Windows 身份驗證在本地 IIS 7.5 上不起作用。 錯誤 401.1
[英]Windows Authentication not working on local IIS 7.5. Error 401.1
問題描述
我最近遇到了一個令人討厭的問題,讓 Windows 身份驗證在 IIS 7.5 (Windows 7 Pro) 的本地實例上運行到 ASP.net 4.0 站點。 我遵循了基本步驟。
IIS 身份驗證
- 禁用匿名身份驗證
- 啟用 Windows 身份驗證
編輯 web.config
<authentication mode="Windows" />
這在啟用 Windows 身份驗證方面做得很好,但每次登錄嘗試都被拒絕並最終返回 401.1 錯誤。 這就是問題開始的地方。 這似乎有很多原因,這些原因在網絡上都有很好的記錄,包括在 Stack Overflow 上。
我試過:
- 編輯 Windows 身份驗證的 IIS 身份驗證“高級設置”以禁用擴展保護和內核模式身份驗證
- 編輯 IIS 身份驗證“提供程序”以將 NTLM 移至協商之上。
- 編輯 IIS .NET 授權規則以明確允許用戶(和各種其他組合)。
- 各種 IIS 命令行腳本和調整。
- web.config 文件中的各種配置調整。
- 甚至一些文件系統權限調整。
但一切都無濟於事,可怕的 401.1 仍然存在。
這真是一個“見樹不見林”的案例。 我設法找到的所有解決方案(如果你願意,可以稱之為錯誤搜索參數的情況)對我有用,所以我認為值得發布這個問題,希望能提供一個明確的答案,讓遇到同樣問題的人更容易找到.
4 個解決方案
解決方案1
81 已采納 2013-07-04 09:26:46
這里的問題是,現代版本的 Windows(Windows XP SP2、Windows Server 2003 SP1 及更高版本)包含一個環回檢查安全功能,旨在幫助防止對您的計算機進行反射攻擊。 因此,如果您使用的 FQDN 或自定義主機標頭與本地計算機名稱不匹配,則身份驗證將失敗。
這可以通過明確指定主機名或禁用環回檢查來解決。 顯然,前者是更受控制的方法。
- 將 DisableStrictNameChecking 注冊表項設置為 1。請參閱: 281308 (注意:對於 Windows Server 2008/Vista 及更高版本,這應該是不必要的)
- 在注冊表編輯器中,找到並單擊以下注冊表項:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
- 右鍵單擊 MSV1_0,指向新建,然后單擊多字符串值。
- 鍵入 BackConnectionHostNames,然后按 Enter。
- 右鍵單擊 BackConnectionHostNames,然后單擊修改。
- 在數值數據框中,鍵入本地計算機上站點的主機名或主機名,然后單擊確定。
- 退出注冊表編輯器,然后重新啟動 IISAdmin 服務。
有關如何執行此操作的完整詳細信息,請參閱 MSDN: 896861
希望這可以幫助某人。 如果您有任何替代建議或改進,請添加。
解決方案2
5 2015-09-16 20:20:49
我想添加 Michael Dark 的評論作為答案,因為我沒有修改注冊表的權限,所以 Pete 的答案對我不起作用,但我能夠解決問題。
我通過向我的網站添加一個沒有指定主機名和不同端口的新綁定來解決它(因為 localhost:80 用於我)。 一旦我嘗試從http://localhost:86/mypage調用它,它就起作用了。 在瀏覽器中快速檢查后,我用 cURL 測試了幾次,它正確地接受並拒絕了我的憑據。
解決方案3
2 2013-07-05 16:21:16
再次重新安裝 IIS 功能並確保選中 WINDOWS auth 復選框狀態。
解決方案4
1 2016-11-09 00:19:39
這是我用來處理反向連接主機名和 IIS 的 PowerShell 代碼。 請注意,只需做一些工作,就可以將命令行開關保存到模塊中並以這種方式使用。
Import-Module WebAdministration
function Add-BackConnectionHostname
{
<#
.SYNOPSIS
Adds the back connection hostnames that will bypass the server loopback check.
.DESCRIPTION
Adds the hostname to the list of back connection hostnames that will bypass the server loopback check. Back connection host names
can be used to address the problem with IIS sites using Windows Authentication that is described in Microsoft KB896861.
