I have two sites, A and B. A consumes an API that B exposes, and B requires Windows authentication. Both sites live in Domain D.
我有两个站点,A和B. A使用B公开的API,B需要Windows身份验证。这两个站点都位于域D.
The API is consumed via HttpClient, and when site A is run locally, under my domain account (which is in Domain P), access is granted. In this case, HttpClient is instantiated like so:
API通过HttpClient使用,当站点A在本地运行时,在我的域帐户(在域P中)下,授予访问权限。在这种情况下,HttpClient实例化如下:
using(var client = new HttpClient(new HttpClientHandler { UseDefaultCredentials: true }))
When A is deployed to a testing server, the above results in a 401 Unauthorized response. The application pool on the testing server is running under a service account in domain D.
当A部署到测试服务器时,上面会导致401 Unauthorized响应。测试服务器上的应用程序池在域D中的服务帐户下运行。
When explicitly using that service account like this:
明确使用该服务帐户时,如下所示:
var credential = new NetworkCredential("service-account", "password", "D");
var cache = new CredentialCache
{
{
new Uri(apiServerUri), "NTLM", credential
}
};
var handler = new HttpClientHandler
{
Credentials = cache
};
using(var client = new HttpClient(handler))
...
And again running site A locally, access is still granted. Access is also granted when accessing the API directly via browser, and specifying the service account credentials. Logs indicate that it is definitely the service account being used to access the API.
再次在本地运行站点A,仍然可以访问。直接通过浏览器访问API并指定服务帐户凭据时,也会授予访问权限。日志表明它绝对是用于访问API的服务帐户。
Deploying the above back to the testing server still results in 401 Unauthorized.
将上述部署回测试服务器仍然会导致401 Unauthorized。
Deploying site A to a local instance of IIS, also successfully consumes the API of B.
将站点A部署到IIS的本地实例,也成功使用了B的API。
Running site B locally, and then accessing it via site A locally, results in a 401 Unauthorized.
在本地运行站点B,然后在本地通过站点A访问它,导致401 Unauthorized。
Accessing the API through a browser on the testing server where A is deployed, and specifying the service account credentials, also gives a 401 Unauthorized.
通过部署A的测试服务器上的浏览器访问API,并指定服务帐户凭据,也会提供401 Unauthorized。
I'm not sure where to go from here - am I missing something in the code to get this working? Or is it likely to be an IIS or AD issue?
我不确定从哪里开始 - 我在代码中遗漏了一些东西以使其正常工作吗?或者它可能是IIS或AD问题?
1 个解决方案
#1
6
While I'm yet to determine exactly why this work around works, or if there is a better way of doing it (because this feels clunky), the following has allowed A to connect to B, when both are sitting on the same server.
虽然我还没确定为什么这个工作有效,或者有更好的方法(因为这感觉很笨)),当两者都坐在同一台服务器上时,以下允许A连接到B.
Site B has had an additional host binding setup in IIS, to listen on localhost:12345. Site A has been configured to connect to that endpoint, rather than the domain name for Site B. Authentication is now working correctly.
站点B在IIS中有一个额外的主机绑定设置,以侦听localhost:12345。站点A已配置为连接到该端点,而不是站点B的域名。身份验证现在可以正常工作。
I would be interested if anyone can explain why this is the case - I dislike 'magic' fixes.
如果有人能解释为什么会这样,我会感兴趣 - 我不喜欢'魔术'修复。
edit It would seem that this kb article is a likely cause for this behavior. Specifically:
编辑看起来这篇kb文章可能是造成这种行为的原因。特别:
When you use the fully qualified domain name (FQDN) or a custom host header to browse a local Web site that is hosted on a computer that is running Microsoft Internet Information Services (IIS) 5.1 or a later version, you may receive an error message that resembles the following: HTTP 401.1 - Unauthorized: Logon Failed This issue occurs when the Web site uses Integrated Authentication and has a name that is mapped to the local loopback address
当您使用完全限定域名(FQDN)或自定义主机标头浏览运行Microsoft Internet信息服务(IIS)5.1或更高版本的计算机上承载的本地网站时,您可能会收到一条错误消息类似于以下内容:HTTP 401.1 - 未授权:登录失败当网站使用集成身份验证并具有映射到本地环回地址的名称时,会出现此问题
and
Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.
因此,如果您使用的FQDN或自定义主机标头与本地计算机名称不匹配,则身份验证将失败。
Registry modifications aren't really an option on these servers, so looks like the work around is what we will be using.
注册表修改在这些服务器上并不是一个真正的选项,因此看起来就像我们将要使用的那样。
#1
6
While I'm yet to determine exactly why this work around works, or if there is a better way of doing it (because this feels clunky), the following has allowed A to connect to B, when both are sitting on the same server.
虽然我还没确定为什么这个工作有效,或者有更好的方法(因为这感觉很笨)),当两者都坐在同一台服务器上时,以下允许A连接到B.
Site B has had an additional host binding setup in IIS, to listen on localhost:12345. Site A has been configured to connect to that endpoint, rather than the domain name for Site B. Authentication is now working correctly.
站点B在IIS中有一个额外的主机绑定设置,以侦听localhost:12345。站点A已配置为连接到该端点,而不是站点B的域名。身份验证现在可以正常工作。
I would be interested if anyone can explain why this is the case - I dislike 'magic' fixes.
如果有人能解释为什么会这样,我会感兴趣 - 我不喜欢'魔术'修复。
edit It would seem that this kb article is a likely cause for this behavior. Specifically:
编辑看起来这篇kb文章可能是造成这种行为的原因。特别:
When you use the fully qualified domain name (FQDN) or a custom host header to browse a local Web site that is hosted on a computer that is running Microsoft Internet Information Services (IIS) 5.1 or a later version, you may receive an error message that resembles the following: HTTP 401.1 - Unauthorized: Logon Failed This issue occurs when the Web site uses Integrated Authentication and has a name that is mapped to the local loopback address
当您使用完全限定域名(FQDN)或自定义主机标头浏览运行Microsoft Internet信息服务(IIS)5.1或更高版本的计算机上承载的本地网站时,您可能会收到一条错误消息类似于以下内容:HTTP 401.1 - 未授权:登录失败当网站使用集成身份验证并具有映射到本地环回地址的名称时,会出现此问题
and
Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.
因此,如果您使用的FQDN或自定义主机标头与本地计算机名称不匹配,则身份验证将失败。
Registry modifications aren't really an option on these servers, so looks like the work around is what we will be using.
注册表修改在这些服务器上并不是一个真正的选项,因此看起来就像我们将要使用的那样。