asp.net-mvc 无法通过本地 IIS 获得 Windows 身份验证
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/7387156/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Unable to get windows authentication to work through local IIS
提问by David
So I've created a new ASP.NET MVC project using the intranet template. web.config contains the appropriate values (e.g. <authentication mode="windows"/>).
所以我使用 Intranet 模板创建了一个新的 ASP.NET MVC 项目。web.config 包含适当的值(例如<authentication mode="windows"/>)。
If I fire up the web app using the VS webserver, it all looks fine - the page shows my Windows domain and username and all. However, this works in Opera and Safari as well as IE and FF, which says to me it's not using Windows auth at all (since to the best of my knowledge this doesn't work in any browser except IE/FF).
如果我使用 VS 网络服务器启动网络应用程序,一切看起来都很好 - 该页面显示了我的 Windows 域和用户名等等。但是,这在 Opera 和 Safari 以及 IE 和 FF 中都有效,这对我说它根本不使用 Windows 身份验证(据我所知,这在除 IE/FF 之外的任何浏览器中都不起作用)。
Next step is to get it working through local IIS. I create a hosts file entry pointing www.mysite.mydomain to 127.0.0.1. So in IIS I create website with a binding to www.mysite.mydomain and enable Windows authentication and disable anonymous authentication.
下一步是让它通过本地 IIS 工作。我创建了一个将 www.mysite.mydomain 指向 127.0.0.1 的主机文件条目。因此,在 IIS 中,我创建了绑定到 www.mysite.mydomain 的网站,并启用 Windows 身份验证并禁用匿名身份验证。
I have set up IE and FF to enable Windows auth as follows:
我已设置 IE 和 FF 以启用 Windows 身份验证,如下所示:
IE
IE
- Add URL to intranet group
- Ensure Windows auth is enabled in the advanced settings
- 将 URL 添加到内网组
- 确保在高级设置中启用 Windows 身份验证
FF
FF
Put 'www.mysite.mydomain' into network.automatic-ntlm-auth.trusted-uris config setting.
将“www.mysite.mydomain”放入 network.automatic-ntlm-auth.trusted-uris 配置设置中。
But when I dial up www.mysite.mydomain in IE / FF I get a login prompt. Interestingly, even when I type in my Windows login here, it still fails and shows me the login prompt again.
但是当我在 IE / FF 中拨打 www.mysite.mydomain 时,我得到一个登录提示。有趣的是,即使我在此处输入 Windows 登录信息,它仍然失败并再次显示登录提示。
We don't have active directory here but my understanding is that it should work fine with a local account.
我们这里没有活动目录,但我的理解是它应该适用于本地帐户。
I can't think of anything else I need to do. Any suggestions?
我想不出还有什么我需要做的。有什么建议?
Edit: we've recently switched to using Active Directory and the problem remains.
编辑:我们最近切换到使用 Active Directory,但问题仍然存在。
Edit: when I cancel the login prompt, I get taken to an 'IIS 7.5 Detailed Error' page with the following information:
编辑:当我取消登录提示时,我被带到一个“IIS 7.5 详细错误”页面,其中包含以下信息:
HTTP Error 401.2 - Unauthorized You are not authorized to view this page due to invalid authentication headers.**
HTTP 错误 401.2 - 未经授权 由于身份验证标头无效,您无权查看此页面。**
回答by Kevin Stricker
You have to whitelist a domain specified in the hosts file in order for windows authentication to work:
您必须将主机文件中指定的域列入白名单,以便 Windows 身份验证工作:
- Click Start, click Run, type regedit, and then click OK.
- In Registry Editor, locate the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters - Right-click Parameters, click New, and then click DWORD (32-bit) Value.
- Type
DisableStrictNameCheckingand press ENTER. - Double-click the
DisableStrictNameCheckingregistry value and type 1 in the Value data box, click OK - In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 - Right-click MSV1_0, point to New, and then click Multi-String Value.
- Type
BackConnectionHostNames, and then press ENTER. - Right-click
BackConnectionHostNames, and then click Modify. - In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
- Quit Registry Editor, and then restart the IISAdmin service.
