2011-03-03 19 views
18

Binding IIS with Windows authentication

I have a local website (http://localhost/testsite) with Windows authentication -> works fine.

Now I change the binding of the site to a URL (http://testite.blablabla.biz) with Windows authentication -> HTTP Error 401.1 - Unauthorized: You do not have permission to view this directory or page using the credentials that you supplied.

What am I doing wrong? I have already searched a lot on Google, but nothing really helps. I think it has something to do with DOMAINNAMES or something, but I'm not sure.. Anyone who can help?

Answers

0

Note that by changing the binding, this site can no longer be accessed by your previous URL in a web browser. Learn what a binding is and you should know whether you did something wrong or not.

So the site that gives you this 401.1 can be another site completely.

30

Windows has a security feature, the loopback check, that is designed to help prevent reflection attacks on your computer.

When you use a custom host header to browse a local website hosted on a computer running IIS, you will receive this error message if the website uses Windows authentication and its name is mapped to the local loopback address.

There are two methods to work around this issue:

1) Specify host names, or

2) Disable the loopback check

Microsoft KB Article ID: 896861

+9

Hey you, loopback!!! –

+0

Thanks, saved many hours :) –

+0

Nice one, thanks for this haha – superlogical

0

Here are PowerShell commandlets that I wrote to manage the loopback check settings. It includes code that attempts to get the hostnames for all IIS web sites that use Windows authentication and set the back connection host names.

Import-Module WebAdministration 

function Add-BackConnectionHostName 
{ 
    <# 
    .SYNOPSIS 
    Adds the back connection hostnames that will bypass the server loopback check. 
    .DESCRIPTION 
    Adds the hostname to the list of back connection hostnames that will bypass the server loopback check. Back connection host names 
    can be used to address the problem with IIS sites using Windows Authentication that is described in Microsoft KB896861. 
    .EXAMPLE 
    Add-BackConnectionHostName mywebsite.mydomain.tld 
    .EXAMPLE 
    Add-BackConnectionHostName mywebsite1.mydomain.tld, mywebsite2.mydomain.tld 
    .PARAMETER Hostname 
    The Hostname to add to the back connection hostnames list. 
    .LINK 
    Remove-BackConnectionHostName 
    Get-BackConnectionHostName 
    Enable-ServerLoopbackCheck 
    Disable-ServerLoopbackCheck 
    Get-ServerLoopbackCheck 
    "You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.microsoft.com/en-us/kb/896861) 
    #> 
    [CmdletBinding(SupportsShouldProcess = $true)] 
    param 
    (
     [Parameter(ValueFromPipeline = $true, Mandatory = $true)] 
     [string[]] $Hostname 
    ) 

    begin 
    { 
     $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" 
     $propertyName = "BackConnectionHostNames" 
     $key = Get-Item $keyPath 
     $property = $null 
     $propertyValues = $null 

     if ($key -ne $null) 
     { 
      $property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue 

      if ($property -eq $null) 
      { 
       $property = New-ItemProperty $keyPath -Name $propertyName -Value $null -PropertyType ([Microsoft.Win32.RegistryValueKind]::MultiString) -ErrorAction Stop 

       Write-Verbose "Created the $($propertyName) property." 
      } 

      if ($property -ne $null) 
      { 
       # Force an array so that += appends entries instead of concatenating strings. 
       $propertyValues = @($property.$propertyName) 
      } 
     } 
    } 

    process 
    { 
     if ($property -ne $null) 
     { 
      foreach ($hostNameValue in $Hostname) 
      { 
       if ([string]::IsNullOrWhiteSpace($hostNameValue) -eq $false -and $propertyValues -notcontains $hostNameValue) 
       { 
        $propertyValues += $hostNameValue 

        Write-Verbose "Added $($hostNameValue) to the back connection hostnames." 
       } 
       else 
       { 
        Write-Verbose "Back connection host names already has an entry for $($hostNameValue)." 
       } 
      } 
     } 
    } 

    end 
    { 
     if ($propertyValues -ne $null) 
     { 
      $propertyValues = $propertyValues | ?{ [string]::IsNullOrWhiteSpace($_) -eq $false } | Sort -Unique 
      Set-ItemProperty $keyPath -Name $propertyName -Value $propertyValues 
     } 
    } 
} 

function Remove-BackConnectionHostName 
{ 
    <# 
    .SYNOPSIS 
    Removes the hostname from the list of back connection hostnames that will bypass the server loopback check. 
    .DESCRIPTION 
    Removes the hostname from the list of back connection hostnames that will bypass the server loopback check. 
    .EXAMPLE 
    Remove-BackConnectionHostName mywebsite.mydomain.tld 
    .EXAMPLE 
    Remove-BackConnectionHostName mywebsite1.mydomain.tld, mywebsite2.mydomain.tld 
    .PARAMETER Hostname 
    The Hostname to remove from the back connection hostnames list. 
    .LINK 
    Add-BackConnectionHostName 
    Get-BackConnectionHostName 
    Enable-ServerLoopbackCheck 
    Disable-ServerLoopbackCheck 
    Get-ServerLoopbackCheck 
    "You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.microsoft.com/en-us/kb/896861) 
    #> 
    [CmdletBinding(SupportsShouldProcess = $true)] 
    param 
    (
     [Parameter(ValueFromPipeline = $true, Mandatory = $true)] 
     [string[]] $Hostname 
    ) 

    begin 
    { 
     $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" 
     $propertyName = "BackConnectionHostNames" 
     $key = Get-Item $keyPath 
     $property = $null 
     $propertyValues = $null 

     if ($key -ne $null) 
     { 
      $property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue 

      if ($property -ne $null) 
      { 
       $propertyValues = $property.$propertyName 
      } 
      else 
      { 
       Write-Verbose "The $($propertyName) property was not found." 
      } 
     } 
    } 

    process 
    { 
     if ($property -ne $null) 
     { 
      foreach ($hostNameValue in $Hostname) 
      { 
       if ($propertyValues -contains $hostNameValue) 
       { 
        $propertyValues = $propertyValues | ? { $_ -ne $hostNameValue } 

        Write-Verbose "Removed $($hostNameValue) from the $($propertyName) property." 
       } 
       else 
       { 
        Write-Verbose "No entry for $($hostNameValue) was found in the $($propertyName) property." 
       } 
      } 
     } 
    } 

    end 
    { 
     if ($property -ne $null) 
     { 
      $propertyValues = $propertyValues | ?{ [string]::IsNullOrWhiteSpace($_) -eq $false } | Sort -Unique 

      if ($propertyValues.Length -ne 0) 
      { 
       Set-ItemProperty $keyPath -Name $propertyName -Value $propertyValues 
      } 
      else 
      { 
       Remove-ItemProperty $keyPath -Name $propertyName 

       Write-Verbose "No entries remain after removing $($hostName). The $($propertyName) property was removed." 
      } 
     } 
    } 
} 

function Get-BackConnectionHostName 
{ 
    <# 
    .SYNOPSIS 
    Gets the list of back connection hostnames that will bypass the server loopback check. 
    .DESCRIPTION 
    Gets the back connection hostnames that will bypass the server loopback check. Back connection host names can be used to address 
    the problem with IIS sites using Windows Authentication that is described in Microsoft KB896861. 
    .EXAMPLE 
    Get-BackConnectionHostName 
    .LINK 
    Add-BackConnectionHostName 
    Remove-BackConnectionHostName 
    Enable-ServerLoopbackCheck 
    Disable-ServerLoopbackCheck 
    Get-ServerLoopbackCheck 
    "You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.microsoft.com/en-us/kb/896861) 
    #> 
    [CmdletBinding(SupportsShouldProcess = $false)] 
    param 
    (
    ) 

    begin 
    { 
     $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" 
     $propertyName = "BackConnectionHostNames" 
     $key = Get-Item $keyPath 
     $property = $null 

     if ($key -ne $null) 
     { 
      $property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue 

      if ($property -eq $null) 
      { 
       Write-Verbose "The $($propertyName) property was not found." 
      } 
     } 
    } 

    process 
    { 
     $propertyValues = $null 

     if ($property -ne $null) 
     { 
      $propertyValues = $property.$propertyName 
     } 

     return $propertyValues 
    } 

    end 
    { 
    } 
} 

function Enable-ServerLoopbackCheck 
{ 
    <# 
    .SYNOPSIS 
    Enables the server loopback check. Enabled is the normal state for a Windows Server. 
    .DESCRIPTION 
    Enables the server loopback check. Having the loopback check enabled is the normal state for a Windows Server. Disabling the loopback check can be used to address 
    the problem with IIS sites using Windows Authentication that is described in Microsoft KB896861. It is NOT the preferred method. See the KB article for more details. 
    .EXAMPLE 
    Enable-ServerLoopbackCheck 
    .LINK 
    Add-BackConnectionHostName 
    Remove-BackConnectionHostName 
    Get-BackConnectionHostName 
    Disable-ServerLoopbackCheck 
    Get-ServerLoopbackCheck 
    "You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.microsoft.com/en-us/kb/896861) 
    #> 
    [CmdletBinding(SupportsShouldProcess = $true)] 
    param 
    (
    ) 

    begin 
    { 
     $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" 
     $propertyName = "DisableLoopbackCheck" 
     $key = Get-Item $keyPath 
     $property = $null 

     if ($key -ne $null) 
     { 
      $property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue 

      if ($property -eq $null) 
      { 
       Write-Verbose "The $($propertyName) property was not found." 
      } 
     } 
    } 

    process 
    { 
     if ($property -ne $null) 
     { 
      Set-ItemProperty $keyPath -Name $propertyName -Value 0 
     } 
    } 

    end 
    { 
    } 
} 

function Disable-ServerLoopbackCheck 
{ 
    <# 
    .SYNOPSIS 
    Disables the server loopback check for all hostnames. Enabled is the normal state for a Windows Server. 
    .DESCRIPTION 
    Disables the server loopback check for all hostnames. Having the loopback check enabled is the normal state for a Windows Server. Disabling the loopback check can be used 
    to address the problem with IIS sites using Windows Authentication that is described in Microsoft KB896861. It is NOT the preferred method. See the KB article for more details. 
    .EXAMPLE 
    Disable-ServerLoopbackCheck 
    .LINK 
    Add-BackConnectionHostName 
    Remove-BackConnectionHostName 
    Get-BackConnectionHostName 
    Enable-ServerLoopbackCheck 
    Get-ServerLoopbackCheck 
    "You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.microsoft.com/en-us/kb/896861) 
    #> 
    [CmdletBinding(SupportsShouldProcess = $true)] 
    param 
    (
    ) 

    begin 
    { 
     $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" 
     $propertyName = "DisableLoopbackCheck" 
     $key = Get-Item $keyPath 
     $property = $null 

     if ($key -ne $null) 
     { 
      $property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue 

      if ($property -eq $null) 
      { 
       Write-Verbose "The $($propertyName) property was not found." 
      } 
     } 
    } 

    process 
    { 
     if ($property -ne $null) 
     { 
      Set-ItemProperty $keyPath -Name $propertyName -Value 1 
     } 
     else 
     { 
      $property = New-ItemProperty $keyPath -Name $propertyName -PropertyType ([Microsoft.Win32.RegistryValueKind]::DWord) -Value 1 
     } 
    } 

    end 
    { 
    } 
} 

function Get-ServerLoopbackCheck 
{ 
    <# 
    .SYNOPSIS 
    Gets the status of the server loopback check. Enabled is the normal state for a Windows Server. 
    .DESCRIPTION 
    Gets the status of the server loopback check. Having the loopback check enabled is the normal state for a Windows Server. Disabling the loopback check can be used 
    to address the problem with IIS sites using Windows Authentication that is described in Microsoft KB896861. It is NOT the preferred method. See the KB article for 
    more details. 
    .EXAMPLE 
    Get-ServerLoopbackCheck 
    .LINK 
    Add-BackConnectionHostName 
    Remove-BackConnectionHostName 
    Get-BackConnectionHostName 
    Enable-ServerLoopbackCheck 
    Disable-ServerLoopbackCheck 
    "You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.microsoft.com/en-us/kb/896861) 
    #> 
    [CmdletBinding(SupportsShouldProcess = $false)] 
    param 
    (
    ) 

    begin 
    { 
     $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" 
     $propertyName = "DisableLoopbackCheck" 
     $key = Get-Item $keyPath 
     $property = $null 

     if ($key -ne $null) 
     { 
      $property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue 
     } 
    } 

    process 
    { 
     $loopbackCheckStatus = "Enabled" 

     if ($property -ne $null) 
     { 
      # Compare the registry value itself, not the object returned by Get-ItemProperty. 
      switch ($property.$propertyName) 
      { 
       0 { $loopbackCheckStatus = "Enabled" } 
       1 { $loopbackCheckStatus = "Disabled" } 
       default { $loopbackCheckStatus = "Unknown" } 
      } 
     } 

     return $loopbackCheckStatus 
    } 

    end 
    { 
    } 
} 

function Get-WebsiteHostname 
{ 
    <# 
    .SYNOPSIS 
    Gets the hostnames for the IP addresses bound to a web site. 
    .DESCRIPTION 
    Gets the hostnames for the IP addresses bound to a web site. Where a host header exists, the host header is used; otherwise, the IP address is looked up 
    in DNS to see if a PTR record exists. 
    .EXAMPLE 
    Get-WebSiteHostname $webSite 
    .EXAMPLE 
    Get-WebSiteHostname -Name 'Default Web Site' 
    .EXAMPLE 
    Get-Website | Get-WebSiteHostname 
    .LINK 
    Get-Website 
    #> 
    [CmdletBinding(SupportsShouldProcess = $false)] 
    param 
    (
     [Parameter(ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Mandatory = $true)] 
     [string[]] $Name 
    ) 

    process 
    { 
     $siteHostnames = @() 

     foreach ($webSiteName in $Name) 
     { 
      $bindings = Get-WebBinding -Name $webSiteName 

      foreach ($binding in $bindings) 
      { 
       # bindingInformation has the form "address:port:hostheader". 
       $bindingInfo = $binding.bindingInformation.Split(':') 
       $hostHeader = $bindingInfo[2] 
       $bindingInfoAddress = $null 
       $isValidIP = [System.Net.IPAddress]::TryParse($bindingInfo[0], [ref] $bindingInfoAddress) 
       $siteHostname = $null 

       # A host header is used whenever one exists, even if the address is All Unassigned (*). 
       if ([string]::IsNullOrWhiteSpace($hostHeader) -eq $false) 
       { 
        $siteHostname = $hostHeader 
        Write-Verbose "The $($webSiteName) web site has a host header set to $($siteHostname)." 
       } 
       elseif ($bindingInfo[0] -eq '*') 
       { 
        Write-Warning "The $($webSiteName) web site has a binding address set to All Unassigned." 
       } 
       elseif ($isValidIP -eq $true) 
       { 
        $siteHostname = (Resolve-DnsName $bindingInfoAddress -Type PTR -DnsOnly -ErrorAction SilentlyContinue).NameHost 

        if ($siteHostname -ne $null) 
        { 
         Write-Verbose "The $($webSiteName) web site has an IP Address $($bindingInfoAddress) that resolves to $($siteHostname)." 
        } 
        else 
        { 
         Write-Warning "The $($webSiteName) web site has an IP Address $($bindingInfoAddress) with no PTR record." 
        } 
       } 

       # Collect the hostname of every binding, not only the last one of the site. 
       if ($siteHostname -ne $null) 
       { 
        $siteHostnames += $siteHostname 
       } 
      } 
     } 

     return $siteHostnames | Sort -Unique 
    } 
} 

# Use the IIS administration commandlets and the ones above to do the 
# following: 
# 1. Get all the IIS web sites that use Windows authentication. 
# 2. Get the hostnames from either the host header setting or the 
#  DNS reverse lookup of the hostnames from the IP address. 
# 3. Add the hostnames to the BackConnectionHostNames registry key. 
# 4. Display the contents of the BackConnectionHostNames registry key. 

$windowsAuthenticatedWebSites = Get-Website | ?{ (Get-WebConfiguration -Filter '/system.web/authentication' -PSPath $_.PSPath).mode -eq 'Windows' } 
$webSiteHostnames = $windowsAuthenticatedWebSites | Get-WebsiteHostname 
$webSiteHostNames | Add-BackConnectionHostName 

Get-BackConnectionHostName 
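
A read-only audit of the two settings discussed in the answers above, as an added example that is not part of the original answers: it reports whether the loopback check is disabled globally and compares the BackConnectionHostNames list with the host headers currently bound in IIS. The function name `Get-LoopbackCheckAudit` and the output property names are made up for this example.

```powershell
# Added example (not from the original answers): read-only audit, changes nothing.
Import-Module WebAdministration

function Get-LoopbackCheckAudit
{
    [CmdletBinding()]
    param ()

    $lsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv1Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

    # DisableLoopbackCheck = 1 switches the reflection protection off for every name.
    $disable = (Get-ItemProperty $lsaPath -Name DisableLoopbackCheck -ErrorAction SilentlyContinue).DisableLoopbackCheck

    # Names that are exempt from the loopback check (empty array if the value is absent).
    $exempt = @((Get-ItemProperty $msv1Path -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_) })

    # Host headers bound in IIS; bindingInformation is "address:port:hostheader",
    # so the host header is the last colon-separated field.
    $bound = @(Get-WebBinding |
        Where-Object { $_.protocol -like 'http*' } |
        ForEach-Object { ($_.bindingInformation -split ':')[-1] } |
        Where-Object { $_ } |
        Sort-Object -Unique)

    [pscustomobject]@{
        LoopbackCheck     = if ($disable -eq 1) { 'Disabled (all names exempt)' } else { 'Enabled' }
        ExemptHostNames   = $exempt
        # Exempt names that no IIS binding uses any more: candidates for removal.
        StaleExemptions   = @($exempt | Where-Object { $bound -notcontains $_ })
        # Bound host headers without an entry: these need one only if the site uses
        # Windows authentication and is browsed from the server itself.
        MissingExemptions = if ($disable -eq 1) { @() } else { @($bound | Where-Object { $exempt -notcontains $_ }) }
    }
}

Get-LoopbackCheckAudit | Format-List
```

A result with `LoopbackCheck` reported as disabled means method 2 was applied; switching to per-hostname entries (method 1) keeps the reflection protection in place for every other name.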