authentication issue with an intranet website runn

2020-05-29 06:22发布

问题:

I have an an intranet website running under IIS6 (under a specific port, not the default one) with a integrated windows authentication enabled and uses an application pool configured with a service account. the issue is, if I access the website using the server name with a fully qualified domain in the URL, it throws a login prompt (doesn't work even if enter my windows login credentials), but if I use the IP address of the server then it works fine. Please let me know what I need to do to get the URL with server name working. for example http://servername:8080/default.aspx throws login prompt, but http://ip address:8080/default.aspx works fine

回答1:

I am experiencing the same problem. I believe it is something to do with Kerberos authentication mechanism. If it resorts to NTLM it will work (which it does when using an IP address). Kerberos requires an SPN registered on Active Directory for it to work. Kerberos also won't allow you to have application pools running under different accounts but with the same server name. In these situations you should have an alternate name for the site and register that with Kerberos. However, I haven't actually resolved the issue yet so these are just suggestions.



回答2:

Two possible problems come to my mind:

  1. The DNS server in your network is not resolving servername to an IP

    • Run Ping servername from the command line to check if the name brings the IP expected
    • edit the C:\Windows\System32\drivers\etc\hosts file and add the server name and IP address
  2. The Bindings in IIS6 does not expect servername

    • Make sure that servername is included in the list or the Host Header Name field is empty


回答3:

I had exactly these symptoms when the web server had its IP address changed due to a new internal IP addressing scheme. Pass through authentication worked from the webserver itself but not from any other system. From other systems, using the host name in the URL caused IE to prompt for credentials which were always rejected, using the IP address in the URL caused IE to prompt for credentials which were accepted. After chasing a lot of red herrings we suspected that the server was caching credentials against the old IP address, so we rebooted the server and it all came right.



回答4:

Try this. I had exactly same problem and it fixed it for me (I'm the linked thread)

I set my AuthenticationProvider for my website to "NTLM, Negotiate"

Following these instructions: http://support.microsoft.com/kb/215383

With a slight change to their instruction to set provider of course

mine:

cscript adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "**NTLM, Negotiate**"

You can get the Website ID by clicking on the "Web Sites" folder on the left in IIS. This should list all your website with their ID

Thanks to Nick's answer that lead me to it