Can a computer that is NOT a part of the domain (but is on the network) authenticate against a web site published by IIS8 where the authentication for that site is "Windows Authentication" only with a single provider of "Negotiate:Kerberos" (and with Kernel-mode authentication disabled)?
I ask because I am trying to do just this, but I cannot get past the authentication to the site (let alone trying to pass the authentication to the database). I see the "WWW-Authenticate: Negotiate" header on the response to the client, but the client only ever seems to send an "NTLM Type1: Negotiation" (NTLMSSP) in the subsequent (re)requests. Either that or I am interpreting the results from Fiddler2 incorrectly!
I am using Kerberos as most of the clients will be domain computers and I need to pass user credentials from the web application back to the database. I was hoping that I would be able to do the same with non-domain computers and they would simply be prompted for a username/domain/password that would be validated and converted to a Kerberos ticket on the server.
Note that for testing purposes, Windows 8 is both the server and the client. In production, the server will be Windows 2008 Server R2 and the client will be primarily Windows 7 (though there will be some Windows 8 clients).
Recommended answer
Kerberos will not work on accounts/computers which are not part of the domain. You have two options to achieve your goal:
Request the user data with Basic auth and pass that to LogonUserEx. See this for answers.
Authenticate the user by other means and use S4U2self (protocol transition).
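To confirm what a client really sent in reply to "WWW-Authenticate: Negotiate" (the Fiddler observation in the question), the base64 token in the Authorization header can be classified by its leading bytes and mechanism OIDs. This is an added example, not part of the original question or answer; the function names and both sample tokens are constructed for illustration.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
# DER-encoded OIDs (tag 0x06, length, value)
OID_SPNEGO = bytes.fromhex("06062b0601050502")              # 1.3.6.1.5.5.2
MECHS = {
    bytes.fromhex("06092a864886f712010202"): "Kerberos",    # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"): "Kerberos",    # 1.2.840.48018.1.2.2 (MS)
    bytes.fromhex("060a2b06010401823702020a"): "NTLM",      # 1.3.6.1.4.1.311.2.2.10
}

def classify(authorization_value):
    """Return (wrapper, mechanisms) for an Authorization header value."""
    scheme, _, token = authorization_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not token:
        return ("not-negotiate", [])
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return ("invalid-base64", [])
    # A bare NTLMSSP message: signature, then a little-endian message type.
    if raw.startswith(NTLMSSP_SIG) and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        return ("raw-ntlmssp", ["NTLM type %d" % msg_type])
    # GSS-API initial token (ASN.1 application tag 0x60); heuristic OID scan,
    # ordered by position so the client's preferred mechanism comes first.
    if raw[:1] == b"\x60":
        found = sorted((raw.find(oid), name) for oid, name in MECHS.items() if oid in raw)
        mechs = list(dict.fromkeys(name for _, name in found))
        wrapper = "spnego" if OID_SPNEGO in raw[:16] else "gss-api"
        return (wrapper, mechs)
    return ("unknown", [])

def tlv(tag, body):
    """Short-form DER tag/length/value, used only to build the sample token."""
    return bytes([tag, len(body)]) + body

def sample_headers():
    """Constructed tokens: a bare NTLM type 1 and a SPNEGO offer of Kerberos then NTLM."""
    ntlm1 = NTLMSSP_SIG + struct.pack("<II", 1, 0xE2088297) + bytes(16)
    krb_oid, _, ntlm_oid = list(MECHS)
    mech_list = tlv(0xA0, tlv(0x30, krb_oid + ntlm_oid))
    spnego = tlv(0x60, OID_SPNEGO + tlv(0xA0, tlv(0x30, mech_list)))
    enc = lambda b: "Negotiate " + base64.b64encode(b).decode()
    return {"ntlm_only": enc(ntlm1), "kerberos_offer": enc(spnego)}

if __name__ == "__main__":
    for name, value in sample_headers().items():
        print(name, classify(value))
```

A result of `raw-ntlmssp` means the client never attempted Kerberos, which matches the "NTLM Type1" message seen in Fiddler.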