- 单击开始,单击运行,键入 regedit,然后单击确定。
- 在注册表编辑器中,找到以下注册表项:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters - 右键单击“参数”,单击“新建”,然后单击“DWORD(32 位)值”。
- 键入
DisableStrictNameChecking并按 ENTER。 - 双击
DisableStrictNameChecking注册表值并在数值数据框中键入 1,单击确定 - 在注册表编辑器中,找到并单击以下注册表项:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 - 右键单击 MSV1_0,指向新建,然后单击多字符串值。
- 键入
BackConnectionHostNames,然后按 ENTER。 - 右键单击
BackConnectionHostNames,然后单击修改。 - 在“数值数据”框中,键入本地计算机上站点的主机名或主机名,然后单击“确定”。
- 退出注册表编辑器,然后重新启动 IISAdmin 服务。
NOTE: The original Microsoft KB links on this answer were broken and have been removed. This articleprovided the instructions for setting DisableStrictNameChecking.
注意:此答案上的原始 Microsoft KB 链接已损坏并已删除。 本文提供了设置 DisableStrictNameChecking 的说明。
回答by James Johnson
Did you try putting the domain in front of the user name?
您是否尝试将域放在用户名前面?
DOMAIN\username
If you don't have a domain account, try prefixing your username with the machine name:
如果您没有域帐户,请尝试在您的用户名前添加机器名称:
MYCOMPUTER\myusername
回答by kabaros
I recently spent three days trying to solve the same problem and it drove me crazy. It was happening on a load-balanced setup where one of the servers was authenticating correctly while the other failed. Investigating the problem - and eventually solving it - it turned out to be unrelated to the load-balanced environment, it could happen with any server when authenticating using Windows Authentication and the server is called with a name other than the one recognized by Active Directory
我最近花了三天时间试图解决同样的问题,这让我发疯了。它发生在负载平衡设置中,其中一台服务器正确进行身份验证,而另一台服务器失败。调查问题 - 并最终解决它 - 结果证明它与负载平衡环境无关,当使用 Windows 身份验证进行身份验证时,任何服务器都可能发生这种情况,并且使用 Active Directory 识别的名称以外的名称调用服务器
1. Enable Kerberos logging
1. 启用 Kerberos 日志记录
To correctly diagnose your issue, you will need to enable Kerberos logging on the machine hosting your IIS site. To do so, add the following registry entry:
要正确诊断您的问题,您需要在托管 IIS 站点的计算机上启用 Kerberos 日志记录。为此,请添加以下注册表项:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Add Registry Value LogLevelwith ValueType REG_DWORDand value 0x1.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
添加具有 ValueType REG_DWORD和值 0x1 的注册表值LogLevel。
Once you turn on logging, then you try to authenticate, you will get errors logged in your Windows Application Log. You can ignore the error KDC_ERR_PREAUTH_REQUIRED(this is just part of the handshake) but if you get the error KDC_ERR_C_PRINCIPAL_UNKNOWNthat means your AD controller doesn't recognize your server therefore you need to follow the steps below.
一旦您打开日志记录,然后您尝试进行身份验证,您将在 Windows 应用程序日志中记录错误。您可以忽略错误KDC_ERR_PREAUTH_REQUIRED(这只是握手的一部分),但如果您收到错误KDC_ERR_C_PRINCIPAL_UNKNOWN,这意味着您的 AD 控制器无法识别您的服务器,因此您需要按照以下步骤操作。
2. KDC_ERR_C_PRINCIPAL_UNKNOWN
2. KDC_ERR_C_PRINCIPAL_UNKNOWN
if you're getting KDC_ERR_C_PRINCIPAL_UNKNOWN, that means the name "mysite.mydomain.com" is different from how the AD recognizes your machine so it's unable to provide a valid kerberos ticket. In that case, you need to register a Service Principal Name (SPN) for " 'www.mysite.mydomain" on the AD.