.EXAMPLE
Add-BackConnectionHostname mywebsite.mydomain.tld
.EXAMPLE
Add-BackConnectionHostname mywebsite1.mydomain.tld, mywebsite2.mydomain.tld
.PARAMETER Hostname
The Hostname to add to the back connection hostnames list.
.LINK
Remove-BackConnectionHostname
Get-BackConnectionHostname
Enable-ServerLoopbackCheck
Disable-ServerLoopbackCheck
Get-ServerLoopbackCheck
"You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.microsoft.com/en-us/kb/896861)
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param
(
[Parameter(ValueFromPipeline = $true, Mandatory = $true)]
[string] $Hostname
)
begin
{
$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"
$propertyName = "BackConnectionHostnames"
$key = Get-Item $keyPath
$property = $null
$propertyValues = $null
if ($key -ne $null)
{
$property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue
if ($property -eq $null)
{
$property = New-ItemProperty $keyPath -Name $propertyName -Value $null -PropertyType ([Microsoft.Win32.RegistryValueKind]::MultiString) -ErrorAction Stop
Write-Verbose "Created the $($propertyName) property."
}
if ($property -ne $null)
{
$propertyValues = $property.$propertyName
}
}
}
process
{
if ($property -ne $null)
{
foreach ($hostNameValue in $Hostname)
{
if ([string]::IsNullOrWhiteSpace($hostName) -eq $false -and $propertyValues -notcontains $hostNameValue)
{
$propertyValues += $hostNameValue
Write-Verbose "Added $($hostName) to the back connection hostnames."
}
else
{
Write-Verbose "Back connection host names already has an entry for $($hostName)."
}
}
}
}
end
{
if ($propertyValues -ne $null)
{
$propertyValues = $propertyValues | ?{ [string]::IsNullOrWhiteSpace($_) -eq $false } | Sort -Unique
Set-ItemProperty $keyPath -Name $propertyName -Value $propertyValues
}
}
}
function Remove-BackConnectionHostname
{
<#
.SYNOPSIS
Removes the hostname from the list of back connection hostnames that will bypass the server loopback check.
.DESCRIPTION
Removes the hostname from the list of back connection hostnames that will bypass the server loopback check.
.EXAMPLE
Remove-BackConnectionHostname mywebsite.mydomain.tld
.EXAMPLE
Remove-BackConnectionHostname mywebsite1.mydomain.tld, mywebsite2.mydomain.tld
.PARAMETER Hostname
The Hostname to remove from the back connection hostnames list.
.LINK
Add-BackConnectionHostname
Get-BackConnectionHostname
Enable-ServerLoopbackCheck
Disable-ServerLoopbackCheck
Get-ServerLoopbackCheck
"You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.microsoft.com/en-us/kb/896861)
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param
(
[Parameter(ValueFromPipeline = $true, Mandatory = $true)]
[string] $Hostname
)
begin
{
$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"
$propertyName = "BackConnectionHostnames"
$key = Get-Item $keyPath
$property = $null
$propertyValues = $null
if ($key -ne $null)
{
$property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue
if ($property -ne $null)
{
$propertyValues = $property.$propertyName
}
else
{
Write-Verbose "The $($propertyName) property was not found."
}
}
}
process
{
if ($property -ne $null)
{
foreach ($hostNameValue in $Hostname)
{
if ($propertyValues -contains $hostNameValue)
{
$propertyValues = $propertyValues | ? { $_ -ne $hostName }
Write-Verbose "Removed $($hostName) from the $($propertyName) property."
}
else
{
Write-Verbose "No entry for $($hostName) was found in the $($propertyName) property."
}
}
}
}
end
{
if ($property -ne $null)
{
$propertyValues = $propertyValues | ?{ [string]::IsNullOrWhiteSpace($_) -eq $false } | Sort -Unique
if ($propertyValues.Length -ne 0)
{
Set-ItemProperty $keyPath -Name $propertyName -Value $propertyValues
}
else
{
Remove-ItemProperty $keyPath -Name $propertyName
Write-Verbose "No entries remain after removing $($hostName). The $($propertyName) property was removed."
}
}
}
}
function Get-BackConnectionHostname
{
<#
.SYNOPSIS
Gets the list of back connection hostnames that will bypass the server loopback check.
.DESCRIPTION
Gets the back connection hostnames that will bypass the server loopback check. Back connection host names can be used to address
the problem with IIS sites using Windows Authentication that is described in Microsoft KB896861.
