ASP.NET Web 应用程序 -> Windows 身份验证 -> IIS Express -> Kerberos 或 NTLM?
ASP.NET Web Application -> Windows Authentication -> IIS Express -> Kerberos or NTLM?
使用 Windows 身份验证创建一个新的 ASP.NET Web 应用程序描述只说 "For intranet applications"。了解更多 link 指向以下站点:
描述有以下内容:
Windows Authentication
If you select Windows Authentication, the sample application will be
configured to use the Windows Authentication IIS module for
authentication. The application will display the domain and user ID of
the Active directory or local machine account that is logged into
Windows but won't include user registration or log-in UI. This option
is intended for Intranet web sites.
Alternatively, you can create an Intranet site that uses AD
authentication by choosing the On-Premises option under Organizational
Accounts. The On-Premises option uses Windows Identity Foundation
(WIF) instead of the Windows Authentication module. Some additional
steps are required in order to set up the On-Premises option, but WIF
enables features that aren't available with the Windows Authentication
module. For example, with WIF you can configure application access in
Active Directory and query directory data.
但是我无法确定该解决方案是使用 NTLM 还是 Kerberos 身份验证?还有什么方法可以在 IIS Express 中切换它吗?我试图查看 Chrome 网络选项卡中的请求,但我没有从那里获得任何信息。
我最终使用 Fiddler 查看请求,从那里我可以看到它是 NTLM,因为需要额外的往返来验证客户端。
我没有找到为 IIS Express 启用 Kerberos 的任何好方法,但使用普通的 IIS,您可以按照本指南进行操作:
身份验证流程:
要求:
GET http://localhost:44388/ HTTP/1.1
Host: localhost:44388
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: sv-SE,sv;q=0.9,en-US;q=0.8,en;q=0.7
响应:
HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Fri, 09 Feb 2018 21:26:40 GMT
Content-Length: 6137
Proxy-Support: Session-Based-Authentication
请求 2:
GET http://localhost:44388/ HTTP/1.1
Host: localhost:44388
Connection: keep-alive
Authorization: Negotiate YIGCBgYrBgEFBQKgeDB2oDAwLgYKKwYBBAGCNwICCgYJKoZIgvcSAQICBgkqhkiG9xIBAgIGCisGAQQBgjcCAh6iQgRATlRMTVNTUAABAAAAl7II4gkACQA3AAAADwAPACgAAAAKANc6AAAAD0RFU0tUT1AtSEFLR0xTQldPUktHUk9VUA==
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: sv-SE,sv;q=0.9,en-US;q=0.8,en;q=0.7
回复 2:
HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate oYIBCzCCAQegAwoBAaEMBgorBgEEAYI3AgIKooHxBIHuTlRMTVNTUAACAAAAHgAeADgAAAAVworiD/awyYeVbOYA0680pgIAAJgAmABWAAAACgDXOgAAAA9EAEUAUwBLAFQATwBQAC0ASABBAEsARwBMAFMAQgACAB4ARABFAFMASwBUAE8AUAAtAEgAQQBLAEcATABTAEIAAQAeAEQARQBTAEsAVABPAFAALQBIAEEASwBHAEwAUwBCAAQAHgBEAEUAUwBLAFQATwBQAC0ASABBAEsARwBMAFMAQgADAB4ARABFAFMASwBUAE8AUAAtAEgAQQBLAEcATABTAEIABwAIADPF56zsodMBAAAAAA==
Date: Fri, 09 Feb 2018 21:26:40 GMT
Content-Length: 341
Proxy-Support: Session-Based-Authentication
请求 3:
GET http://localhost:44388/ HTTP/1.1
Host: localhost:44388
Connection: keep-alive
Authorization: Negotiate oXcwdaADCgEBoloEWE5UTE1TU1AAAwAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAABXCiOIKANc6AAAAD2wKVsUToYhrt08pUPhmI2WjEgQQAQAAAGDLpB1QQ6YlAAAAAA==
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: sv-SE,sv;q=0.9,en-US;q=0.8,en;q=0.7
回复 3:
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-AspNetMvc-Version: 5.2
X-AspNet-Version: 4.0.30319
Persistent-Auth: true
X-Powered-By: ASP.NET
WWW-Authenticate: Negotiate oRswGaADCgEAoxIEEAEAAACHgwE6ErQtUAAAAAA=
Date: Fri, 09 Feb 2018 21:26:40 GMT
Content-Length: 397
这有点难看,但是如果你看了第一个回复Authorization: Negotiate header,
YIGCBgYrBgEFBQKgeDB2oDAwLgYKKwYBBAGCNwICCgYJKoZIgvcSAQICBgkqhkiG9xIBAgIGCisGAQQBgjcCAh6iQgRATlRMTVNTUAABAAAAl7II4gkACQA3AAAADwAPACgAAAAKANc6AAAAD0RFU0tUT1AtSEFLR0xTQldPUktHUk9VUA==
转换为ASCII,如果包含NTLMSSP,则为NTLM。
像这样...
`?? + ?x0v?00.
+ ?7
*?H?? *?H??
