ASP.NET Windows authentication deny access from RDP user
I set up a web application from the VS template (MVC) and then enabled Windows authentication.
<authentication mode="Windows" />
<authorization>
  <allow roles="ABC\Domain Users" />
  <deny users="*" />
</authorization>
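Then I published the web application to an IIS server.
It works fine: when the application's index page is requested from a client computer, it logs in automatically, using the following link: http://myteamserver.mycompany/myapplication.
Tested using IE.
But if I RDP to the server (\myteamserver.mycompany, which hosts IIS) and open the same link in IE, it keeps prompting for credentials even when the correct credentials are entered, and I am denied access.
Error message: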
HTTP Error 401.2 - Unauthorized
You are not authorized to view this page due to invalid authentication headers.
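Question: What is the difference between running IE on the client computer and IE on the server?
I checked the IE settings on the server; "Enable Integrated Windows Authentication" is checked. I also connected via RDP to another server, and from there I can access the web application without any problem.
It turned out to be a Windows security feature:
Symptoms: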
When you use the fully qualified domain name (FQDN) or a custom host header to browse a local Web site that is hosted on a computer that is running Microsoft Internet Information Services (IIS) 5.1 or a later version, you may receive an error message that resembles the following: HTTP 401.1 - Unauthorized: Logon Failed
This issue occurs when the Web site uses Integrated Authentication and has a name that is mapped to the local loopback address.
Note You only receive this error message if you try to browse the Web site directly on the server. If you browse the Web site from a client computer, the Web site works as expected.
Cause:
.. a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.
If I use localhost or the IP instead of the FQDN, it works.
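For the loopback check quoted in the answer above, this added example (not part of the original post) audits the setting on the IIS server and allows only the one host name from the question instead of turning the check off for every name. The registry values `DisableLoopbackCheck` and `BackConnectionHostNames` are the ones Windows uses for this check and do not appear in the post; the function names are hypothetical.

```powershell
# Added example, not from the original post. Run elevated on the IIS server.
$hostName = 'myteamserver.mycompany'   # host name taken from the question's URL
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msvKey   = Join-Path $lsaKey 'MSV1_0'

function Get-LoopbackCheckState {
    # DisableLoopbackCheck = 1 switches the reflection protection off for ALL names.
    $disabled = (Get-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck `
                 -ErrorAction SilentlyContinue).DisableLoopbackCheck
    # BackConnectionHostNames (REG_MULTI_SZ) lists names exempt from the check.
    $names = @((Get-ItemProperty -Path $msvKey -Name BackConnectionHostNames `
                -ErrorAction SilentlyContinue).BackConnectionHostNames |
               Where-Object { $_ })
    [pscustomobject]@{
        CheckDisabled    = ($disabled -eq 1)
        AllowedHostNames = $names
    }
}

function Add-BackConnectionHostName([string]$Name) {
    $current = @((Get-LoopbackCheckState).AllowedHostNames)
    if ($current -contains $Name) { return $false }   # already listed, no change
    $updated = $current + $Name
    # -Force creates the value or overwrites it with the extended list.
    New-ItemProperty -Path $msvKey -Name BackConnectionHostNames `
        -PropertyType MultiString -Value $updated -Force | Out-Null
    return $true
}

$state = Get-LoopbackCheckState
if ($state.CheckDisabled) {
    Write-Warning 'DisableLoopbackCheck is 1: the loopback check is off for every host name.'
}
Write-Output ("Exempt host names before change: " + ($state.AllowedHostNames -join ', '))

if (Add-BackConnectionHostName $hostName) {
    Write-Output "Added $hostName to BackConnectionHostNames; restart the computer to apply."
} else {
    Write-Output "$hostName is already listed; nothing changed."
}
```

Listing a single name keeps the reflection protection in place for every other host header that maps to the loopback address.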