Windows authentication through a reverse proxy problem

Problem description:

Have an IIS reverse proxy redirecting specific requests on a website with Windows authentication and impersonation to another local site with Windows authentication + impersonation.

The reverse proxy and the web application are placed on different machines and IIS versions (proxy: IIS 7.5, web app: IIS 6) in the same domain.

Requests through the reverse proxy do not allow the user to be authenticated on the remote server; there is an infinite authentication request.

This is inherent to the way Windows authentication (NTLM) works: the password is never sent, authentication is done with a salted hash of the password, so the first server can authenticate the user but cannot re-use those credentials to impersonate the same user on a remote server (since without the password it cannot authenticate).
Look at this blog post to get more information about this problem (which is known as the "double-hop problem").
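To make the answer's point concrete, here is an added toy model of NTLM-style challenge-response; it is not code from the question or answer, and it is a simplification (the real protocol uses an NT hash and HMAC-MD5, replaced here by SHA-256/HMAC-SHA256; the class and user names are made up). It shows why the first hop succeeds and the second fails: the proxy holds only the client's response to its own challenge, and the backend issues a different challenge.

```python
import hashlib
import hmac
import os


def password_key(password: str) -> bytes:
    """Stand-in for the NT hash (real NTLM: MD4 over the UTF-16LE password)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def client_response(password: str, challenge: bytes) -> bytes:
    """Stand-in for the NTLM response: keyed hash over the server's challenge."""
    return hmac.new(password_key(password), challenge, hashlib.sha256).digest()


class DomainController:
    """Holds the password-derived keys; member servers never see them."""

    def __init__(self, users: dict):
        self.keys = {u: password_key(p) for u, p in users.items()}

    def check(self, user: str, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self.keys[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class MemberServer:
    """Issues a fresh challenge per attempt and asks the DC to check the response."""

    def __init__(self, name: str, dc: DomainController):
        self.name, self.dc = name, dc

    def challenge(self) -> bytes:
        return os.urandom(8)  # fresh nonce, so an old response is useless

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        return self.dc.check(user, challenge, response)


def double_hop(user: str, password: str, proxy: MemberServer, backend: MemberServer):
    """Returns (first hop ok, second hop ok) for the proxy forwarding the user."""
    c1 = proxy.challenge()
    r1 = client_response(password, c1)          # only the client knows the password
    first_hop_ok = proxy.verify(user, c1, r1)
    # The proxy knows only (c1, r1). The backend issues its own challenge c2,
    # and without the password the proxy cannot compute a response to it.
    c2 = backend.challenge()
    second_hop_ok = backend.verify(user, c2, r1)  # replaying r1 is rejected
    return first_hop_ok, second_hop_ok
```

The model mirrors the answer: the second hop only works when the party talking to the backend can itself answer the backend's challenge, which the proxy cannot do from the first hop's data alone.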