Windows身份验证在本地IIS 7.5上不起作用.错误401.1
本文关键字:不起作用 错误 身份验证 IIS Windows | 更新日期: 2023-09-27 18:21:04
我最近在ASP.net 4.0网站上获取IIS 7.5(Windows 7 Pro)的本地实例的Windows身份验证时遇到了一个严重问题。我遵循了基本步骤。
IIS身份验证
- 禁用匿名身份验证
- 启用Windows身份验证
编辑web.config
<authentication mode="Windows" />
这在启用Windows身份验证方面做得很好,但每次登录尝试都被拒绝,最终返回401.1错误。这就是问题的根源。造成这种情况的原因似乎有很多,在网络上都有很好的记录,包括这里的Stack Overflow。
我试过了:
- 编辑Windows身份验证的IIS身份验证"高级设置"以禁用扩展保护和内核模式身份验证
- 编辑IIS身份验证"提供程序"以将NTLM移动到协商之上
- 编辑IIS.NET授权规则以明确允许用户(以及各种其他组合)
- 各种IIS命令行脚本和调整
- web.config文件中的各种配置调整
- 甚至还有一些文件系统权限调整
但一切都无济于事,可怕的401.1仍然存在。
这确实是一个"以木见木"的例子。我设法找到的解决方案(如果你愿意的话,可以称之为糟糕的搜索参数)都不适合我,所以我认为值得发布这个问题,希望能为任何遇到同样问题的人提供一个更容易找到的明确答案。
这里的问题是,现代版本的Windows(Windows XP SP2、Windows Server 2003 SP1及更高版本)包含环回检查安全功能,旨在帮助防止对您的计算机进行反射攻击。因此,如果您使用的FQDN或自定义主机标头与本地计算机名不匹配,则身份验证将失败。
这可以通过显式指定主机名或禁用环回检查来解决。显然,前者是更受控制的方法。
- 将DisableStrictNameChecking注册表项设置为1。请参阅:281308(注意:对于Windows Server 2008/Vista及更高版本,这应该是不必要的)
- 在注册表编辑器中,找到并单击以下注册表项:HKEY_LOCAL_MACHINE''SYSTEM''CurrentControlSet''Control''Lsa''MSV1_0
- 右键单击MSV1_0,指向"新建",然后单击"多字符串值"
- 键入BackConnectionHostNames,然后按ENTER
- 右键单击BackConnectionHostNames,然后单击Modify
- 在"值"数据框中,键入主机名或本地计算机上站点的主机名,然后单击"确定"
- 退出注册表编辑器,然后重新启动IISAdmin服务
如何做到这一点的全部细节可以在MSDN上找到:896861
希望这能帮助到别人。如果您有其他建议或改进,请添加。
我想添加Michael Dark的评论作为答案,因为我没有修改注册表的权限,所以Pete的答案对我不起作用,但我能够解决问题。
我通过向我的网站添加一个新的绑定来解决这个问题,该绑定没有指定主机名和一个不同的端口(因为localhost:80对我来说是使用的)。我一试着从http://localhost:86/mypage,它起了作用。在浏览器中快速检查后,我用cURL测试了几次,它正确地接受和拒绝了我的凭据。
再次重新安装IIS功能,并确保已选中WINDOWS auth复选框。
以下是我用来处理反向连接主机名和IIS的PowerShell代码。请注意,只需做一点工作,commandlet就可以保存到一个模块中并以这种方式使用。
Import-Module WebAdministration
function Add-BackConnectionHostname
{
<#
.SYNOPSIS
Adds the back connection hostnames that will bypass the server loopback check.
.DESCRIPTION
Adds the hostname to the list of back connection hostnames that will bypass the server loopback check. Back connection host names
can be used to address the problem with IIS sites using Windows Authentication that is described in Microsoft KB896861.
.EXAMPLE
Add-BackConnectionHostname mywebsite.mydomain.tld
.EXAMPLE
Add-BackConnectionHostname mywebsite1.mydomain.tld, mywebsite2.mydomain.tld
.PARAMETER Hostname
The Hostname to add to the back connection hostnames list.
