1

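General information

Operating system: Windows Server 2003 R2 Service Pack 2

Web server: IIS 6

NTAuthenticationProviders: NTLM only

Web application: Classic ASP

Browsers used: IE7, IE8, IE9

There is a Classic ASP web application called Knowledgebase inside an IIS website called eblcplaza, like so: eblcplaza/knowledgebase/.

eblcplaza has anonymous access and Integrated Windows Authentication enabled. Knowledgebase has anonymous access disabled and Integrated Windows Authentication enabled.

Knowledgebase is a Classic ASP application with its own application pool, which runs under the predefined application pool identity "Network Service".

When I log in with my NT account, I can access any page I want. The problem is with the WinHttp.WinHttpRequest.5.1 component. It is used in some parts of Knowledgebase to make server-side requests that retrieve content from some .asp scripts residing within the web application.

The problem started when anonymous access was turned off on Knowledgebase. Note that turning it back on is not an option.

Example of a request using WinHttpRequest: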

set WinHTTPRequest = Server.CreateObject("WinHttp.WinHttpRequest.5.1")
WinHTTPRequest.SetTimeouts 20000, 20000, 20000, 20000
call WinHTTPRequest.Open("POST", someUrlToAspScript, false)
WinHTTPRequest.SetAutoLogonPolicy 0
WinHTTPRequest.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
WinHTTPRequest.Send strQueryString
Response.Write(WinHTTPRequest.ResponseText)

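With SetAutoLogonPolicy set to 0, I get the following error message on the page that uses WinHttpRequest:

You do not have permission to view this directory or page using the credentials that you supplied. HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials. Internet Information Services (IIS)

With SetAutoLogonPolicy set to 2 (do not send user credentials automatically, according to MSDN), I get the following error message on the page that uses WinHttpRequest:

You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept. HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration.

I know for a fact that my NT user account has the appropriate rights to access those .asp scripts, and so does the Network Service account.

I have been trying to figure out what the problem could be for several days now, trying things such as setting NTAuthenticationProviders to NTLM only, to Negotiate and NTLM, and so on, but nothing has worked so far.

Please help me out, it's starting to drive me crazy.

Regards,

Bart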

2 Answers

0

First of all, let's clear up what it is you are asking the server to do. It will have demanded your credentials from the client, with which it is now impersonating you for security purposes. The WinHTTP request it is making is to a service (WinHTTP doesn't know that it's the exact same application) that now demands credentials. What you want this impersonating thread to do is use your creds to authenticate against an "external" service.

I suspect that what is happening here is that the server is not cleared to re-use your credentials in this way. If I recall correctly (which may not be that certain), a server needs to be granted the right to delegate in order to do that. It may also be possible to allow this if Kerberos is used instead of NTLM to perform Windows integrated security.

However, all that may be academic. You should understand that an app making an HTTP request to itself has the potential to hang when under load in a way that would require a recycle to release.

Consider this alternative. Given that ServicePage.asp is a page used both directly by the browser and by an internal ClientPage.asp, do the following.

Rip out the service code from ServicePage.asp and place it in a VBScript class in a new ServiceInclude.asp. Now add this ServiceInclude.asp as an include file in ServicePage.asp, where ServicePage.asp only contains the plumbing necessary to instance the class and use it to generate its output.

Modify ClientPage.asp so that instead of attempting WinHttp to ServicePage.asp it simply includes the ServiceInclude.asp, instances the contained class and uses the class to provide the service required.

answered 2012-05-31T21:29:42.223
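
The refactoring this answer describes, sketched as an added example (not the answerer's code): three Classic ASP files shown in one listing. The class name KnowledgeService, its Render method, the "topic" form field and the sample topic value are hypothetical. Because the class runs inside the current request, there is no second HTTP request that has to authenticate, so nothing depends on delegation or on the WinHttpRequest auto-logon policy.

```asp
<%
' ===== File 1: ServiceInclude.asp =====
' The logic that used to live inline in ServicePage.asp.
' KnowledgeService and Render are hypothetical names.
Class KnowledgeService
    ' Takes its input as an argument instead of reading Request itself,
    ' so a browser request and an in-process caller share one code path.
    Public Function Render(ByVal topic)
        Render = "<p>Topic: " & Server.HTMLEncode(topic) & "</p>"
    End Function
End Class
%>

<%
' ===== File 2: ServicePage.asp =====
' Plumbing only: still reachable from the browser, still protected by
' Integrated Windows Authentication with anonymous access disabled.
%>
<!-- #include file="ServiceInclude.asp" -->
<%
Dim svc
Set svc = New KnowledgeService
Response.Write svc.Render(Request.Form("topic") & "")
%>

<%
' ===== File 3: ClientPage.asp =====
' Replaces the WinHttpRequest POST to ServicePage.asp. The class runs inside
' the current request, so there is no second HTTP hop that would have to
' authenticate and no credentials leave the thread.
%>
<!-- #include file="ServiceInclude.asp" -->
<%
Dim clientSvc, fragment
Set clientSvc = New KnowledgeService
fragment = clientSvc.Render("password-reset")   ' constructed sample input
Response.Write "<div class=""kb"">" & fragment & "</div>"
%>
```

Keeping anonymous access disabled on Knowledgebase is unaffected by this change, since ClientPage.asp no longer calls back into the site over HTTP.
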
0

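I guess the pages in Knowledgebase are accessed through the anonymous account because you start from eblcplaza. Try enabling NTLM only on the eblcplaza page where you use the request; you can do that on that file alone. That way your credentials get passed on to Knowledgebase. Log the Session("username") variable on both pages.

answered 2012-05-31T19:54:18.903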