Detailed Tests of the IIS Authentication Methods
Updated: 2008-12-29 20:40:47 Author:
3.3.5. The client sends the challenge encrypted with the account logged on to the local machine
GET /wstest/default.aspx HTTP/1.1
Accept: */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; MAXTHON 2.0)
Host: biztalkr2:81
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAIoAAAAYABgAogAAABQAFABIAAAAGgAaAFwAAAAUABQAdgAAAAAAAAC6AAAABYKIogUCzg4AAAAPVwBJAE4AMgAwADAAMwAtAFAAQwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAFcASQBOADIAMAAwADMALQBQAEMAg7v6JYS/3bAAAAAAAAAAAAAAAAAAAAAArE2xu3xDN3w0LmV1yUkDkrqVWhb2wg27
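3.3.6. The server validates the response and returns the resource
The username and password of the user logged on at the client happen to match an account and password on the server, so authentication succeeds.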
HTTP/1.1 200 OK
Date: Wed, 14 Nov 2007 12:35:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 522
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
.Untitled Page
</title></head>
<body>
<form name="form1" method="post" action="default.aspx" id="form1">
<div>
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNzgzNDMwNTMzZGTcefU2sz1MLsbXiZdUEXomIyZ20Q==" />
</div>
<div>
This is a simple page!</div>
</form>
</body>
</html>
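4. Client and server are both in the same domain
The server and the client machine are on the same LAN and in the same domain. The client's IE requests a page, iisstart.htm, from the server's IIS.
IIS server settings:
- Anonymous access is disabled
- Only Integrated Windows authentication is enabled
In this environment there are the following cases:
4.1. The client accesses the server by IP address
4.1.1. Client IE requests the page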
GET /iisstart.htm HTTP/1.1
Accept: */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; MAXTHON 2.0)
Host: 192.168.100.5:81
Connection: Keep-Alive
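4.1.2. The server returns an unauthorized response
IIS is configured to disallow anonymous access and to accept only Windows authentication, so it sends a 401 Unauthorized response and returns two authentication headers, Negotiate and NTLM, for the client to choose from.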
HTTP/1.1 401 Unauthorized
Content-Length: 1327
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2007 07:23:43 GMT
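4.1.3. The client chooses NTLM authentication, prompts for a username and password, and requests the challenge
Because the server is accessed by IP address, the URL contains the "." character, so IE assumes the target is not an intranet server. It therefore does not hand the user's credentials to the server directly and asks the user to enter an account instead.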
GET /iisstart.htm HTTP/1.1
Accept: */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; MAXTHON 2.0)
Host: 192.168.100.5:81
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAAD4==
4.1.4. The server returns the challenge
HTTP/1.1 401 Unauthorized
Content-Length: 1251
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAACgAKADgAAAAFgomiF0CRjzLrr+cAAAAAAAAAAHwAfABCAAAABQLODgAAAA9TAFoAQgBUAEkAAgAKAFMAWgBCAFQASQABAAgATABPAEcAUwAEABgAcwB6AGIAdABpAC4AZwBvAHYALgBjAG4AAwAiAGwAbwBnAHMALgBzAHoAYgB0AGkALgBnAG8AdgAuAGMAbgAFABgAcwB6AGIAdABpAC4AZwBvAHYALgBjAG4AAAAAAA==
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2007 07:24:15 GMT
4.1.5. The client sends the challenge encrypted with the password of the account entered earlier
GET /iisstart.htm HTTP/1.1
Accept: */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; MAXTHON 2.0)
Host: 192.168.100.5:81
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAHYAAAAYABgAjgAAABoAGgBIAAAACgAKAGIAAAAKAAoAbAAAAAAAAACmAAAABYKIogUCzg4AAAAPMQA5ADIALgAxADYAOAAuADEAMAAwAC4ANQBqAGkAbgBqAHoASgBJAE4ASgBaALVaV8Ku0ERuAAAAAAAAAAAAAAAAAAAAAFowQcbaUXykWTrI7WJKQUA2taaV7wo5T2==
4.1.6. The server validates the response and returns the resource
HTTP/1.1 200 OK
Content-Length: 1135
Content-Type: text/html
Last-Modified: Mon, 12 Nov 2007 09:33:27 GMT
Accept-Ranges: bytes
ETag: "d4469314f25c81:e35"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2007 07:24:15 GMT
<html>
<head>
<meta HTTP-EQUIV="Content-Type" Content="text/html; charset=gb2312">
</head>
<body bgcolor=white>
This is a simple page!
</body>
</html>
4.2. The client accesses the server by machine name, and the client user is logged on with a domain account
4.2.1. Client IE requests the page
GET /iisstart.htm HTTP/1.1
Accept: */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; MAXTHON 2.0)
Host: logs:81
Connection: Keep-Alive
4.2.2. The server returns an unauthorized response
HTTP/1.1 401 Unauthorized
Content-Length: 1327
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2007 08:27:18 GMT
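4.2.3. The client chooses Kerberos authentication and sends the ticket to the server
The client is in the domain and the user is logged on with a domain account, so the client's IE chooses Kerberos authentication and sends the user's ticket to the server.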
GET /iisstart.htm HTTP/1.1
Accept: */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; MAXTHON 2.0)
Host: logs:81
Connection: Keep-Alive
Authorization: Negotiate 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
4.2.4. The server validates the ticket and returns the resource
HTTP/1.1 200 OK
Content-Length: 167
Content-Type: text/html
Last-Modified: Wed, 14 Nov 2007 08:21:24 GMT
Accept-Ranges: bytes
ETag: "bf2d54589726c81:e35"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
WWW-Authenticate: Negotiate oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICooGIBIGFYIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWrdYWb37ROEMMnP/4vTBwSe9hVe4XklXCWqFKG16d53aBUiTEem+lrFE8ycBgSln3zme63lKfSn9UHoNTlT100T86wxllsyrrMe437ElPcxI4pgcv9rNKU9aKg==
Date: Wed, 14 Nov 2007 08:27:18 GMT
<html>
<head>
<meta HTTP-EQUIV="Content-Type" Content="text/html; charset=gb2312">
</head>
<body bgcolor=white>
This is a simple page!
</body>
</html>
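4.3. The client accesses the server by machine name; the client user is logged on as a local user of the client machine, and the username/password does not match a server account
4.3.1. Client IE requests the page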
GET /iisstart.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)
Host: logs:81
Connection: Keep-Alive
4.3.2. The server returns an unauthorized response
HTTP/1.1 401 Unauthorized
Content-Length: 1327
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2007 08:58:13 GMT
4.3.3. The client chooses NTLM authentication and requests the challenge
GET /iisstart.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)
Host: logs:81
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==
4.3.4. The server returns the challenge
HTTP/1.1 401 Unauthorized
Content-Length: 1251
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAACgAKADgAAAAFgomibnmMcRgPlTMAAAAAAAAAAHwAfABCAAAABQLODgAAAA9TAFoAQgBUAEkAAgAKAFMAWgBCAFQASQABAAgATABPAEcAUwAEABgAcwB6AGIAdABpAC4AZwBvAHYALgBjAG4AAwAiAGwAbwBnAHMALgBzAHoAYgB0AGkALgBnAG8AdgAuAGMAbgAFABgAcwB6AGIAdABpAC4AZwBvAHYALgBjAG4AAAAAAA==
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2007 08:58:13 GMT
4.3.5. The client sends the challenge encrypted with the account logged on to the local machine
GET /iisstart.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)
Host: logs:81
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAHYAAAAYABgAjgAAAAoACgBIAAAAGgAaAFIAAAAKAAoAbAAAAAAAAACmAAAABYKIogUCzg4AAAAPSgBJAE4ASgBaAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIASgBJAE4ASgBaACY8afODxKsFAAAAAAAAAAAAAAAAAAAAAPfRbw7FX9gKolM+6+QhqsRU+MWS3jKLkQ==
4.3.6. The server returns an unauthorized response
HTTP/1.1 401 Unauthorized
Content-Length: 1251
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2007 08:58:13 GMT
4.3.7. The client continues with NTLM authentication, prompts for a username and password, and requests the challenge again
GET /iisstart.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)
Host: logs:81
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==
4.3.8. The server returns the challenge
HTTP/1.1 401 Unauthorized
Content-Length: 1251
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAACgAKADgAAAAFgomi3CZKUW4302QAAAAAAAAAAHwAfABCAAAABQLODgAAAA9TAFoAQgBUAEkAAgAKAFMAWgBCAFQASQABAAgATABPAEcAUwAEABgAcwB6AGIAdABpAC4AZwBvAHYALgBjAG4AAwAiAGwAbwBnAHMALgBzAHoAYgB0AGkALgBnAG8AdgAuAGMAbgAFABgAcwB6AGIAdABpAC4AZwBvAHYALgBjAG4AAAAAAA==
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2007 08:59:09 GMT
4.3.9. The client sends the challenge encrypted with the password of the account entered earlier
GET /iisstart.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)
Host: logs:81
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAHYAAAAYABgAjgAAAAoACgBIAAAAGgAaAFIAAAAKAAoAbAAAAAAAAACmAAAABYKIogUCzg4AAAAPSgBJAE4ASgBaAGEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIASgBJAE4ASgBaAIP0UwZaV4tAAAAAAAAAAAAAAAAAAAAAAMS9l9MtVOFPSz/JmjD+/7W2ssAdBrkvwQ==
4.3.10. The server validates the response and returns the resource
HTTP/1.1 200 OK
Content-Length: 167
Content-Type: text/html
Last-Modified: Wed, 14 Nov 2007 08:21:24 GMT
Accept-Ranges: bytes
ETag: "bf2d54589726c81:e35"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2007 08:59:09 GMT
<html>
<head>
<meta HTTP-EQUIV="Content-Type" Content="text/html; charset=gb2312">
</head>
<body bgcolor=white>
This is a simple page!
</body>
</html>
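4.4. The client accesses the server by machine name; the client user is logged on as a local user of the client machine, and the username/password matches a server account
4.4.1. Client IE requests the page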
GET /iisstart.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)
Host: logs:81
Connection: Keep-Alive
4.4.2. The server returns an unauthorized response
HTTP/1.1 401 Unauthorized
Content-Length: 1327
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2007 09:11:09 GMT
4.4.3. The client chooses NTLM authentication and requests the challenge
GET /iisstart.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)
Host: logs:81
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==
4.4.4. The server returns the challenge
HTTP/1.1 401 Unauthorized
Content-Length: 1251
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAACgAKADgAAAAFgomil8OZAC0QBhYAAAAAAAAAAHwAfABCAAAABQLODgAAAA9TAFoAQgBUAEkAAgAKAFMAWgBCAFQASQABAAgATABPAEcAUwAEABgAcwB6AGIAdABpAC4AZwBvAHYALgBjAG4AAwAiAGwAbwBnAHMALgBzAHoAYgB0AGkALgBnAG8AdgAuAGMAbgAFABgAcwB6AGIAdABpAC4AZwBvAHYALgBjAG4AAAAAAA==
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2007 09:11:09 GMT
4.4.5. The client sends the challenge encrypted with the account logged on to the local machine
GET /iisstart.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)
Host: logs:81
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAHYAAAAYABgAjgAAAAoACgBIAAAAGgAaAFIAAAAKAAoAbAAAAAAAAACmAAAABYKIogUCzg4AAAAPSgBJAE4ASgBaAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIASgBJAE4ASgBaAMQdxp9OWMESAAAAAAAAAAAAAAAAAAAAAMEj775cWctAx2Csmbgfq2afsGcop92oMA==
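4.4.6. The server validates the response and returns the resource
The username and password of the user logged on at the client happen to match an account and password on the server, so authentication succeeds.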
HTTP/1.1 200 OK
Content-Length: 167
Content-Type: text/html
Last-Modified: Wed, 14 Nov 2007 08:21:24 GMT
Accept-Ranges: bytes
ETag: "bf2d54589726c81:e35"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2007 09:11:09 GMT
<html>
<head>
<meta HTTP-EQUIV="Content-Type" Content="text/html; charset=gb2312">
</head>
<body bgcolor=white>
This is a simple page!
</body>
</html>
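5. Summary of integrated authentication
5.1. The client accesses the server by IP address
Regardless of whether the client and server are in a domain, and regardless of whether the client is logged on with a domain account, whenever the client accesses the server by IP address it chooses NTLM authentication. It does not send the logged-on user's username and password to the server directly; instead it pops up a dialog asking the user to enter a username and password, and sends those to the server for validation.
You can avoid this prompt for intranet servers that are accessed by IP address or whose names contain periods by listing the servers addressed by IP, or the server names containing periods, in Internet Explorer's "Local intranet" settings. To reach the "Local intranet" settings, click "Tools", "Internet Options", "Local intranet", "Sites", "Advanced" in turn. Then enter http://127.0.0.1 or the URL of the relevant site under "Add this website to the zone".
Everything summarized below applies to the case where the client accesses the server by machine name.
5.2. The server is in a domain and the client is logged on with a domain account
If the client machine is in the domain and the logged-on user is a domain user, IE chooses Kerberos authentication.
5.3. In all other cases IE chooses NTLM authentication
Apart from the two cases above, the client always chooses NTLM authentication and first tries sending the username and password of the user logged on at the client to the server for validation. If validation succeeds, access is granted directly; if it fails, the client pops up a dialog asking for a username and password and sends those to the server for validation, until validation succeeds.
Of the integrated Windows authentication modes, Kerberos is the best authentication scheme for an intranet environment in which users have Windows domain accounts: Kerberos authentication does not pass the user's password over the network and only transmits a ticket for the user. NTLM does send the user's password, but only after processing: an 8-byte key is derived from it and used to encrypt the challenge, so it is also fairly secure.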
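An added example (not part of the original article): a Python decoder for the value that follows "Negotiate" in the captures above, reporting whether an exchange used NTLM or SPNEGO/Kerberos and which account an NTLM Type 3 message names. The three tokens are copied from sections 4.1.4, 4.3.5 and 4.2.4; the function names are this example's own.

```python
import base64
import struct

# Header values copied verbatim from the captures in this article.
TYPE2_4_1_4 = "TlRMTVNTUAACAAAACgAKADgAAAAFgomiF0CRjzLrr+cAAAAAAAAAAHwAfABCAAAABQLODgAAAA9TAFoAQgBUAEkAAgAKAFMAWgBCAFQASQABAAgATABPAEcAUwAEABgAcwB6AGIAdABpAC4AZwBvAHYALgBjAG4AAwAiAGwAbwBnAHMALgBzAHoAYgB0AGkALgBnAG8AdgAuAGMAbgAFABgAcwB6AGIAdABpAC4AZwBvAHYALgBjAG4AAAAAAA=="
TYPE3_4_3_5 = "TlRMTVNTUAADAAAAGAAYAHYAAAAYABgAjgAAAAoACgBIAAAAGgAaAFIAAAAKAAoAbAAAAAAAAACmAAAABYKIogUCzg4AAAAPSgBJAE4ASgBaAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIASgBJAE4ASgBaACY8afODxKsFAAAAAAAAAAAAAAAAAAAAAPfRbw7FX9gKolM+6+QhqsRU+MWS3jKLkQ=="
SPNEGO_4_2_4 = "oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICooGIBIGFYIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWrdYWb37ROEMMnP/4vTBwSe9hVe4XklXCWqFKG16d53aBUiTEem+lrFE8ycBgSln3zme63lKfSn9UHoNTlT100T86wxllsyrrMe437ElPcxI4pgcv9rNKU9aKg=="

KRB5_OID = bytes.fromhex("2a864886f712010202")  # Kerberos V5, 1.2.840.113554.1.2.2


def _field(msg, pos):
    """Read an NTLM (length, max length, offset) descriptor and return its payload."""
    length, _max, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]


def _text(raw, flags):
    # NTLMSSP_NEGOTIATE_UNICODE (bit 0) means UTF-16LE, otherwise an OEM code page.
    return raw.decode("utf-16-le" if flags & 1 else "cp437", errors="replace")


def classify_negotiate(token_b64):
    """Classify the token after 'Negotiate ' in Authorization / WWW-Authenticate."""
    msg = base64.b64decode(token_b64)
    if msg[:8] != b"NTLMSSP\x00":
        # 0x60 = GSS-API initial context token, 0xa1 = SPNEGO negTokenResp.
        if msg[:1] in (b"\x60", b"\xa1"):
            return {"mech": "SPNEGO", "kerberos": KRB5_OID in msg}
        return {"mech": "unknown"}
    (mtype,) = struct.unpack_from("<I", msg, 8)
    out = {"mech": "NTLM", "type": mtype}
    if mtype == 2:    # CHALLENGE: target name @12, flags @20, server challenge @24
        (flags,) = struct.unpack_from("<I", msg, 20)
        out["target"] = _text(_field(msg, 12), flags)
        out["challenge"] = msg[24:32].hex()
    elif mtype == 3:  # AUTHENTICATE: NT @20, domain @28, user @36, workstation @44, flags @60
        (flags,) = struct.unpack_from("<I", msg, 60)
        out["domain"] = _text(_field(msg, 28), flags)
        out["user"] = _text(_field(msg, 36), flags)
        out["workstation"] = _text(_field(msg, 44), flags)
        # 24 bytes is an NTLMv1-family response; NTLMv2 responses are longer.
        out["nt_response_len"] = len(_field(msg, 20))
    return out
```

For the 4.3.5 token the decoder returns domain JINJZ, user Administrator and workstation JINJZ, that is, the client's local account that IE sent automatically before prompting.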
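IV. Basic authentication
The client's IE requests a page, iisstart.htm, from the server's IIS.
IIS server settings:
- Anonymous access is disabled
- Only Basic authentication is enabled
1. Client IE requests the page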
GET /iisstart.htm HTTP/1.1
Accept: */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; MAXTHON 2.0)
Host: logs:81
Connection: Keep-Alive
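2. The server returns an unauthorized response and tells the client that Basic authentication is required
The server is configured for Basic authentication, so the HTTP headers of the unauthorized response include a WWW-Authenticate: Basic header, which tells the client that the server requires Basic authentication.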
HTTP/1.1 401 Unauthorized
Content-Length: 1327
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Basic realm="logs"
X-Powered-By: ASP.NET
Date: Mon, 19 Nov 2007 06:15:57 GMT
3. The client pops up a dialog asking for a username and password
GET /iisstart.htm HTTP/1.1
Accept: */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; MAXTHON 2.0)
Host: logs:81
Connection: Keep-Alive
Authorization: Basic YWRtaW5pc3RyYXRvcjpzemJ0aUAxMDA1
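The client converts the username and password to base64 and sends them straight to the server.
The "YWRtaW5pc3RyYXRvcjpzemJ0aUAxMDA1" part of the "Authorization: Basic" header sent to the server is the user's username and password; after base64 decoding it reads: administrator:szbti@1005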
4. The server validates the credentials and returns the resource
HTTP/1.1 200 OK
Content-Length: 167
Content-Type: text/html
Last-Modified: Wed, 14 Nov 2007 08:21:24 GMT
Accept-Ranges: bytes
ETag: "bf2d54589726c81:e7d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 19 Nov 2007 06:16:34 GMT
<html>
<head>
<meta HTTP-EQUIV="Content-Type" Content="text/html; charset=gb2312">
</head>
<body bgcolor=white>
This is a simple page!
</body>
</html>