Kerberos，模拟会导致500错误

Question

尝试让kerberos工作。

查看wireshark输出，将Windows用户名传递给我的测试脚本，但是当我在IIS中打开模拟时，我收到500内部服务器错误。

脚本如下：

<%@ Page Language="C#" Debug="true" %>
<%@ Import Namespace="System.Net" %>
<%
WebClient client = new WebClient();
string downloadString = client.DownloadString("http://10.6.2.117/DEV/api/1.5.12077.001/en-GB/8/56/Incident/GetList?%24id=1&StartIndex=0&PageLength=10");

Response.Write(downloadString);
%>

我可以通过浏览器直接访问网址，没有任何问题。

关闭模拟后，我得到以下wireshark输出（第8行显示用户名）：

"1","0.000000","10.21.4.3","10.6.2.105","TCP","66","59546 → 7001 [SYN] Seq=0 Win=65535 Len=0 MSS=1260 WS=256 SACK_PERM=1"
"2","0.000092","10.6.2.105","10.21.4.3","TCP","66","7001 → 59546 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1"
"3","0.017328","10.21.4.3","10.6.2.105","TCP","60","59546 → 7001 [ACK] Seq=1 Ack=1 Win=262144 Len=0"
"4","0.019120","10.21.4.3","10.6.2.105","HTTP","404","GET /test.aspx HTTP/1.1 , NTLMSSP_NEGOTIATE"
"5","0.104296","10.6.2.105","10.21.4.3","HTTP","1940","HTTP/1.1 401 Unauthorized , NTLMSSP_CHALLENGE (text/html)"
"6","0.123311","10.21.4.3","10.6.2.105","TCP","60","59546 → 7001 [ACK] Seq=351 Ack=1261 Win=262144 Len=0"
"7","0.123314","10.21.4.3","10.6.2.105","TCP","60","59546 → 7001 [ACK] Seq=351 Ack=1887 Win=261376 Len=0"
"8","0.125557","10.21.4.3","10.6.2.105","HTTP","624","GET /test.aspx HTTP/1.1 , NTLMSSP_AUTH, User: EMEA\xxxxxx"
"9","0.183273","10.6.2.105","10.21.4.3","TCP","3834","[TCP segment of a reassembled PDU]"
"10","0.203950","10.21.4.3","10.6.2.105","TCP","60","59546 → 7001 [ACK] Seq=921 Ack=3147 Win=262144 Len=0"
"11","0.203953","10.21.4.3","10.6.2.105","TCP","60","59546 → 7001 [ACK] Seq=921 Ack=4407 Win=262144 Len=0"
"12","0.203955","10.21.4.3","10.6.2.105","TCP","60","59546 → 7001 [ACK] Seq=921 Ack=5667 Win=262144 Len=0"
"13","0.204018","10.6.2.105","10.21.4.3","HTTP","2389","HTTP/1.1 500 Internal Server Error  (text/html)"
...

打开模仿，我得到（第4行 - 没有用户名）：

"1","0.000000","10.21.4.3","10.6.2.105","TCP","66","59648 → 7001 [SYN] Seq=0 Win=65535 Len=0 MSS=1260 WS=256 SACK_PERM=1"
"2","0.000111","10.6.2.105","10.21.4.3","TCP","66","7001 → 59648 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1"
"3","0.018178","10.21.4.3","10.6.2.105","TCP","60","59648 → 7001 [ACK] Seq=1 Ack=1 Win=262144 Len=0"
"4","0.019833","10.21.4.3","10.6.2.105","HTTP","404","GET /test.aspx HTTP/1.1 , NTLMSSP_NEGOTIATE"
"5","0.111015","10.6.2.105","10.21.4.3","HTTP","1466","HTTP/1.1 500 Internal Server Error  (text/html)"
...

任何帮助将不胜感激

Answer 1

在经过多次摆弄和六位工作人员的参与后，我们最终到达那里。

所以，如果它对其他人有用，这里有一些有用的发现：

1. 确保FQDN用于所有URL，即客户端浏览器中的URL，以及第一个Web服务器调用的URL到第二个。

2. IIS应用程序池设置：

   • 托管渠道=集成
   • Identity = ApplicationPoolIdentity（其他选项也可以使用）

3. IIS身份验证设置：

   • 匿名身份验证=已停用
   • ASP .NET Impersonation =已启用
   • 基本身份验证=已停用
   • 表单身份验证=已禁用
   • Windows身份验证=已启用
     • 高级设置：
     • 扩展保护=关闭
     • 启用内核模式身份验证=关闭
     • 提供商：必须按此顺序排列。不要只启用“协商”选项。
       • 协商：Kerberos的
       • NTLM

最后，一个不同的测试脚本：

<%@ Page Language="C#" Debug="true" %>
<%@ Import Namespace="System.Net" %>
<%@ Import Namespace="System.IO" %>
<%
// The service we wish to consume
string uri = "http://eu9992k8dvweb01.emea.world.net/DEV/api/1.5.12077.001/en-GB/8/56/Incident/GetList?StartIndex=0&PageLength=10";

//Create web request
HttpWebRequest req = (HttpWebRequest)WebRequest.Create(uri);  

//Create credential cache
CredentialCache myCredCache = new CredentialCache();
myCredCache.Add(new Uri(uri), "Negotiate", (NetworkCredential)CredentialCache.DefaultCredentials);

//Add credentials to web request
req.Credentials = myCredCache;
req.Proxy = null;

// create somewhere for the response to go
HttpWebResponse httpResponse = null;

// now use the request
try
{
    // get the requested page
    httpResponse = (HttpWebResponse)req.GetResponse();

    // output what was returned
    using (StreamReader streamReader = new StreamReader(httpResponse.GetResponseStream()))
    {
        Response.Write(streamReader.ReadToEnd());
    }
}
finally
{
    // close the response object
    if (httpResponse != null)
        httpResponse.Close();
}
%>