "] " & Err.Description
End If
%>
Update 2.
I'll add more information about the IIS server.
Update 3: I've gotten Microsoft involved through one of my MSDN incidents. When we did a network monitoring trace, there seems to be an issue with Kerberos.
Working - dev with Windows 10. Ticket: Realm: ourRealm, Sname: ldap/DomainControllerFQN
Working - prod with Windows 7. Ticket: Realm: ourRealm, Sname: ldap/DomainControllerFQN
Not working - prod with Windows 10. Ticket: Realm: ourRealm, Sname: name of the account running the website. All the requests fall back to NLMP (NTLM) instead of using Kerberos.
As for SPNs, they are the same between both environments. When we do setspn -l Webserver, this is a subset of them.
On the delegation tab for the web server, it's set to
"Trust this computer for delegation to any service (Kerberos only)"
Here are screenshots of the IIS Authentication section
Update 4
Here is the output of the klist information after hitting the website in both environments (I did a klist purge on the workstation beforehand).
Windows 10 - dev - working
Cached Tickets: (4)
#0> Client: MyUser @ DomainFqn
Server: krbtgt/DomainFqn @ DomainFqn
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x60a00000 -> forwardable forwarded renewable pre_authent
Start Time: 11/28/2017 10:27:10 (local)
End Time: 11/28/2017 20:27:10 (local)
Renew Time: 12/5/2017 10:27:10 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x2 -> DELEGATION
Kdc Called: DomainControllerFqn
#1> Client: MyUser @ DomainFqn
Server: krbtgt/DomainFqn @ DomainFqn
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 11/28/2017 10:27:10 (local)
End Time: 11/28/2017 20:27:10 (local)
Renew Time: 12/5/2017 10:27:10 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: DomainControllerFqn
#2> Client: MyUser @ DomainFqn
Server: cifs/resourceServer @ DomainFqn
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 11/28/2017 10:27:11 (local)
End Time: 11/28/2017 20:27:10 (local)
Renew Time: 12/5/2017 10:27:10 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: DomainControllerFqn
#3> Client: admlareaua @ DomainFqn
Server: HTTP/webserverFQN @ DomainFqn
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
Start Time: 11/28/2017 10:27:10 (local)
End Time: 11/28/2017 20:27:10 (local)
Renew Time: 12/5/2017 10:27:10 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: DomainControllerFqn
Windows 10 - prod - not working
#0> Client: MyUser @ DomainFqn
Server: krbtgt/DomainFqn @ DomainFqn
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 11/28/2017 9:14:10 (local)
End Time: 11/28/2017 19:14:10 (local)
Renew Time: 12/5/2017 9:14:10 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: DomainControllerFqn
#1> Client: admhqlareaua @ DomainFqn
Server: HTTP/WebServerFQN @ DomainFqn
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
Start Time: 11/28/2017 9:14:10 (local)
End Time: 11/28/2017 19:14:10 (local)
Renew Time: 12/5/2017 9:14:10 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: DomainControllerFqn
Windows 7 - prod - working
Cached Tickets: (3)
#0> Client: MyUser @ DomainFqn
Server: krbtgt/DomainFqn @ DomainFqn
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x60a00000 -> forwardable forwarded renewable pre_authent
Start Time: 11/28/2017 9:17:24 (local)
End Time: 11/28/2017 19:17:24 (local)
Renew Time: 12/5/2017 9:17:24 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#1> Client: MyUser @ DomainFqn
Server: krbtgt/DomainFqn @ DomainFqn
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 11/28/2017 9:17:24 (local)
End Time: 11/28/2017 19:17:24 (local)
Renew Time: 12/5/2017 9:17:24 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#2> Client: MyUser @ DomainFqn
Server: HTTP/WebServerFQN @ DomainFqn
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
Start Time: 11/28/2017 9:17:24 (local)
End Time: 11/28/2017 19:17:24 (local)
Renew Time: 12/5/2017 9:17:24 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Update 5
So for fun, I created a quick MVC site and put it as a sub-site of the non-working site.
I made the following controller.
public JsonResult GetList2()
{
    var st = new List<string>();
    var currSchema = ActiveDirectorySchema.GetCurrentSchema();
    st.Add(currSchema.Name);
    foreach (ActiveDirectorySchemaProperty property in currSchema.FindAllProperties())
    {
        st.Add($"{property.Name} - {property.RangeUpper}");
    }
    return Json(st, JsonRequestBehavior.AllowGet);
}
It seems to work fine and gives me the maxlength values I want. So I think I'm going to throw in the towel on this issue and continue with the rewrite of the application to C#.
Update 6 (6 months later).
It turns out that the issue is with Credential Guard. (Another old application was starting to get the same type of issue.)
We turned off Credential Guard in the registry and the application worked fine.
https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-considerations
(from the link)
Kerberos Considerations
When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. Use constrained or resource-based Kerberos delegation instead.
So I'll have to look into, I guess, constrained or resource-based Kerberos.
So Credential Guard seems to be the big culprit. I've opened up another question to try and pinpoint that issue - Switching application to use Constraint based kerberos
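The klist dumps in Update 4 already contain the diagnostic that explains Update 6: unconstrained delegation only works if the client hands the web server a forwarded copy of its TGT, and that forwarded TGT shows up in the client's own cache with the `forwarded` ticket flag (and, on Windows 10, `Cache Flags: 0x2 -> DELEGATION`). The working dumps have it; the Windows 10 prod dump does not, because Credential Guard refuses to forward the TGT, so the web server can only talk to LDAP as itself and falls back to NTLM. The following Python script is an added example, not code from the question or from Microsoft: it decodes the `Ticket Flags` bitmask the way klist does (bit numbering per RFC 4120, bit 0 being the most significant bit) and runs a small triage over klist output to say whether unconstrained delegation could have happened. The two sample dumps are abbreviated copies of the question's own output; the `delegation_triage` function and its rules are an assumption of this example.

```python
import re

# Kerberos ticket flag bit positions per RFC 4120 section 5.4.1. Bit 0 is the
# most significant bit of the 32-bit KerberosFlags word, which is how klist
# prints the value (e.g. 0x60a00000 -> forwardable forwarded renewable pre_authent).
TICKET_FLAG_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may_postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre_authent", 11: "hw_authent",
    12: "transited_policy_checked", 13: "ok_as_delegate",
}


def decode_ticket_flags(flags):
    """Return the names of the flags set in a 32-bit KerberosFlags value, MSB-first."""
    return [name for bit, name in sorted(TICKET_FLAG_BITS.items())
            if flags & (0x80000000 >> bit)]


def parse_klist(text):
    """Parse the '#n>' ticket entries of Windows klist output into dicts."""
    tickets, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"#\d+>\s*Client:\s*(.+)", line)
        if m:
            current = {"client": m.group(1).strip(), "server": "", "flags": 0, "cache_flags": 0}
            tickets.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"Server:\s*(\S+)", line)
        if m:
            current["server"] = m.group(1)
        m = re.match(r"Ticket Flags\s+(0x[0-9a-fA-F]+)", line)
        if m:
            current["flags"] = int(m.group(1), 16)
        # Windows 7 klist omits the Cache Flags line entirely, so it stays 0 there.
        m = re.match(r"Cache Flags:\s*(0x[0-9a-fA-F]+|\d+)", line)
        if m:
            current["cache_flags"] = int(m.group(1), 0)
    return tickets


def delegation_triage(text, service_prefix="HTTP/"):
    """Hypothetical triage rule: unconstrained delegation needs (a) a service ticket
    for the web server marked ok_as_delegate and (b) a forwarded TGT in the cache."""
    tickets = parse_klist(text)
    service = [t for t in tickets if t["server"].upper().startswith(service_prefix.upper())]
    ok_as_delegate = any("ok_as_delegate" in decode_ticket_flags(t["flags"]) for t in service)
    forwarded_tgt = any(t["server"].lower().startswith("krbtgt/")
                        and "forwarded" in decode_ticket_flags(t["flags"]) for t in tickets)
    return {
        "service_ticket": bool(service),
        "ok_as_delegate": ok_as_delegate,
        "forwarded_tgt": forwarded_tgt,
        "unconstrained_delegation_possible": bool(service) and ok_as_delegate and forwarded_tgt,
    }


# Abbreviated copies of the question's klist output (dev/working vs prod/not working).
WORKING = """
Cached Tickets: (2)
#0> Client: MyUser @ DomainFqn
    Server: krbtgt/DomainFqn @ DomainFqn
    Ticket Flags 0x60a00000 -> forwardable forwarded renewable pre_authent
    Cache Flags: 0x2 -> DELEGATION
#1> Client: MyUser @ DomainFqn
    Server: HTTP/webserverFQN @ DomainFqn
    Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
    Cache Flags: 0
"""

NOT_WORKING = """
#0> Client: MyUser @ DomainFqn
    Server: krbtgt/DomainFqn @ DomainFqn
    Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
    Cache Flags: 0x1 -> PRIMARY
#1> Client: MyUser @ DomainFqn
    Server: HTTP/WebServerFQN @ DomainFqn
    Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
    Cache Flags: 0
"""

if __name__ == "__main__":
    for label, dump in (("dev / working", WORKING), ("prod / not working", NOT_WORKING)):
        print(label, delegation_triage(dump))
```

Run it against a saved `klist` dump (`klist > tickets.txt` on the workstation after a `klist purge` and a hit on the site, as in Update 4) to tell the two failure shapes apart: `ok_as_delegate` true but `forwarded_tgt` false means the client declined to forward its TGT (the Credential Guard case), whereas `ok_as_delegate` false means the web server's computer account is not trusted for delegation at all. Because Windows 7 prints no Cache Flags line, the rule keys on the `forwarded` ticket flag rather than on `DELEGATION`. Note that when the service moves to constrained or resource-based delegation, as the Microsoft note recommends, no forwarded TGT appears on the client at all, so this check only diagnoses the unconstrained setup the question describes.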