2016-06-27 9 views
0

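Kerberos, impersonation causes 500 error

I am trying to get Kerberos working. Looking at the Wireshark output, the Windows username is passed through to the test script, but when I turn on impersonation in IIS I get a 500 Internal Server Error.

The script is as follows: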

<%@ Page Language="C#" Debug="true" %> 
<%@ Import Namespace="System.Net" %> 
<% 
WebClient client = new WebClient(); 
string downloadString = client.DownloadString("http://10.6.2.117/DEV/api/1.5.12077.001/en-GB/8/56/Incident/GetList?%24id=1&StartIndex=0&PageLength=10"); 

Response.Write(downloadString); 
%> 

I can access the URL directly via a browser with no problems.

With impersonation off, I get the following Wireshark output (line 8 shows the username):

"1","0.000000","10.21.4.3","10.6.2.105","TCP","66","59546 → 7001 [SYN] Seq=0 Win=65535 Len=0 MSS=1260 WS=256 SACK_PERM=1" 
"2","0.000092","10.6.2.105","10.21.4.3","TCP","66","7001 → 59546 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1" 
"3","0.017328","10.21.4.3","10.6.2.105","TCP","60","59546 → 7001 [ACK] Seq=1 Ack=1 Win=262144 Len=0" 
"4","0.019120","10.21.4.3","10.6.2.105","HTTP","404","GET /test.aspx HTTP/1.1 , NTLMSSP_NEGOTIATE" 
"5","0.104296","10.6.2.105","10.21.4.3","HTTP","1940","HTTP/1.1 401 Unauthorized , NTLMSSP_CHALLENGE (text/html)" 
"6","0.123311","10.21.4.3","10.6.2.105","TCP","60","59546 → 7001 [ACK] Seq=351 Ack=1261 Win=262144 Len=0" 
"7","0.123314","10.21.4.3","10.6.2.105","TCP","60","59546 → 7001 [ACK] Seq=351 Ack=1887 Win=261376 Len=0" 
"8","0.125557","10.21.4.3","10.6.2.105","HTTP","624","GET /test.aspx HTTP/1.1 , NTLMSSP_AUTH, User: EMEA\xxxxxx" 
"9","0.183273","10.6.2.105","10.21.4.3","TCP","3834","[TCP segment of a reassembled PDU]" 
"10","0.203950","10.21.4.3","10.6.2.105","TCP","60","59546 → 7001 [ACK] Seq=921 Ack=3147 Win=262144 Len=0" 
"11","0.203953","10.21.4.3","10.6.2.105","TCP","60","59546 → 7001 [ACK] Seq=921 Ack=4407 Win=262144 Len=0" 
"12","0.203955","10.21.4.3","10.6.2.105","TCP","60","59546 → 7001 [ACK] Seq=921 Ack=5667 Win=262144 Len=0" 
"13","0.204018","10.6.2.105","10.21.4.3","HTTP","2389","HTTP/1.1 500 Internal Server Error (text/html)" 
... 

With impersonation on, I get (line 4 - no username):

"1","0.000000","10.21.4.3","10.6.2.105","TCP","66","59648 → 7001 [SYN] Seq=0 Win=65535 Len=0 MSS=1260 WS=256 SACK_PERM=1" 
"2","0.000111","10.6.2.105","10.21.4.3","TCP","66","7001 → 59648 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1" 
"3","0.018178","10.21.4.3","10.6.2.105","TCP","60","59648 → 7001 [ACK] Seq=1 Ack=1 Win=262144 Len=0" 
"4","0.019833","10.21.4.3","10.6.2.105","HTTP","404","GET /test.aspx HTTP/1.1 , NTLMSSP_NEGOTIATE" 
"5","0.111015","10.6.2.105","10.21.4.3","HTTP","1466","HTTP/1.1 500 Internal Server Error (text/html)" 
... 

Any help is appreciated.

Answer

0

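We got there in the end, after a great deal of effort and with 6 staff involved. So, in case it is of use to anyone, here are some useful findings:

  1. Make sure the FQDN is used for all URLs, both in the client's browser and in the URLs called by the first web server on the second web server, i.e.:

  2. IIS application pool settings:

    • Managed pipeline = Integrated
    • Identity = ApplicationPoolIdentity (other options may also work)
  3. IIS authentication settings:

    • Anonymous Authentication = Disabled
    • ASP.NET Impersonation = Enabled
    • Basic Authentication = Disabled
    • Forms Authentication = Disabled
    • Windows Authentication = Enabled
      • Advanced settings:
      • Extended Protection = Off
      • Enable Kernel-mode authentication = Off
      • Providers: these must be in this order. Do not enable only the "Negotiate" option.
        • Negotiate:Kerberos
        • NTLM

And finally, a different test script: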

<%@ Page Language="C#" Debug="true" %> 
<%@ Import Namespace="System.Net" %> 
<%@ Import Namespace="System.IO" %> 
<% 
// The service we wish to consume 
string uri = "http://eu9992k8dvweb01.emea.world.net/DEV/api/1.5.12077.001/en-GB/8/56/Incident/GetList?StartIndex=0&PageLength=10"; 

//Create web request 
HttpWebRequest req = (HttpWebRequest)WebRequest.Create(uri); 

//Create credential cache 
CredentialCache myCredCache = new CredentialCache(); 
myCredCache.Add(new Uri(uri), "Negotiate", (NetworkCredential)CredentialCache.DefaultCredentials); 

//Add credentials to web request 
req.Credentials = myCredCache; 
req.Proxy = null; 

// create somewhere for the response to go 
HttpWebResponse httpResponse = null; 

// now use the request 
try 
{ 
    // get the requested page 
    httpResponse = (HttpWebResponse)req.GetResponse(); 

    // output what was returned 
    using (StreamReader streamReader = new StreamReader(httpResponse.GetResponseStream())) 
    { 
        Response.Write(streamReader.ReadToEnd());
    } 
} 
finally 
{ 
    // close the response object 
    if (httpResponse != null) 
        httpResponse.Close();
} 
%> 
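
To make the difference between the two captures in the question explicit, the following added example (not part of the original question or answer) parses the Wireshark CSV rows shown there and reports how far the NTLM handshake got before the 500 was returned. Both captures carry NTLMSSP messages; the function and variable names are this example's own.

```python
import csv
import io
import re

# Rows copied from the two Wireshark CSV exports in the question
# (No., Time, Source, Destination, Protocol, Length, Info); most TCP rows omitted.
CAPTURE_OFF = r'''
"4","0.019120","10.21.4.3","10.6.2.105","HTTP","404","GET /test.aspx HTTP/1.1 , NTLMSSP_NEGOTIATE"
"5","0.104296","10.6.2.105","10.21.4.3","HTTP","1940","HTTP/1.1 401 Unauthorized , NTLMSSP_CHALLENGE (text/html)"
"8","0.125557","10.21.4.3","10.6.2.105","HTTP","624","GET /test.aspx HTTP/1.1 , NTLMSSP_AUTH, User: EMEA\xxxxxx"
"9","0.183273","10.6.2.105","10.21.4.3","TCP","3834","[TCP segment of a reassembled PDU]"
"13","0.204018","10.6.2.105","10.21.4.3","HTTP","2389","HTTP/1.1 500 Internal Server Error (text/html)"
'''
CAPTURE_ON = r'''
"4","0.019833","10.21.4.3","10.6.2.105","HTTP","404","GET /test.aspx HTTP/1.1 , NTLMSSP_NEGOTIATE"
"5","0.111015","10.6.2.105","10.21.4.3","HTTP","1466","HTTP/1.1 500 Internal Server Error (text/html)"
'''

STAGE = re.compile(r"NTLMSSP_(NEGOTIATE|CHALLENGE|AUTH)")
USER = re.compile(r"User: (\S+)")
STATUS = re.compile(r"^HTTP/1\.[01] (\d{3})\b")


def summarize(csv_text):
    """Walk the HTTP rows of one capture; report the NTLM messages seen,
    the authenticated user (if any) and where the first 5xx arrived."""
    stages, user, failed_after = [], None, None
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 7 or row[4] != "HTTP":
            continue  # blank lines and pure TCP rows carry no auth information
        info = row[6]
        stage = STAGE.search(info)
        if stage:
            stages.append(stage.group(1))
        name = USER.search(info)
        if name:
            user = name.group(1)
        status = STATUS.match(info)
        if status and status.group(1).startswith("5"):
            failed_after = stages[-1] if stages else "no authentication"
            break
    return {"stages": stages, "user": user, "failed_after": failed_after}


if __name__ == "__main__":
    for label, capture in (("impersonation off", CAPTURE_OFF), ("impersonation on", CAPTURE_ON)):
        print(label, summarize(capture))
```

With impersonation off, the 500 arrives after the AUTH message, so the user was identified before the page failed; with impersonation on, it arrives straight after NEGOTIATE, before any challenge was issued.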