如果您收到 KDC_ERR_C_PRINCIPAL_UNKNOWN,则意味着名称“mysite.mydomain.com”与 AD 识别您的机器的方式不同,因此无法提供有效的 kerberos 票证。在这种情况下,您需要在 AD 上为“www.mysite.mydomain”注册服务主体名称 (SPN)。
On your AD controller, run this command - you will need Domain Admin privilege:
在您的 AD 控制器上,运行此命令 - 您将需要域管理员权限:
Setspn -A HTTP/mysite.mydomain YOUR_MACHINE_HOSTNAME
3. Use a custom identity for your Application pool
3. 为您的应用程序池使用自定义身份
Finally, make you Application pool use a custom account that belongs to the Active Directory instead of using NetworkService. This can be done in advanced settings of your application pool.
最后,让您的应用程序池使用属于 Active Directory 的自定义帐户,而不是使用 NetworkService。这可以在应用程序池的高级设置中完成。
and .. voila.
和 .. 瞧。
Notes: The problem could (unlikely) be related to having multiple SPNs registered to the same machine, in that case you will need to run a command to remove duplicate SPNs, but I doubt this is the case. Also try adding a different binding to your site (that doesn't use a custom name) something like htttp://localhost:custom_port_number and see if authentication works. If it works, this is an extra indication that you're suffering from the same problem I had.
注意:问题可能(不太可能)与将多个 SPN 注册到同一台机器有关,在这种情况下,您需要运行命令来删除重复的 SPN,但我怀疑是这种情况。还可以尝试向您的站点添加不同的绑定(不使用自定义名称),例如 htttp://localhost:custom_port_number 并查看身份验证是否有效。如果它有效,这是一个额外的迹象,表明您遇到了与我相同的问题。
回答by Peter
You should check to see if you have Windows Authentication installed/enabled. That may sound weird but in IIS 7 you have to install and enable the various authentication methods. Check out http://support.microsoft.com/kb/942043/for more info, see quoted section below.
您应该检查是否安装/启用了 Windows 身份验证。这听起来可能很奇怪,但在 IIS 7 中,您必须安装并启用各种身份验证方法。查看http://support.microsoft.com/kb/942043/了解更多信息,请参阅下面引用的部分。
Cause 1
The Web application is configured to use Integrated Windows authentication. However, the Windows Authentication feature is not turned on. Or, the Integrated Windows authentication native module section of the ApplicationHost.config file or of the Web.config file is not valid. To resolve this problem, see Resolution 1.
原因 1
Web 应用程序配置为使用集成 Windows 身份验证。但是,Windows 身份验证功能未打开。或者,ApplicationHost.config 文件或 Web.config 文件的集成 Windows 身份验证本机模块部分无效。要解决此问题,请参阅解决方案 1。
Original
Usually when you try to view an asp.net web page hosted on IIS and receive a login prompt it doesn't mean your credentials weren't received or that you aren't authenticated. What it means is that the account that your website is running under doesn't have the right permissions to work with the files.
原始
通常,当您尝试查看托管在 IIS 上的 asp.net 网页并收到登录提示时,这并不意味着您的凭据未收到或您未通过身份验证。这意味着您的网站运行所在的帐户没有正确的权限来处理这些文件。
In IIS 6 and 7 you can easily change the user account that your app pool runs under. Try changing the app pool identity to an account with more access specifically designed for this. Or if you want to stick with the existing account (IUSR_? Network Service?) you can grant that account more permissions on the directory where your website is stored.
在 IIS 6 和 7 中,您可以轻松更改运行应用程序池的用户帐户。请尝试更改应用程序池标识的帐户有专门为此设计的更多的访问。或者,如果您想坚持使用现有帐户(IUSR_?网络服务?),您可以授予该帐户更多对网站存储目录的权限。
This article is specifically targeted at BizTalk but has almost no references to it and focuses on troubleshooting permissions issues with IIS and app pools: http://msdn.microsoft.com/en-us/library/aa954062.aspx
本文专门针对 BizTalk,但几乎没有提及它,重点是解决 IIS 和应用程序池的权限问题:http: //msdn.microsoft.com/en-us/library/aa954062.aspx
回答by Raul Uria
Why local IIS? Can you use local IIS Express?
为什么是本地 IIS?可以使用本地IIS Express吗?
If so, try this. It seems that IIS Express by default has Windows Authentication set to false.