.LINK
Remove-BackConnectionHostname
Get-BackConnectionHostname
Enable-ServerLoopbackCheck
Disable-ServerLoopbackCheck
Get-ServerLoopbackCheck
"You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.microsoft.com/en-us/kb/896861)
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param
(
[Parameter(ValueFromPipeline = $true, Mandatory = $true)]
[string] $Hostname
)
begin
{
$keyPath = "HKLM:'SYSTEM'CurrentControlSet'Control'Lsa'MSV1_0"
$propertyName = "BackConnectionHostnames"
$key = Get-Item $keyPath
$property = $null
$propertyValues = $null
if ($key -ne $null)
{
$property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue
if ($property -eq $null)
{
$property = New-ItemProperty $keyPath -Name $propertyName -Value $null -PropertyType ([Microsoft.Win32.RegistryValueKind]::MultiString) -ErrorAction Stop
Write-Verbose "Created the $($propertyName) property."
}
if ($property -ne $null)
{
$propertyValues = $property.$propertyName
}
}
}
process
{
if ($property -ne $null)
{
foreach ($hostNameValue in $Hostname)
{
if ([string]::IsNullOrWhiteSpace($hostName) -eq $false -and $propertyValues -notcontains $hostNameValue)
{
$propertyValues += $hostNameValue
Write-Verbose "Added $($hostName) to the back connection hostnames."
}
else
{
Write-Verbose "Back connection host names already has an entry for $($hostName)."
}
}
}
}
end
{
if ($propertyValues -ne $null)
{
$propertyValues = $propertyValues | ?{ [string]::IsNullOrWhiteSpace($_) -eq $false } | Sort -Unique
Set-ItemProperty $keyPath -Name $propertyName -Value $propertyValues
}
}
}
function Remove-BackConnectionHostname
{
<#
.SYNOPSIS
Removes the hostname from the list of back connection hostnames that will bypass the server loopback check.
.DESCRIPTION
Removes the hostname from the list of back connection hostnames that will bypass the server loopback check.
.EXAMPLE
Remove-BackConnectionHostname mywebsite.mydomain.tld
.EXAMPLE
Remove-BackConnectionHostname mywebsite1.mydomain.tld, mywebsite2.mydomain.tld
.PARAMETER Hostname
The Hostname to remove from the back connection hostnames list.
.LINK
Add-BackConnectionHostname
Get-BackConnectionHostname
Enable-ServerLoopbackCheck
Disable-ServerLoopbackCheck
Get-ServerLoopbackCheck
"You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.microsoft.com/en-us/kb/896861)
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param
(
[Parameter(ValueFromPipeline = $true, Mandatory = $true)]
[string] $Hostname
)
begin
{
$keyPath = "HKLM:'SYSTEM'CurrentControlSet'Control'Lsa'MSV1_0"
$propertyName = "BackConnectionHostnames"
$key = Get-Item $keyPath
$property = $null
$propertyValues = $null
if ($key -ne $null)
{
$property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue
if ($property -ne $null)
{
$propertyValues = $property.$propertyName
}
else
{
Write-Verbose "The $($propertyName) property was not found."
}
}
}
process
{
if ($property -ne $null)
{
foreach ($hostNameValue in $Hostname)
{
if ($propertyValues -contains $hostNameValue)
{
$propertyValues = $propertyValues | ? { $_ -ne $hostName }
Write-Verbose "Removed $($hostName) from the $($propertyName) property."
}
else
{
Write-Verbose "No entry for $($hostName) was found in the $($propertyName) property."
}
}
}
}
end
{
if ($property -ne $null)
{
$propertyValues = $propertyValues | ?{ [string]::IsNullOrWhiteSpace($_) -eq $false } | Sort -Unique
if ($propertyValues.Length -ne 0)
{
Set-ItemProperty $keyPath -Name $propertyName -Value $propertyValues
}
else
{
Remove-ItemProperty $keyPath -Name $propertyName
Write-Verbose "No entries remain after removing $($hostName). The $($propertyName) property was removed."
