脚本之家 服务器常用软件
快捷导航
您的位置:首页网站技巧服务器win服务器 → IIS 身份验证

IIS 各种身份验证详细测试

 更新时间:2008年12月29日 20:40:47   作者:  
IIS的各种身份验证详细测试

3.3.5. 客户端发送用登陆本机的账户加密后的质询码
GET /wstest/default.aspx HTTP/1.1
Accept: */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; MAXTHON 2.0)
Host: biztalkr2:81
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAIoAAAAYABgAogAAABQAFABIAAAAGgAaAFwAAAAUABQAdgAAAAAAAAC6AAAABYKIogUCzg4AAAAPVwBJAE4AMgAwADAAMwAtAFAAQwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAFcASQBOADIAMAAwADMALQBQAEMAg7v6JYS/3bAAAAAAAAAAAAAAAAAAAAAArE2xu3xDN3w0LmV1yUkDkrqVWhb2wg27
3.3.6. 服务端验证通过,返回资源
用户端登录的用户名和密码正好能匹配到服务端的一个用户和密码,验证通过。
HTTP/1.1 200 OK
Date: Wed, 14 Nov 2007 12:35:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 522
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
.Untitled Page
</title></head>
<body>
<form name="form1" method="post" action="default.aspx" id="form1">
<div>
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNzgzNDMwNTMzZGTcefU2sz1MLsbXiZdUEXomIyZ20Q==" />
</div>
<div>
This is a simple page!</div>
</form>
</body>
</html>
4、 客户端和服务器都在同一域中
服务器和客户端机器在同一个局域网中,并同在一个域中。客户端IE请求服务端IIS的一个页面iisstart.htm。
IIS服务端设置:
l 不启用匿名访问
l 只启用集成windows身份验证
这样的环境下又范围以下几种情况:
4.1.
客户端用机
ip
访问服务器
4.1.1. 客户端IE申请页面
GET /iisstart.htm HTTP/1.1
Accept: */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; MAXTHON 2.0)
Host: 192.168.100.5:81
Connection: Keep-Alive
4.1.2. 服务端返回无授权回应
IIS的设置不允许匿名访问,只能windows验证,所以发送401无授权回应,同时发回Negotiate和NTLM两个身份验证头让客户端选择。
HTTP/1.1 401 Unauthorized
Content-Length: 1327
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2007 07:23:43 GMT
4.1.3. 客户端选择NTLM验证,要求输入用户名密码,请求质询码
由于使用的是ip地址访问服务器,URL中包含有”.”字符,IE认为访问的不是企业内部服务器,所以不直接提供用户凭据给服务端,要求用户输入帐户
GET /iisstart.htm HTTP/1.1
Accept: */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; MAXTHON 2.0)
Host: 192.168.100.5:81
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAAD4==
4.1.4. 服务器返回质询码
HTTP/1.1 401 Unauthorized
Content-Length: 1251
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAACgAKADgAAAAFgomiF0CRjzLrr+cAAAAAAAAAAHwAfABCAAAABQLODgAAAA9TAFoAQgBUAEkAAgAKAFMAWgBCAFQASQABAAgATABPAEcAUwAEABgAcwB6AGIAdABpAC4AZwBvAHYALgBjAG4AAwAiAGwAbwBnAHMALgBzAHoAYgB0AGkALgBnAG8AdgAuAGMAbgAFABgAcwB6AGIAdABpAC4AZwBvAHYALgBjAG4AAAAAAA==
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2007 07:24:15 GMT
4.1.5. 客户端发送使用前面输入账户的密码加密后的质询码
GET /iisstart.htm HTTP/1.1
Accept: */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; MAXTHON 2.0)
Host: 192.168.100.5:81
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAHYAAAAYABgAjgAAABoAGgBIAAAACgAKAGIAAAAKAAoAbAAAAAAAAACmAAAABYKIogUCzg4AAAAPMQA5ADIALgAxADYAOAAuADEAMAAwAC4ANQBqAGkAbgBqAHoASgBJAE4ASgBaALVaV8Ku0ERuAAAAAAAAAAAAAAAAAAAAAFowQcbaUXykWTrI7WJKQUA2taaV7wo5T2==
4.1.6. 服务端验证通过,返回资源
HTTP/1.1 200 OK
Content-Length: 1135
Content-Type: text/html
Last-Modified: Mon, 12 Nov 2007 09:33:27 GMT
Accept-Ranges: bytes