+ ?7 ?B @NTLMSSP ?? ? 7 (
?: DESKTOP-HAKGLSBWORKGROUP
使用 Windows 身份验证创建一个新的 ASP.NET Web 应用程序描述只说 "For intranet applications"。了解更多 link 指向以下站点:
描述有以下内容:
Windows Authentication
If you select Windows Authentication, the sample application will be configured to use the Windows Authentication IIS module for authentication. The application will display the domain and user ID of the Active directory or local machine account that is logged into Windows but won't include user registration or log-in UI. This option is intended for Intranet web sites.
Alternatively, you can create an Intranet site that uses AD authentication by choosing the On-Premises option under Organizational Accounts. The On-Premises option uses Windows Identity Foundation (WIF) instead of the Windows Authentication module. Some additional steps are required in order to set up the On-Premises option, but WIF enables features that aren't available with the Windows Authentication module. For example, with WIF you can configure application access in Active Directory and query directory data.
但是我无法确定该解决方案是使用 NTLM 还是 Kerberos 身份验证?还有什么方法可以在 IIS Express 中切换它吗?我试图查看 Chrome 网络选项卡中的请求,但我没有从那里获得任何信息。
我最终使用 Fiddler 查看请求,从那里我可以看到它是 NTLM,因为需要额外的往返来验证客户端。
我没有找到为 IIS Express 启用 Kerberos 的任何好方法,但使用普通的 IIS,您可以按照本指南进行操作:
身份验证流程:
要求:
GET http://localhost:44388/ HTTP/1.1
Host: localhost:44388
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: sv-SE,sv;q=0.9,en-US;q=0.8,en;q=0.7
响应:
HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Fri, 09 Feb 2018 21:26:40 GMT
Content-Length: 6137
Proxy-Support: Session-Based-Authentication
请求 2:
GET http://localhost:44388/ HTTP/1.1
Host: localhost:44388
Connection: keep-alive
Authorization: Negotiate YIGCBgYrBgEFBQKgeDB2oDAwLgYKKwYBBAGCNwICCgYJKoZIgvcSAQICBgkqhkiG9xIBAgIGCisGAQQBgjcCAh6iQgRATlRMTVNTUAABAAAAl7II4gkACQA3AAAADwAPACgAAAAKANc6AAAAD0RFU0tUT1AtSEFLR0xTQldPUktHUk9VUA==
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: sv-SE,sv;q=0.9,en-US;q=0.8,en;q=0.7
回复 2:
HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate oYIBCzCCAQegAwoBAaEMBgorBgEEAYI3AgIKooHxBIHuTlRMTVNTUAACAAAAHgAeADgAAAAVworiD/awyYeVbOYA0680pgIAAJgAmABWAAAACgDXOgAAAA9EAEUAUwBLAFQATwBQAC0ASABBAEsARwBMAFMAQgACAB4ARABFAFMASwBUAE8AUAAtAEgAQQBLAEcATABTAEIAAQAeAEQARQBTAEsAVABPAFAALQBIAEEASwBHAEwAUwBCAAQAHgBEAEUAUwBLAFQATwBQAC0ASABBAEsARwBMAFMAQgADAB4ARABFAFMASwBUAE8AUAAtAEgAQQBLAEcATABTAEIABwAIADPF56zsodMBAAAAAA==
Date: Fri, 09 Feb 2018 21:26:40 GMT
Content-Length: 341
Proxy-Support: Session-Based-Authentication
请求 3:
GET http://localhost:44388/ HTTP/1.1
Host: localhost:44388
Connection: keep-alive
Authorization: Negotiate oXcwdaADCgEBoloEWE5UTE1TU1AAAwAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAABXCiOIKANc6AAAAD2wKVsUToYhrt08pUPhmI2WjEgQQAQAAAGDLpB1QQ6YlAAAAAA==
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: sv-SE,sv;q=0.9,en-US;q=0.8,en;q=0.7
回复 3:
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-AspNetMvc-Version: 5.2
X-AspNet-Version: 4.0.30319
Persistent-Auth: true
X-Powered-By: ASP.NET
WWW-Authenticate: Negotiate oRswGaADCgEAoxIEEAEAAACHgwE6ErQtUAAAAAA=
Date: Fri, 09 Feb 2018 21:26:40 GMT
Content-Length: 397
这有点难看,但是如果你看了第一个回复Authorization: Negotiate header,
YIGCBgYrBgEFBQKgeDB2oDAwLgYKKwYBBAGCNwICCgYJKoZIgvcSAQICBgkqhkiG9xIBAgIGCisGAQQBgjcCAh6iQgRATlRMTVNTUAABAAAAl7II4gkACQA3AAAADwAPACgAAAAKANc6AAAAD0RFU0tUT1AtSEFLR0xTQldPUktHUk9VUA==
转换为ASCII,如果包含NTLMSSP,则为NTLM。
像这样...
`?? + ?x0v?00.
+ ?7
*?H?? *?H??
+ ?7 ?B @NTLMSSP ?? ? 7 (
?: DESKTOP-HAKGLSBWORKGROUP