我已在 IIS 7.5 上为 Kerberos 身份验证配置了 http 服务。并且运行正常。
我已经从 Linux 盒子检查过了
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
03/08/16 10:19:30 03/08/16 20:19:31 krbtgt/[email protected]
renew until 03/15/16 10:19:30
03/08/16 10:20:00 03/08/16 20:19:31 HTTP/[email protected]
renew until 03/15/16 10:19:30
简单测试
# curl --trace-ascii - --negotiate -u : http://www.example.net
Enter host password for user '[email protected]':
== Info: About to connect() to www.example.net port 80 (#0)
== Info: Trying 192.168.1.100... == Info: connected
== Info: Connected to www.example.net (192.168.1.100) port 80 (#0)
=> Send header, 178 bytes (0xb2)
0000: GET / HTTP/1.1
0010: User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7
0050: NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
008c: Host: www.example.net
00a3: Accept: */*
00b0:
...
== Info: Connection #0 to host www.example.net left intact
== Info: Issue another request to this URL: 'http://www.example.net/'
== Info: Re-using existing connection! (#0) with host www.example.net
== Info: Connected to www.example.net (192.168.1.100) port 80 (#0)
== Info: Server auth using GSS-Negotiate with user ''
=> Send header, 1969 bytes (0x7b1)
0000: GET / HTTP/1.1
0010: Authorization: Negotiate YIIFJgYJKoZIhvcSAQICAQBuggUVMIIFEaADAgE
0050: FoQMCAQ6iBwMFAAAAAACjggQkYYIEIDCCBBygAwIBBaENGwtFWEFNUExFLk5FVKI
0090: iMCCgAwIBA6EZMBcbBEhUVFAbD2RjMS5leGFtcGxlLm5ldKOCA+AwggPcoAMCARK
...
070f: User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7
074f: NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
078b: Host: www.example.net
07a2: Accept: */*
07af:
<= Recv header, 17 bytes (0x11)
0000: HTTP/1.1 200 OK
<= Recv header, 25 bytes (0x19)
0000: Content-Type: text/html
<= Recv header, 46 bytes (0x2e)
0000: Last-Modified: Sat, 05 Mar 2016 17:15:16 GMT
<= Recv header, 22 bytes (0x16)
0000: Accept-Ranges: bytes
...
匿名身份验证已禁用,并且已在站点和整个服务器的身份验证部分中启用 Windows 身份验证。我在提供程序部分中只留下了 Negotiate:Kerberos。内核模式身份验证已禁用。
我已经为 ftp 服务创建了 SPN 记录
> setspn.exe -a ftp/ftp.example.net dc1
Registering ServicePrincipalNames for CN=DC1,OU=Domain Controllers,DC=example,DC=net
ftp/ftp.example.net
Updated object
我可以看到新创建的 SPN 记录
> Setspn.exe -L DC1
Registered ServicePrincipalNames for CN=DC1,OU=Domain Controllers,DC=example,DC=net:
ftp/ftp.example.net
Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/dc1.example.net
HOST/DC1/EXAMPLE
ldap/DC1/EXAMPLE
ldap/dc1.example.net/ForestDnsZones.example.net
ldap/dc1.example.net/DomainDnsZones.example.net
DNS/dc1.example.net
GC/dc1.example.net/example.net
RestrictedKrbHost/dc1.example.net
RestrictedKrbHost/DC1
HOST/dc1.example.net/EXAMPLE
HOST/DC1
HOST/dc1.example.net
HOST/dc1.example.net/example.net
ldap/dc1.example.net/EXAMPLE
ldap/DC1
ldap/dc1.example.net
ldap/dc1.example.net/example.net
E3514235-4B06-11D1-AB04-00C04FC2DCD2/f9c3624c-5f19-4e0a-8afa-d730b0bd4e6d/example.net
ldap/f9c3624c-5f19-4e0a-8afa-d730b0bd4e6d._msdcs.example.net
但是当我尝试连接到 FTP 服务时出现以下错误
# curl --trace-ascii - --krb 5 -u : ftp://ftp.example.net
== Info: About to connect() to ftp.example.net port 21 (#0)
== Info: Trying 192.168.1.100... == Info: connected
== Info: Connected to ftp.example.net (192.168.1.100) port 21 (#0)
<= Recv header, 27 bytes (0x1b)
0000: 220 Microsoft FTP Service
== Info: Trying GSSAPI...
=> Send header, 13 bytes (0xd)
0000: AUTH GSSAPI
<= Recv header, 41 bytes (0x29)
0000: 504 Security mechanism not implemented.
== Info: GSSAPI is not supported by the server.
== Info: Logging in with password in cleartext!
...
我阅读了很多官方文档,但找不到是否可以为 FTP 服务配置 Kerberos 身份验证。
我的问题是:
- 这有可能吗?如果可能的话,我遗漏了什么?
- 如果不可能,我可以使用哪个 FTP 服务器进行 Kerberos 身份验证?
PS 在 Windows 身份验证部分的高级设置中,有一个选项 - 内核模式身份验证,其描述如下
默认情况下,IIS 启用内核模式身份验证,这可以提高身份验证性能并防止使用自定义标识配置的应用程序池出现身份验证问题。作为最佳做法,如果您的环境中使用 Kerberos 身份验证且应用程序池配置为使用自定义标识,请不要禁用此设置。
但是当我选中该框时出现以下错误
我是不是漏掉了什么?因为在上一个屏幕上,IIS 建议不要禁用内核模式身份验证,尤其是对于 Kerberos 身份验证。所以我有点困惑。
提前致谢