如果是这样,试试这个。看来,IIS快递默认有Windows身份验证设置为false。
Change
改变
<windowsAuthentication enabled="false">
to "true" in applicationhost.config file (under 'C:\Users[Profile]\Documents\IISExpress\config' folder). This works for me.
applicationhost.config 文件中的“true”(在“C:\Users[Profile]\Documents\IISExpress\config”文件夹下)。这对我有用。
回答by Espen Burud
To ensure that IIS uses Windows Authentication, I think you should try to turn of other authtentication methods. If Anonymous Authentication is enabled, Windows authentication will not work. You can also read this Microsoft Support Articlewhich describes IE and IIS requirements in details.
为了确保IIS使用Windows身份验证,我认为您应该尝试关闭其他身份验证方法。如果启用匿名身份验证,Windows 身份验证将不起作用。您还可以阅读这篇Microsoft 支持文章,其中详细描述了 IE 和 IIS 要求。
回答by Rakesh Karthik
I got this error when I enabled Windows authentication. I wanted to authorize the user based on Windows login and there is no login page in my application.
启用 Windows 身份验证时出现此错误。我想根据 Windows 登录授权用户,但我的应用程序中没有登录页面。
I got the error fixed by adding the below in my Web configfile.
Under the tag system.web, I changed authentication mode="None"to
authentication mode="Forms".
我通过在我的Web config文件中添加以下内容来修复错误。根据标签system.web,我换authentication mode="None"到
authentication mode="Forms"。
Under the tag appSettings, I added add key="owin:AutomaticAppStartup" value="false"
在标签下appSettings,我添加了add key="owin:AutomaticAppStartup" value="false"
回答by Roland
After reading the answer of Espen Burud, I solved my problem by changing in the root's web.config:
阅读 Espen Burud 的答案后,我通过更改根目录的 web.config 解决了我的问题:
<allow users="*" />
to
到
<deny users="?" />
The page that needs Windows Authentication is not in the root, but in a sub directory with its own web.config with deny users ?but that did not make Windows Authentication working. Apparently, you need to deny users in the root for that to work.
需要 Windows 身份验证的页面不在根目录中,而是在具有自己的 web.config 的子目录中,deny users ?但这并没有使 Windows 身份验证工作。显然,您需要拒绝 root 中的用户才能使其工作。
The IIS config has Anonymous Authentication enabled; that did not matter. After the above change of web.config, Windows Authentication worked.
IIS 配置启用了匿名身份验证;没关系。在 web.config 的上述更改后,Windows 身份验证工作。
回答by RichieMN
For Dot Net Core 2.2 and running on IIS, I was having issues with 401.2 Unauthorized when I would check the Enable Windows Authentication within my application. It was a exceedingly simple test website that did basically nothing, just to try and get windows authentication to work. I finally got the auth to work, and here's what you'll need:
对于在 IIS 上运行的 Dot Net Core 2.2,当我检查应用程序中的启用 Windows 身份验证时,我遇到了 401.2 Unauthorized 的问题。这是一个非常简单的测试网站,基本上什么都不做,只是为了尝试让 Windows 身份验证工作。我终于获得了工作授权,这是您需要的:
Within Startup ConfigureServices:
在启动配置服务中:
services.AddAuthentication(IISDefaults.AuthenticationScheme);
Open the application's Properties, click Debug option on the left and make sure you check Enable Windows Authentication.
打开应用程序的属性,单击左侧的调试选项并确保选中启用 Windows 身份验证。
But here's the kicker that I had forgotten... Configure your system to have Windows Authentication installed on IIS. This was never setup on my machine, and regardless what I did, I would always get a 401 unauthorized error. After installing this (Win 10, IIS v10.0.18362.1) I now get a login prompt. This isn't exactly what I need at this point, but at least it's not the unauthorized error. Good luck and hopefully this helps.
但这是我忘记的关键... 配置您的系统以在 IIS 上安装 Windows 身份验证。这从未在我的机器上设置过,无论我做了什么,我总是会收到 401 未经授权的错误。安装这个(Win 10,IIS v10.0.18362.1)后,我现在得到一个登录提示。这不是我此时所需要的,但至少它不是未经授权的错误。祝你好运,希望这会有所帮助。
