Kerberos, impersonate导致500错误
本文关键字:错误 导致 impersonate Kerberos | 更新日期: 2023-09-27 17:52:13
试图让kerberos工作。
查看wireshark输出,windows用户名传递给我的测试脚本,但是当我在IIS中打开impersonate时,我得到一个500内部服务器错误。
脚本如下:
<%@ Page Language="C#" Debug="true" %>
<%@ Import Namespace="System.Net" %>
<%
WebClient client = new WebClient();
string downloadString = client.DownloadString("http://10.6.2.117/DEV/api/1.5.12077.001/en-GB/8/56/Incident/GetList?%24id=1&StartIndex=0&PageLength=10");
Response.Write(downloadString);
%>
我可以通过浏览器直接访问url,没有问题。
关闭impersonate后,我得到以下wireshark输出(第8行显示用户名):
"1","0.000000","10.21.4.3","10.6.2.105","TCP","66","59546 → 7001 [SYN] Seq=0 Win=65535 Len=0 MSS=1260 WS=256 SACK_PERM=1"
"2","0.000092","10.6.2.105","10.21.4.3","TCP","66","7001 → 59546 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1"
"3","0.017328","10.21.4.3","10.6.2.105","TCP","60","59546 → 7001 [ACK] Seq=1 Ack=1 Win=262144 Len=0"
"4","0.019120","10.21.4.3","10.6.2.105","HTTP","404","GET /test.aspx HTTP/1.1 , NTLMSSP_NEGOTIATE"
"5","0.104296","10.6.2.105","10.21.4.3","HTTP","1940","HTTP/1.1 401 Unauthorized , NTLMSSP_CHALLENGE (text/html)"
"6","0.123311","10.21.4.3","10.6.2.105","TCP","60","59546 → 7001 [ACK] Seq=351 Ack=1261 Win=262144 Len=0"
"7","0.123314","10.21.4.3","10.6.2.105","TCP","60","59546 → 7001 [ACK] Seq=351 Ack=1887 Win=261376 Len=0"
"8","0.125557","10.21.4.3","10.6.2.105","HTTP","624","GET /test.aspx HTTP/1.1 , NTLMSSP_AUTH, User: EMEA'xxxxxx"
"9","0.183273","10.6.2.105","10.21.4.3","TCP","3834","[TCP segment of a reassembled PDU]"
"10","0.203950","10.21.4.3","10.6.2.105","TCP","60","59546 → 7001 [ACK] Seq=921 Ack=3147 Win=262144 Len=0"
"11","0.203953","10.21.4.3","10.6.2.105","TCP","60","59546 → 7001 [ACK] Seq=921 Ack=4407 Win=262144 Len=0"
"12","0.203955","10.21.4.3","10.6.2.105","TCP","60","59546 → 7001 [ACK] Seq=921 Ack=5667 Win=262144 Len=0"
"13","0.204018","10.6.2.105","10.21.4.3","HTTP","2389","HTTP/1.1 500 Internal Server Error (text/html)"
...
打开impersonate后,我得到(第4行-没有用户名):
"1","0.000000","10.21.4.3","10.6.2.105","TCP","66","59648 → 7001 [SYN] Seq=0 Win=65535 Len=0 MSS=1260 WS=256 SACK_PERM=1"
"2","0.000111","10.6.2.105","10.21.4.3","TCP","66","7001 → 59648 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1"
"3","0.018178","10.21.4.3","10.6.2.105","TCP","60","59648 → 7001 [ACK] Seq=1 Ack=1 Win=262144 Len=0"
"4","0.019833","10.21.4.3","10.6.2.105","HTTP","404","GET /test.aspx HTTP/1.1 , NTLMSSP_NEGOTIATE"
"5","0.111015","10.6.2.105","10.21.4.3","HTTP","1466","HTTP/1.1 500 Internal Server Error (text/html)"
...
如有任何帮助,不胜感激
在六名工作人员的参与下,经过一番折腾,我们最终达成了目标。
所以,如果对其他人有用,这里有一些有用的发现:
-
确保FQDN用于所有URL,即在客户端浏览器中,以及由第一个web服务器调用到第二个web服务器的URL。
-
IIS应用程序池设置:
- 管理管道=集成
- Identity = ApplicationPoolIdentity(其他选项也可以)
-
IIS Authentication Settings:
- 匿名认证=关闭
- asp.net模拟=已启用
- 基本认证=已禁用
- Forms Authentication = Disabled
- Windows身份验证=启用
- 高级设置:
- 扩展保护=关闭
- 启用内核模式认证=关闭
- 提供程序:必须是这个顺序。不要只启用"协商"选项。
- 谈判:Kerberos
- NTLM
最后,一个不同的测试脚本:
<%@ Page Language="C#" Debug="true" %>
<%@ Import Namespace="System.Net" %>
<%@ Import Namespace="System.IO" %>
<%
// The service we wish to consume
string uri = "http://eu9992k8dvweb01.emea.world.net/DEV/api/1.5.12077.001/en-GB/8/56/Incident/GetList?StartIndex=0&PageLength=10";
//Create web request
HttpWebRequest req = (HttpWebRequest)WebRequest.Create(uri);
//Create credential cache
CredentialCache myCredCache = new CredentialCache();
myCredCache.Add(new Uri(uri), "Negotiate", (NetworkCredential)CredentialCache.DefaultCredentials);
//Add credentials to web request
req.Credentials = myCredCache;
req.Proxy = null;
// create somewhere for the response to go
HttpWebResponse httpResponse = null;
// now use the request
try
{
// get the requested page
httpResponse = (HttpWebResponse)req.GetResponse();
// output what was returned
using (StreamReader streamReader = new StreamReader(httpResponse.GetResponseStream()))
{
Response.Write(streamReader.ReadToEnd());
}
}
finally
{
// close the response object
if (httpResponse != null)
httpResponse.Close();
}
%>