.EXAMPLE
Get-BackConnectionHostname
.LINK
Add-BackConnectionHostname
Remove-BackConnectionHostname
Enable-ServerLoopbackCheck
Disable-ServerLoopbackCheck
Get-ServerLoopbackCheck
"You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.microsoft.com/en-us/kb/896861)
#>
[CmdletBinding(SupportsShouldProcess = $false)]
param
(
)
begin
{
$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"
$propertyName = "BackConnectionHostnames"
$key = Get-Item $keyPath
$property = $null
if ($key -ne $null)
{
$property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue
if ($property -eq $null)
{
Write-Verbose "The $($propertyName) property was not found."
}
}
}
process
{
$propertyValues = $null
if ($property -ne $null)
{
$propertyValues = $property.$propertyName
}
return $propertyValues
}
end
{
}
}
function Enable-ServerLoopbackCheck
{
<#
.SYNOPSIS
Enables the server loopback check. Enabled is the normal state for a Windows Server.
.DESCRIPTION
Enables the server loopback check. Having the loopback check enabled is the normal state for a Windows Server. Disabling the loopback check can be used to address
the problem with IIS sites using Windows Authentication that is described in Microsoft KB896861. It is NOT the preferred method. See the KB article for more details.
.EXAMPLE
Enable-ServerLoopbackCheck
.LINK
Add-BackConnectionHostname
Remove-BackConnectionHostname
Get-BackConnectionHostname
Enable-ServerLoopbackCheck
Get-ServerLoopbackCheck
"You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.microsoft.com/en-us/kb/896861)
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param
(
)
begin
{
$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$propertyName = "DisableLoopbackCheck"
$key = Get-Item $keyPath
$property = $null
if ($key -ne $null)
{
$property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue
if ($property -eq $null)
{
Write-Verbose "The $($propertyName) property was not found."
}
}
}
process
{
if ($property -ne $null)
{
Set-ItemProperty $keyPath -Name $propertyName -Value 0
}
}
end
{
}
}
function Disable-ServerLoopbackCheck
{
<#
.SYNOPSIS
Disables the server loopback check for all hostnames. Enabled is the normal state for a Windows Server.
.DESCRIPTION
Disables the server loopback check for all hostnames. Having the loopback check enabled is the normal state for a Windows Server. Disabling the loopback check can be used
to address the problem with IIS sites using Windows Authentication that is described in Microsoft KB896861. It is NOT the preferred method. See the KB article for more details.
.EXAMPLE
Disable-ServerLoopbackCheck
.LINK
Add-BackConnectionHostname
Remove-BackConnectionHostname
Get-BackConnectionHostname
Enable-ServerLoopbackCheck
Get-ServerLoopbackCheck
"You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.microsoft.com/en-us/kb/896861)
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param
(
)
begin
{
$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$propertyName = "DisableLoopbackCheck"
$key = Get-Item $keyPath
$property = $null
if ($key -ne $null)
{
$property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue
if ($property -eq $null)
{
Write-Verbose "The $($propertyName) property was not found."
}
}
}
process
{
if ($property -ne $null)
{
Set-ItemProperty $keyPath -Name $propertyName -Value 1
}
else
{
$property = New-ItemProperty $keyPath -Name $propertyName -PropertyType ([Microsoft.Win32.RegistryValueKind]::DWord) -Value 1
}
}
end
{
}
}
function Get-ServerLoopbackCheck
{
<#
.SYNOPSIS
Gets the status of the server loopback check. Enabled is the normal state for a Windows Server.
.DESCRIPTION
Gets the status of the server loopback check. Having the loopback check enabled is the normal state for a Windows Server. Disabling the loopback check can be used
to address the problem with IIS sites using Windows Authentication that is described in Microsoft KB896861. It is NOT the preferred method. See the KB article for
more details.
.EXAMPLE
Get-ServerLoopbackCheck
.LINK
Add-BackConnectionHostname
Remove-BackConnectionHostname
Get-BackConnectionHostname
Enable-ServerLoopbackCheck
Disable-ServerLoopbackCheck
"You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.microsoft.com/en-us/kb/896861)
#>
[CmdletBinding(SupportsShouldProcess = $false)]
param
(
)
begin
{
$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$propertyName = "DisableLoopbackCheck"
$key = Get-Item $keyPath
$property = $null
if ($key -ne $null)
{
$property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue
}
}
process
{
$loopbackCheckStatus = "Enabled"
if ($property -ne $null)
{
switch ($property)
{
0 { $loopbackCheckStatus = "Enabled" }
1 { $loopbackCheckStatus = "Disabled" }
default { $loopbackCheckStatus = "Unknown" }
}
}
return $loopbackCheckStatus
}
end
{
}
}
function Get-WebsiteHostname
{
<#
.SYNOPSIS
Gets the hostnames for the IP addresses bound to a web site.
