HTTP.sys Kerberos authentication fails with a 401 code

Time: 2019-04-08 14:44:09

Tags: authentication active-directory kerberos windows-authentication http.sys

I have a web application running on Windows Server 2016. In this application I use HTTP.sys with Negotiate authentication enabled. I have also configured Active Directory, and when I go to the site I see the web browser obtain a Kerberos ticket and send it to the server.

This is the ticket my client sent to the server

Negotiate YIIGXQYGKwYBBQUCoIIGUTCCBk2gMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBhcEggYTYIIGDwYJKoZIhvcSAQICAQBuggX+MIIF+qADAgEFoQMCAQ6iBwMFACAAAACjggSlYYIEoTCCBJ2gAwIBBaENGwtURVNUSU5HLkNPTaIeMBygAwIBAqEVMBMbBEhUVFAbC3Rlc3RpbmcuY29to4IEZTCCBGGgAwIBF6EDAgEBooIEUwSCBE/R/HCZKt14z4a61a6lLbfWAAgnZULHgxR+q7LepzlA9Ui9cLc4m+Gz13oDsdaaUuEXsk0SofRV34kCPDnjA4uesKxsj0ehf7KbDtDuWwjWbDsOhNXkB9iAoeyJaei33TKarQ/nLB0PqzObJe4GFZ950+Ex/9SFVnZtJkuyIAqnvYmlvTlOGE/6alIAOmaB/LGkMbXNNTtMp9UVmeWr3SaYnSdvG+uyQ6Pg9YsiTDP4nOZGxDyS13TIWju68BCDSQy4OwsQOpKDJxyx/Sjw4I9+LRxH2FQWGIFhdfTYw0/dJFlqDKh7mT7vy7O5Y4ugbcIQdCqpw0SRW4QhLZp34p4C6NSGdGovdSQvmrnMtDTqHIAY03fkiM/CdErgyPLLMwBFdvg/5CKACvqjmvB395b5l7asCUNFUU2JY61eJGNBnUou+TLqiKQ9+WV2++blTWHmM4VF0tmm0IoK60V1WJW/WYKWR9oLXiEkldy3c+Fye5qn/8qCdaZ/uf2SRQfobuNs3ZPeAw03ITMv5sKs6+qaCYAGSO4Krf8/uPQ5Z/oFE9VuTZQLpkqRzDMPsETEw9SYNZDuyIs9ygo6SPhjH5/e4tF8lJnydwMKmu+hnuaR9k603ZzdceoeaSib1rEW0N2lDbXlr3AGk8Fei2cxlJ/HvjFGNM2E+56L0SB/60Zye1LaitbwtaNmv0T+/3t/vkgQs56bSgIciIblccfwnNTiOdk2AsDjsnbwxO1rX7w+0m+KLPE2JZdVMcwK9qp7VSbZxhIIb7KHs//aBF2lNmGcuiIAI0zGhz3+OOJY3iLY4ILnqWdxZSuhxbSqdc3pwqADJpEDwtuop3FU7aeXggZb9FnPsnD6427uUJa3URf6ez/+81VPl8uZtyXJhEaurVsE476ovcdmFjlJDigys6qeVx5onajMGsj2oyscmbZzu7jBgajO/hdFU0YiJ6nU4lzkVO+FQLt653IJ+9IhPSCrldRPfb1U8G99GrWXDt709t3gWh3xRv9wE5eSDZZMkdz8RXTyG7EvPf3iBxzQJCMnR8ww1n6UA+IO9oqp0KRxuzcY7und5NEaseX9XQ5nxAdtaemq+SzK3nXVv1Fe4IepAJFM19ahrdt3zeAsJCgUbPlFYC9Vt9AGgwxgSIYOR00Atr2T29lrphhkq5xB3T5qkh8Yyiso95AsYAcjTNg5JIDzh7jfawDJvzkbwfYu1mLNzMuk28JNHIizk7Rx28r/pvf58De3qMvkvPOg+MkNOdqUdnVpLbk/pVver2VGJsoDkEqi0iZNL3u7wh59akp/Xb3XlxlrEVn1YIC9R+S59WigryrVkEn5V084VuEa3H2dv73i9/9Y+XLwZKfuyk08mta2+SudsztJ3HZwxZjj8gO5huZTRMS+W1VOselbEbE5ELHd3lctzd95jwpFTH11ZFY8hUqY4iGTytWqX9L5dtsI4no7/2oWIhs+vOgCKaSCATowggE2oAMCAReiggEtBIIBKfQ2v/IAW0nX32RRVsIGhcFG0OPJ86br4RuxUkHxZPEgNu4/vCKo5tc5AJOw7MxtN6H6nGjb9bxWtxVr41ht2thsH1aPf2Q+ytTb+4GHKLdJ4eTGNigBSW6mqkpYUdI4gA1nUdXrTxDPdv3EQGrCw8kF46M0LyX+/nSTxlIwUjSSAxKpUVkHgRo0h8bQHet7kEwKc+aDA+I21oi0UTRHP53V/BEcB+aUemLMNaRlb/rgTk7Hrc1bfED89GriTxwW4G4u6d+zb/2HW0VEq8/4RG5+BNQbGzEpem9PpLy8acrSCexhOMfi0qmoXjnZYIeliLvG1afBISf2wIFWZgOMVIRCVVqgvSHpThDbTosmktOUgN1mTv8dVjiEtd9bGZG8xvUxjVFj9kCTCg==
Negotiate ...

After the second ticket is sent to the server, I get a response with a 401 error.

I used Network Monitor and KerberosAuthenticationTester.exe to troubleshoot. They didn't help, though.

I think I am running into trouble with http.sys kernel-mode authentication. I know http.sys runs under the SYSTEM account and that I must register an SPN for it, but I don't know how to find out its name.

So I have two main questions. First, how do I register an SPN for Kerberos kernel-mode authentication? Second, how do I troubleshoot this kind of problem? I can't find any way to view logs of the http.sys ticket validation process.

This is the list of all SPNs registered in my domain

Object Name =  WIN-7371PG2MFIQ
DN      =       CN=WIN-7371PG2MFIQ,OU=Domain Controllers,DC=testing,DC=com
Object Cat. =  CN=Computer,CN=Schema,CN=Configuration,DC=testing,DC=com
servicePrincipalNames
SPN( 1 )   =       ldap/WIN-7371PG2MFIQ.testing.com/testing.com
SPN( 2 )   =       Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/WIN-7371PG2MFIQ.testing.com
SPN( 3 )   =       ldap/WIN-7371PG2MFIQ.testing.com/ForestDnsZones.testing.com
SPN( 4 )   =       ldap/WIN-7371PG2MFIQ.testing.com/DomainDnsZones.testing.com
SPN( 5 )   =       TERMSRV/WIN-7371PG2MFIQ
SPN( 6 )   =       TERMSRV/WIN-7371PG2MFIQ.testing.com
SPN( 7 )   =       DNS/WIN-7371PG2MFIQ.testing.com
SPN( 8 )   =       GC/WIN-7371PG2MFIQ.testing.com/testing.com
SPN( 9 )   =       RestrictedKrbHost/WIN-7371PG2MFIQ.testing.com
SPN( 10 )   =       RestrictedKrbHost/WIN-7371PG2MFIQ
SPN( 11 )   =       RPC/7f8d73cf-6d4c-4ba0-9fc1-fcadbdb48035._msdcs.testing.com
SPN( 12 )   =       HOST/WIN-7371PG2MFIQ/TESTING
SPN( 13 )   =       HOST/WIN-7371PG2MFIQ.testing.com/TESTING
SPN( 14 )   =       HOST/WIN-7371PG2MFIQ
SPN( 15 )   =       HOST/WIN-7371PG2MFIQ.testing.com
SPN( 16 )   =       HOST/WIN-7371PG2MFIQ.testing.com/testing.com
SPN( 17 )   =       E3514235-4B06-11D1-AB04-00C04FC2DCD2/7f8d73cf-6d4c-4ba0-9fc1-fcadbdb48035/testing.com
SPN( 18 )   =       ldap/WIN-7371PG2MFIQ/TESTING
SPN( 19 )   =       ldap/7f8d73cf-6d4c-4ba0-9fc1-fcadbdb48035._msdcs.testing.com
SPN( 20 )   =       ldap/WIN-7371PG2MFIQ.testing.com/TESTING
SPN( 21 )   =       ldap/WIN-7371PG2MFIQ
SPN( 22 )   =       ldap/WIN-7371PG2MFIQ.testing.com

Object Name =  DESKTOP-8727TGP
DN      =       CN=DESKTOP-8727TGP,CN=Computers,DC=testing,DC=com
Object Cat. =  CN=Computer,CN=Schema,CN=Configuration,DC=testing,DC=com
servicePrincipalNames
SPN( 1 )   =       TERMSRV/DESKTOP-8727TGP
SPN( 2 )   =       TERMSRV/DESKTOP-8727TGP.testing.com
SPN( 3 )   =       RestrictedKrbHost/DESKTOP-8727TGP
SPN( 4 )   =       HOST/DESKTOP-8727TGP
SPN( 5 )   =       RestrictedKrbHost/DESKTOP-8727TGP.testing.com
SPN( 6 )   =       HOST/DESKTOP-8727TGP.testing.com

Object Name =  containerhost
DN      =       CN=containerhost,CN=Managed Service Accounts,DC=testing,DC=com
Object Cat. =  CN=ms-DS-Group-Managed-Service-Account,CN=Schema,CN=Configuration,DC=testing,DC=com
servicePrincipalNames
SPN( 1 )   =       HTTP/containerhost1.domain.test

Object Name =  Admin
DN      =       CN=Admin,CN=Users,DC=testing,DC=com
Object Cat. =  CN=Person,CN=Schema,CN=Configuration,DC=testing,DC=com
servicePrincipalNames
SPN( 1 )   =       http/testing.com

Object Name =  krbtgt
DN      =       CN=krbtgt,CN=Users,DC=testing,DC=com
Object Cat. =  CN=Person,CN=Schema,CN=Configuration,DC=testing,DC=com
servicePrincipalNames
SPN( 1 )   =       kadmin/changepw
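
An added example, not code from the question or the answer, for the troubleshooting half of the question: there is no log to read on the HTTP.sys side, but the Authorization: Negotiate value the browser sent is itself evidence. The first part of a Kerberos AP-REQ (ticket realm and service principal name, the sname) is not encrypted, so the token can be decoded client-side and compared with what setspn -Q reports. The script below walks the DER structure, descends into the SPNEGO mechToken, and skips encrypted parts; the sample token it builds is constructed for the demonstration (dummy ciphertext; only the SPNEGO and Kerberos OIDs and the realm/SPN taken from the question are real values).

```powershell
# Added example; not code from the original question or answer.
# Decodes the base64 after "Authorization: Negotiate " and reports the realm and
# service principal name (sname) from the Kerberos ticket inside the SPNEGO token.
# Only the unencrypted part of the AP-REQ is read, so no key is needed.

function Read-DerTlv {
    # One tag-length-value header: returns tag, content offset/length and the offset after it.
    param([byte[]]$Bytes, [int]$Pos)
    $tag = $Bytes[$Pos]
    $b   = $Bytes[$Pos + 1]
    if ($b -lt 0x80) { $len = [int]$b; $start = $Pos + 2 }
    else {
        $n = $b -band 0x7F; $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor $Bytes[$Pos + 2 + $i] }
        $start = $Pos + 2 + $n
    }
    [pscustomobject]@{ Tag = $tag; Start = $start; Length = $len; Next = $start + $len }
}

function Get-DerGeneralStrings {
    # Depth-first walk collecting GeneralString (0x1B) values. Descends into constructed
    # elements and into an OCTET STRING only when it holds exactly one [APPLICATION 0]
    # GSS token (the SPNEGO mechToken); encrypted-part OCTET STRINGs are skipped.
    param([byte[]]$Bytes, [int]$Pos, [int]$End,
          [System.Collections.Generic.List[string]]$Found)
    while ($Pos -lt $End) {
        $e = Read-DerTlv $Bytes $Pos
        if (($e.Tag -band 0x20) -ne 0) {
            Get-DerGeneralStrings $Bytes $e.Start $e.Next $Found
        } elseif ($e.Tag -eq 0x1B) {
            $Found.Add([System.Text.Encoding]::ASCII.GetString($Bytes, $e.Start, $e.Length))
        } elseif ($e.Tag -eq 0x04 -and $e.Length -ge 6 -and $Bytes[$e.Start] -eq 0x60) {
            $inner = Read-DerTlv $Bytes $e.Start
            if ($inner.Next -eq $e.Next) {   # ciphertext that merely starts with 0x60 fails this
                Get-DerGeneralStrings $Bytes $inner.Start $inner.Next $Found
            }
        }
        $Pos = $e.Next
    }
}

function Get-KerberosTarget {
    param([string]$NegotiateToken)   # the base64 value after "Negotiate "
    $bytes = [Convert]::FromBase64String($NegotiateToken.Trim())
    $found = New-Object System.Collections.Generic.List[string]
    Get-DerGeneralStrings $bytes 0 $bytes.Length $found
    if ($found.Count -lt 2) { throw 'No Kerberos AP-REQ found in this Negotiate token (NTLM?)' }
    # In the AP-REQ plaintext the first GeneralString is the ticket realm; the rest
    # are the sname components, e.g. HTTP and testing.com.
    $parts = $found.ToArray()
    [pscustomobject]@{ Realm = $parts[0]; Spn = ($parts[1..($parts.Length - 1)] -join '/') }
}

# --- Constructed sample token (same structure as the real one, dummy ciphertext) ---
function New-Der([int]$Tag, [byte[]]$Content) {
    $n = $Content.Length
    if ($n -lt 0x80)      { $hdr = @($Tag, $n) }
    elseif ($n -lt 0x100) { $hdr = @($Tag, 0x81, $n) }
    else                  { $hdr = @($Tag, 0x82, ($n -shr 8), ($n -band 0xFF)) }
    [byte[]]($hdr + $Content)
}
function DInt([int]$v)    { New-Der 0x02 ([byte[]]@($v)) }                              # INTEGER < 128
function DStr([string]$s) { New-Der 0x1B ([System.Text.Encoding]::ASCII.GetBytes($s)) } # GeneralString

function New-SampleNegotiateToken {
    $krb5Oid   = [byte[]](0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02)  # 1.2.840.113554.1.2.2
    $spnegoOid = [byte[]](0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02)                  # 1.3.6.1.5.5.2
    $nameStr = New-Der 0x30 ((DStr 'HTTP') + (DStr 'testing.com'))
    $sname   = New-Der 0x30 ((New-Der 0xA0 (DInt 2)) + (New-Der 0xA1 $nameStr))
    # enc-part whose fake ciphertext begins 60 82: must not be mistaken for a nested token
    $cipher  = New-Der 0x04 ([byte[]](0x60,0x82,0xde,0xad,0xbe,0xef))
    $encPart = New-Der 0x30 ((New-Der 0xA0 (DInt 23)) + (New-Der 0xA1 (DInt 1)) + (New-Der 0xA2 $cipher))
    $ticket  = New-Der 0x61 (New-Der 0x30 ((New-Der 0xA0 (DInt 5)) + (New-Der 0xA1 (DStr 'TESTING.COM')) +
                                           (New-Der 0xA2 $sname) + (New-Der 0xA3 $encPart)))
    $authn   = New-Der 0x30 ((New-Der 0xA0 (DInt 23)) + (New-Der 0xA2 (New-Der 0x04 ([byte[]](1,2,3,4)))))
    $apOpts  = [byte[]](0x03,0x05,0x00,0x20,0x00,0x00,0x00)
    $apReq   = New-Der 0x6E (New-Der 0x30 ((New-Der 0xA0 (DInt 5)) + (New-Der 0xA1 (DInt 14)) +
                                           (New-Der 0xA2 $apOpts) + (New-Der 0xA3 $ticket) + (New-Der 0xA4 $authn)))
    $gss     = New-Der 0x60 ($krb5Oid + [byte[]](0x01,0x00) + $apReq)            # 01 00 = KRB_AP_REQ token id
    $negInit = New-Der 0x30 ((New-Der 0xA0 (New-Der 0x30 $krb5Oid)) + (New-Der 0xA2 (New-Der 0x04 $gss)))
    $token   = [byte[]](New-Der 0x60 ($spnegoOid + (New-Der 0xA0 $negInit)))
    [Convert]::ToBase64String($token)
}

Get-KerberosTarget (New-SampleNegotiateToken)
# For a real request: Get-KerberosTarget -NegotiateToken $valueCopiedFromTheHeader
```

If the SPN this prints is held by a user object (as setspn -Q shows here) rather than by the computer account of the host that runs HTTP.sys, the server cannot decrypt the ticket and answers 401, which matches what the question describes. If the Negotiate value does not decode to an AP-REQ at all, the browser fell back to NTLM and the problem is upstream of the SPN.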

1 answer:

Answer 0: (score: 0)

You have attached the SPN to the Admin user. Kerberos works by encrypting the ticket to the key (password) of the principal (user) the SPN is attached to. That means it is encrypted to the Admin user.

Object Name =  Admin
DN      =       CN=Admin,CN=Users,DC=testing,DC=com
Object Cat. =  CN=Person,CN=Schema,CN=Configuration,DC=testing,DC=com
servicePrincipalNames
SPN( 1 )   =       http/testing.com

Your IIS server does not know the user's password, so it cannot decrypt the ticket.

What you need to do is remove the SPN from the Admin user and add it to the machine principal that runs IIS. Note that it must be removed first before it can be added to another principal.
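
The fix described in the answer, as an added PowerShell example (not part of the original answer). It assumes the computer account of the server running HTTP.sys is named WEBSRV01; the question does not name that host, so substitute your own. Run it from an elevated prompt as a domain administrator; setspn and klist ship with Windows.

```powershell
# Added example; not from the original answer. Moves http/testing.com off the Admin
# user and onto the computer account of the HTTP.sys host, then verifies the result.
# ASSUMPTION: the web server's computer account is WEBSRV01 (the question does not name it).

$spn      = 'HTTP/testing.com'   # what the browser requests: HTTP/<host name in the URL>
$oldOwner = 'Admin'              # user object currently holding the SPN (per setspn output above)
$server   = 'WEBSRV01'           # computer account of the HTTP.sys host (assumed name)

# 1. Confirm who holds the SPN now. The lookup is case-insensitive, so http/ and HTTP/ match.
setspn -Q $spn

# 2. Remove it from the user FIRST. An SPN may exist on only one account, and as long as
#    it sits on Admin the KDC keeps encrypting service tickets to Admin's password.
setspn -D $spn $oldOwner

# 3. Register it on the computer account. Kernel-mode HTTP.sys authentication (and any
#    app pool running as LocalSystem / Network Service) decrypts with the computer
#    account's key. -S checks for duplicates before adding.
setspn -S $spn $server

# 4. Verify: no duplicate SPNs anywhere in the forest, and the computer object lists it.
setspn -X
setspn -L $server

# 5. Optional, on the web server: log Kerberos errors to the System event log
#    (source "Kerberos") so future failures are visible without a packet capture.
$krbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
New-ItemProperty -Path $krbParams -Name LogLevel -PropertyType DWord -Value 1 -Force | Out-Null

# 6. On the client: throw away cached tickets and request a fresh service ticket for
#    the SPN, then reload the site. The ticket now comes encrypted to WEBSRV01$.
klist purge
klist get $spn
```

Step 2 before step 3 is the ordering the answer insists on: setspn -S refuses to create a duplicate, and a duplicate SPN breaks Kerberos for both accounts (the KDC cannot tell which key to use). The klist get in step 6 must succeed before the browser is retried; if it fails with a KDC error, the problem is still on the directory side, not in HTTP.sys.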