Moving my website to different server changes authentication from Kerberos to NTLM
I have a webservice that is configured for Windows Authentication. The client code that invokes the WS passes along the credentials to the WS as follows:
    myWebService.Credentials = System.Net.CredentialCache.DefaultCredentials;
(my understanding is that this represents the username-password-domain of the logged on user).
I am testing configuration issues and am confused about how to ensure Kerberos is set.
DETAILS Follow:
I have 2 virtual directories on the same IIS server (one is a "client" with .aspx pages) and the other is the "server" (it hosts a webservice that the client invokes).
My client displays key info about the connecting user via this code:
    // Requires the System and System.Text namespaces (Environment, StringBuilder).
    private string GetUserInfo()
    {
        System.Security.Principal.WindowsIdentity UserIdentityInfo;
        StringBuilder msg = new StringBuilder("User Name: ");
        // Identity the current thread/process is running as
        UserIdentityInfo = System.Security.Principal.WindowsIdentity.GetCurrent();
        msg.Append(UserIdentityInfo.Name);
        msg.Append(Environment.NewLine);
        msg.Append(" Token: ");
        // Handle of the Windows access token (IntPtr)
        msg.Append(UserIdentityInfo.Token.ToString());
        msg.Append(Environment.NewLine);
        msg.Append(" Authenticated: ");
        // Authentication package used, e.g. "Kerberos" or "NTLM"
        msg.Append(UserIdentityInfo.AuthenticationType);
        msg.Append(Environment.NewLine);
        msg.Append(" System: ");
        msg.Append(UserIdentityInfo.IsSystem);
        msg.Append(Environment.NewLine);
        msg.Append(" Guest: ");
        msg.Append(UserIdentityInfo.IsGuest);
        msg.Append(Environment.NewLine);
        msg.Append(" Anonymous: ");
        msg.Append(UserIdentityInfo.IsAnonymous);
        msg.Append(Environment.NewLine);
        return msg.ToString();
    }
Authentication type is Kerberos when BOTH webclient and the called webservice are on the same server (e.g. SERVER1). Actual execution works correctly too.
Authentication type changes to NTLM when this same webclient code is invoked but it now resides on SERVER2. The called webservice still resides on the original server (SERVER1). Actual execution FAILS because the credentials are not correct.
SERVER1 and SERVER2 are on the same local area network (same DOMAIN) and the domain account I use for testing each scenario above is the same (I am in Administrators group on each machine).
How can I configure this so KERBEROS is the authentication type - that is, when this client on SERVER2 is invoked from a browser by "me"?
Please see my comment above. The ServerFault site is perhaps a better place for this question, and sure enough a post there was quickly answered beautifully. Answer at:
https://serverfault.com/questions/270293/moving-my-website-to-different-server-changes-authentication-from-kerberos-to-ntl