}
}
}
}
function Get-BackConnectionHostname
{
<#
.SYNOPSIS
Gets the list of back connection hostnames that will bypass the server loopback check.
.DESCRIPTION
Gets the back connection hostnames that will bypass the server loopback check. Back connection host names can be used to address
the problem with IIS sites using Windows Authentication that is described in Microsoft KB896861.
.EXAMPLE
Get-BackConnectionHostname
.LINK
Add-BackConnectionHostname
Remove-BackConnectionHostname
Enable-ServerLoopbackCheck
Disable-ServerLoopbackCheck
Get-ServerLoopbackCheck
"You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.microsoft.com/en-us/kb/896861)
#>
[CmdletBinding(SupportsShouldProcess = $false)]
param
(
)
begin
{
$keyPath = "HKLM:'SYSTEM'CurrentControlSet'Control'Lsa'MSV1_0"
$propertyName = "BackConnectionHostnames"
$key = Get-Item $keyPath
$property = $null
if ($key -ne $null)
{
$property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue
if ($property -eq $null)
{
Write-Verbose "The $($propertyName) property was not found."
}
}
}
process
{
$propertyValues = $null
if ($property -ne $null)
{
$propertyValues = $property.$propertyName
}
return $propertyValues
}
end
{
}
}
function Enable-ServerLoopbackCheck
{
<#
.SYNOPSIS
Enables the server loopback check. Enabled is the normal state for a Windows Server.
.DESCRIPTION
Enables the server loopback check. Having the loopback check enabled is the normal state for a Windows Server. Disabling the loopback check can be used to address
the problem with IIS sites using Windows Authentication that is described in Microsoft KB896861. It is NOT the preferred method. See the KB article for more details.
.EXAMPLE
Enable-ServerLoopbackCheck
.LINK
Add-BackConnectionHostname
Remove-BackConnectionHostname
Get-BackConnectionHostname
Enable-ServerLoopbackCheck
Get-ServerLoopbackCheck
"You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.microsoft.com/en-us/kb/896861)
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param
(
)
begin
{
$keyPath = "HKLM:'SYSTEM'CurrentControlSet'Control'Lsa"
$propertyName = "DisableLoopbackCheck"
$key = Get-Item $keyPath
$property = $null
if ($key -ne $null)
{
$property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue
if ($property -eq $null)
{
Write-Verbose "The $($propertyName) property was not found."
}
}
}
process
{
if ($property -ne $null)
{
Set-ItemProperty $keyPath -Name $propertyName -Value 0
}
}
end
{
}
}
function Disable-ServerLoopbackCheck
{
<#
.SYNOPSIS
Disables the server loopback check for all hostnames. Enabled is the normal state for a Windows Server.
.DESCRIPTION
Disables the server loopback check for all hostnames. Having the loopback check enabled is the normal state for a Windows Server. Disabling the loopback check can be used
to address the problem with IIS sites using Windows Authentication that is described in Microsoft KB896861. It is NOT the preferred method. See the KB article for more details.
.EXAMPLE
Disable-ServerLoopbackCheck
.LINK
Add-BackConnectionHostname
Remove-BackConnectionHostname
Get-BackConnectionHostname
Enable-ServerLoopbackCheck
Get-ServerLoopbackCheck
"You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.microsoft.com/en-us/kb/896861)
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param
(
)
begin
{
$keyPath = "HKLM:'SYSTEM'CurrentControlSet'Control'Lsa"
$propertyName = "DisableLoopbackCheck"
$key = Get-Item $keyPath
$property = $null
if ($key -ne $null)
{
$property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue
if ($property -eq $null)
{
Write-Verbose "The $($propertyName) property was not found."