.DESCRIPTION
Gets the hostnames for the IP addresses bound to a web site. Where a host header exists, the host header is used; otherwise, the IP address is looked up
in DNS to see if a PTR record exists.
.EXAMPLE
Get-WebSiteHostname $webSite
.EXAMPLE
Get-WebSiteHostname -Name 'Default Web Site'
.EXAMPLE
Get-Website | Get-WebSiteHostname
.LINK
Get-Website
#>
[CmdletBinding(SupportsShouldProcess = $false)]
param
(
[Parameter(ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Mandatory = $true)]
[string] $Name
)
process
{
$siteHostnames = @()
foreach ($webSiteName in $Name)
{
$bindings = Get-WebBinding -Name $Name
foreach ($binding in $bindings)
{
$bindingInfo = $binding.bindingInformation.Split(':')
$hostHeader = $bindingInfo[2]
$bindingInfoAddress = $null
$isValidIP = [System.Net.IPAddress]::TryParse($bindingInfo[0], [ref] $bindingInfoAddress)
$siteHostname = $null
if ($bindingInfo -eq '*')
{
Write-Warning "The $($webSiteName) web site has a binding address set to All Unassigned."
}
elseif ([string]::IsNullOrWhiteSpace($hostHeader) -eq $false)
{
$siteHostname = $hostHeader
Write-Verbose "The $($webSiteName) web site has a host header set to $($siteHostname)."
}
elseif ($isValidIP -eq $true)
{
$siteHostname = (Resolve-DnsName $bindingInfoAddress -DnsOnly PTR -ErrorAction SilentlyContinue).NameHost
if ($siteHostname -ne $null)
{
Write-Verbose "The $($webSiteName) web site has an IP Address $($bindingInfoAddress) that resolves to $($siteHostname)."
}
else
{
Write-Warning "The $($webSiteName) web site has an IP Address $($bindingInfoAddress) with no PTR record."
}
}
}
if ($siteHostname -ne $null)
{
$siteHostnames += $siteHostname
}
}
return $siteHostnames | Sort -Unique
}
}
Get-Website | ?{ (Get-WebConfiguration -Filter '/system.web/authentication' -PSPath $_.PSPath).mode -eq 'Windows' } | Get-WebsiteHostname | Add-BackConnectionHostname
在IIS 7.5中使用Windows身份驗證的網站上返回當前用戶
[英]Returning current user on a website with Windows Authentication in IIS 7.5
Windows 和 IIS 7.5 上的匿名身份驗證,允許內部自動登錄和外部手動登錄
[英]windows and anonymous authentication on IIS 7.5, allow auto login for internal and manual login for external
帶有 Windows 身份驗證的 IIS 網站無法在本地 Windows 10 計算機上運行
[英]IIS website with windows authentication does not run on local Windows 10 machine
ASP.Net 5身份持久身份驗證不工作IIS 7.5空閑計時器
[英]ASP.Net 5 Identity Persisted Authentication Not Working IIS 7.5 Idle Timer
使用 asmx 的簡單 helloworld WebService 在 Windows 2008 R2 IIS 7.5 上發布時不起作用
[英]Simple helloworld WebService using asmx not working when published on Windows 2008 R2 IIS 7.5
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.
相關問題
HTTP 錯誤 401.1 - 未經本地 IIS 授權
IIS 7.5 Windows集成身份驗證混亂
IIS 7.5中的MVC5與Windows身份驗證:無法登錄
在IIS 7.5中使用Windows身份驗證的網站上返回當前用戶
單擊事件不起作用IIS 7.5
Windows 和 IIS 7.5 上的匿名身份驗證,允許內部自動登錄和外部手動登錄
帶有 Windows 身份驗證的 IIS 網站無法在本地 Windows 10 計算機上運行
DLLImport調用上的IIS 7.5錯誤
ASP.Net 5身份持久身份驗證不工作IIS 7.5空閑計時器
使用 asmx 的簡單 helloworld WebService 在 Windows 2008 R2 IIS 7.5 上發布時不起作用
相關標簽