Kerberos，模拟导致 500 错误

Question

正在尝试让 kerberos 工作。

查看 wireshark 输出，windows 用户名已传递到我的测试脚本，但是当我在 IIS 中打开模拟时，出现 500 内部服务器错误。

脚本如下：

<%@ Page Language="C#" Debug="true" %>
<%@ Import Namespace="System.Net" %>
<%
WebClient client = new WebClient();
string downloadString = client.DownloadString("http://10.6.2.117/DEV/api/1.5.12077.001/en-GB/8/56/Incident/GetList?%24id=1&StartIndex=0&PageLength=10");

Response.Write(downloadString);
%>

我可以通过浏览器直接访问 url，没有任何问题。

关闭模拟后，我得到以下 wireshark 输出（第 8 行显示用户名）：

"1","0.000000","10.21.4.3","10.6.2.105","TCP","66","59546 → 7001 [SYN] Seq=0 Win=65535 Len=0 MSS=1260 WS=256 SACK_PERM=1"
"2","0.000092","10.6.2.105","10.21.4.3","TCP","66","7001 → 59546 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1"
"3","0.017328","10.21.4.3","10.6.2.105","TCP","60","59546 → 7001 [ACK] Seq=1 Ack=1 Win=262144 Len=0"
"4","0.019120","10.21.4.3","10.6.2.105","HTTP","404","GET /test.aspx HTTP/1.1 , NTLMSSP_NEGOTIATE"
"5","0.104296","10.6.2.105","10.21.4.3","HTTP","1940","HTTP/1.1 401 Unauthorized , NTLMSSP_CHALLENGE (text/html)"
"6","0.123311","10.21.4.3","10.6.2.105","TCP","60","59546 → 7001 [ACK] Seq=351 Ack=1261 Win=262144 Len=0"
"7","0.123314","10.21.4.3","10.6.2.105","TCP","60","59546 → 7001 [ACK] Seq=351 Ack=1887 Win=261376 Len=0"
"8","0.125557","10.21.4.3","10.6.2.105","HTTP","624","GET /test.aspx HTTP/1.1 , NTLMSSP_AUTH, User: EMEA\xxxxxx"
"9","0.183273","10.6.2.105","10.21.4.3","TCP","3834","[TCP segment of a reassembled PDU]"
"10","0.203950","10.21.4.3","10.6.2.105","TCP","60","59546 → 7001 [ACK] Seq=921 Ack=3147 Win=262144 Len=0"
"11","0.203953","10.21.4.3","10.6.2.105","TCP","60","59546 → 7001 [ACK] Seq=921 Ack=4407 Win=262144 Len=0"
"12","0.203955","10.21.4.3","10.6.2.105","TCP","60","59546 → 7001 [ACK] Seq=921 Ack=5667 Win=262144 Len=0"
"13","0.204018","10.6.2.105","10.21.4.3","HTTP","2389","HTTP/1.1 500 Internal Server Error  (text/html)"
...

启用模拟后，我得到（第 4 行 - 无用户名）：

"1","0.000000","10.21.4.3","10.6.2.105","TCP","66","59648 → 7001 [SYN] Seq=0 Win=65535 Len=0 MSS=1260 WS=256 SACK_PERM=1"
"2","0.000111","10.6.2.105","10.21.4.3","TCP","66","7001 → 59648 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1"
"3","0.018178","10.21.4.3","10.6.2.105","TCP","60","59648 → 7001 [ACK] Seq=1 Ack=1 Win=262144 Len=0"
"4","0.019833","10.21.4.3","10.6.2.105","HTTP","404","GET /test.aspx HTTP/1.1 , NTLMSSP_NEGOTIATE"
"5","0.111015","10.6.2.105","10.21.4.3","HTTP","1466","HTTP/1.1 500 Internal Server Error  (text/html)"
...

如有任何帮助，我们将不胜感激

Answer 1

好吧，在六名工作人员的参与下，经过多次摆弄，我们最终到达了那里。

因此，如果它对其他人有用，这里有一些有用的发现：

1. 确保 FQDN 用于所有 URL，即在客户端浏览器中，以及由第一个 Web 服务器调用到第二个 Web 服务器的 URL .

2. IIS 应用程序池设置：

   • 托管管道 = 集成
   • Identity = ApplicationPoolIdentity（其他选项也可以）

3. IIS 身份验证设置：

   • 匿名身份验证 = 禁用
   • ASP .NET 模拟 = 已启用
   • 基本身份验证 = 禁用
   • 表单身份验证 = 已禁用
   • Windows 身份验证 = 已启用
     • 高级设置：
     • 扩展保护 = 关闭
     • 启用内核模式身份验证 = 关闭
     • 提供商：必须按此顺序。不要只启用“协商”选项。
       • 协商：Kerberos
       • NTLM

最后，一个不同的测试脚本：

<%@ Page Language="C#" Debug="true" %>
<%@ Import Namespace="System.Net" %>
<%@ Import Namespace="System.IO" %>
<%
// The service we wish to consume
string uri = "http://eu9992k8dvweb01.emea.world.net/DEV/api/1.5.12077.001/en-GB/8/56/Incident/GetList?StartIndex=0&PageLength=10";

//Create web request
HttpWebRequest req = (HttpWebRequest)WebRequest.Create(uri);  

//Create credential cache
CredentialCache myCredCache = new CredentialCache();
myCredCache.Add(new Uri(uri), "Negotiate", (NetworkCredential)CredentialCache.DefaultCredentials);

//Add credentials to web request
req.Credentials = myCredCache;
req.Proxy = null;

// create somewhere for the response to go
HttpWebResponse httpResponse = null;

// now use the request
try
{
    // get the requested page
    httpResponse = (HttpWebResponse)req.GetResponse();

    // output what was returned
    using (StreamReader streamReader = new StreamReader(httpResponse.GetResponseStream()))
    {
        Response.Write(streamReader.ReadToEnd());
    }
}
finally
{
    // close the response object
    if (httpResponse != null)
        httpResponse.Close();
}
%>