}
}
}
process
{
if ($property -ne $null)
{
Set-ItemProperty $keyPath -Name $propertyName -Value 1
}
else
{
$property = New-ItemProperty $keyPath -Name $propertyName -PropertyType ([Microsoft.Win32.RegistryValueKind]::DWord) -Value 1
}
}
end
{
}
}
function Get-ServerLoopbackCheck
{
<#
.SYNOPSIS
Gets the status of the server loopback check. Enabled is the normal state for a Windows Server.
.DESCRIPTION
Gets the status of the server loopback check. Having the loopback check enabled is the normal state for a Windows Server. Disabling the loopback check can be used
to address the problem with IIS sites using Windows Authentication that is described in Microsoft KB896861. It is NOT the preferred method. See the KB article for
more details.
.EXAMPLE
Get-ServerLoopbackCheck
.LINK
Add-BackConnectionHostname
Remove-BackConnectionHostname
Get-BackConnectionHostname
Enable-ServerLoopbackCheck
Disable-ServerLoopbackCheck
"You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.microsoft.com/en-us/kb/896861)
#>
[CmdletBinding(SupportsShouldProcess = $false)]
param
(
)
begin
{
$keyPath = "HKLM:'SYSTEM'CurrentControlSet'Control'Lsa"
$propertyName = "DisableLoopbackCheck"
$key = Get-Item $keyPath
$property = $null
if ($key -ne $null)
{
$property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue
}
}
process
{
$loopbackCheckStatus = "Enabled"
if ($property -ne $null)
{
switch ($property)
{
0 { $loopbackCheckStatus = "Enabled" }
1 { $loopbackCheckStatus = "Disabled" }
default { $loopbackCheckStatus = "Unknown" }
}
}
return $loopbackCheckStatus
}
end
{
}
}
function Get-WebsiteHostname
{
<#
.SYNOPSIS
Gets the hostnames for the IP addresses bound to a web site.
.DESCRIPTION
Gets the hostnames for the IP addresses bound to a web site. Where a host header exists, the host header is used; otherwise, the IP address is looked up
in DNS to see if a PTR record exists.
.EXAMPLE
Get-WebSiteHostname $webSite
.EXAMPLE
Get-WebSiteHostname -Name 'Default Web Site'
.EXAMPLE
Get-Website | Get-WebSiteHostname
.LINK
Get-Website
#>
[CmdletBinding(SupportsShouldProcess = $false)]
param
(
[Parameter(ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Mandatory = $true)]
[string] $Name
)
process
{
$siteHostnames = @()
foreach ($webSiteName in $Name)
{
$bindings = Get-WebBinding -Name $Name
foreach ($binding in $bindings)
{
$bindingInfo = $binding.bindingInformation.Split(':')
$hostHeader = $bindingInfo[2]
$bindingInfoAddress = $null
$isValidIP = [System.Net.IPAddress]::TryParse($bindingInfo[0], [ref] $bindingInfoAddress)
$siteHostname = $null
if ($bindingInfo -eq '*')
{
Write-Warning "The $($webSiteName) web site has a binding address set to All Unassigned."
}
elseif ([string]::IsNullOrWhiteSpace($hostHeader) -eq $false)
{
$siteHostname = $hostHeader
Write-Verbose "The $($webSiteName) web site has a host header set to $($siteHostname)."
}
elseif ($isValidIP -eq $true)
{
$siteHostname = (Resolve-DnsName $bindingInfoAddress -DnsOnly PTR -ErrorAction SilentlyContinue).NameHost
if ($siteHostname -ne $null)
{
Write-Verbose "The $($webSiteName) web site has an IP Address $($bindingInfoAddress) that resolves to $($siteHostname)."
}
else
{
Write-Warning "The $($webSiteName) web site has an IP Address $($bindingInfoAddress) with no PTR record."
}
}
}
if ($siteHostname -ne $null)
{
$siteHostnames += $siteHostname
}
}
return $siteHostnames | Sort -Unique
}
}
Get-Website | ?{ (Get-WebConfiguration -Filter '/system.web/authentication' -PSPath $_.PSPath).mode -eq 'Windows' } | Get-WebsiteHostname | Add-BackConnectionHostname