ETag: "d4469314f25c81:e35"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2007 07:24:15 GMT
<html>
<head>
<meta HTTP-EQUIV="Content-Type" Content="text/html; charset=gb2312">
</head>
<body bgcolor=white>
This is a simple page!
</body>
</html>
4.2.
客户端用机器名访问服务器
,客户端用户以域账户登录
4.2.1. 客户端IE申请页面
GET /iisstart.htm HTTP/1.1
Accept: */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; MAXTHON 2.0)
Host: logs:81
Connection: Keep-Alive
4.2.2. 服务端返回无授权回应
HTTP/1.1 401 Unauthorized
Content-Length: 1327
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2007 08:27:18 GMT
4.2.3. 客户端选择Kerberos验证,发送验证票到服务端
客户端在域中,并且以域账户登录,所以客户端IE选择使用Kerberos身份验证,发送与用户的验证票到服务端。
GET /iisstart.htm HTTP/1.1
Accept: */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; MAXTHON 2.0)
Host: logs:81
Connection: Keep-Alive
Authorization: Negotiate YIIEzQYGKwYBBQUCoIIEwTCCBL2gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBJMEggSPYIIEiwYJKoZIhvcSAQICAQBuggR6MIIEdqADAgEFoQMCAQ6iBwMFACAAAACjggOiYYIDnjCCA5qgAwIBBaEOGwxTWkJUSS5HT1YuQ06iFzAVoAMCAQKhDjAMGwRIVFRQGwRsb2dzo4IDaDCCA2SgAwIBF6EDAgEMooIDVgSCA1IeN8fZeLtzkw+5H8HOKmM8zgDOVL5GmeXoS8dMgE20RtI14EVWWZLn2j0AMXTqMOA550Grsadh89vZ89+6vprkVL0v49FM+gxHFCmZSOvLTIawBqXvLU6w1Pni8PN1pbhOKCRVON6+5XH4MN8Rfuqpyy1A/2gfeQIfLMMHs73yohp7h7QJP29b61jm0vj1xE0jEP7EupHlr225vrrVCnktTksbyqi88kIZlCB84J1gTqYoNeOycn4Qzvv8x6z1AsCfo2SBSwo1tj38BK2Fbu+BRXw26RrebGWPkILYwqED7bSR+RlDdokEhjubbyaWcnIjiSXZaN5kQqZQqms3iqhUrZpX7RaaV5BsMOgJs7LwYmc3uM5v7YqljwFD3T44XfpAiS3xlyirP3modOR1l+hV2xdIIFusXtRzY7rTkmEb2F3dGjTiMXySrc0GGhe3TrIeH9nB/2Udo/Z9m0ifXC0EU2fFogefmDc322vHhhv9gEYccG44Q/cnWx8gY9GfWCRihlaefGK+DmCvm+515UFYeIcG5KafXBQw3KX7MjI4/4hlAh3mQNn9p3nX0ePy1G1RRV2SToN7eg1PkaaYXDeC6MSIwCb53MfebzpyN0LKzmPZ6GneLYbyBIpANzPNoXz/LADA1h/l8F098ti1fThPVkUgoehgy1iyovTXyqJg6rojI0juIH7fKfc/UpfO+eLMhsquhH1KNjkCTD2CkdUfcsEU7B15j15p1OyGeg5/tEbRE67+NAWkfLSPp5R3tzGqjAh39w8n/8EWot9DBlHwk+qJp3rMFJZIvNtmXuvqnUW1NGpO1GIf78PBixyFwrJSo5syTfCiWIcw9YQ7MyvuyynAmsXeaI5+OP/GfmGpnvt5kMznu5q/nNf7LMV8n6x2+lmNlcPJiWr+KckPM9Nvntw2h/bl2qGnHDdOqNYI2N0VxzIm8wY6dWS3NIwlGl/usMjjebaELFP6rdHjpVG6pziJYjrBrws5DbqCxJ1EOeQdBiT8l1O6OUQqdOBVZH6/bj5MkLghWv0edHG8TJ4OGa69nMHDwTBOyuyRbTr5uWWFnESdyAGGbfGlJjuvSSzxgZViMSB2j8Ulk8x8MCqrupEK2i0UR6HrMNMJIDJsVcXTpIG6MIG3oAMCAReiga8EgazteAbcguseBpQnHeJihLFO78PfjI2Qop+MkH9jCOrvO9cQns1GzOKByoAbeP307QQq4zbaDF3EJlOC//4k4A6W4dc4k5lNeOgwR4LEvbIQKpdlljFiW8XUb+IgovsOlZEG0qFQgZY0I35I4Uvk/2dDkz06DGiDsQ0IENrRIMT4/7xgMSmkzspO2ojSbG5aKlbjK203QxMlkEoxb8WpJFZQggUqrLAr0q2graET
4.2.4. 服务端验证通过,返回资源
HTTP/1.1 200 OK
Content-Length: 167
Content-Type: text/html
Last-Modified: Wed, 14 Nov 2007 08:21:24 GMT
Accept-Ranges: bytes
ETag: "bf2d54589726c81:e35"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
WWW-Authenticate: Negotiate oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICooGIBIGFYIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWrdYWb37ROEMMnP/4vTBwSe9hVe4XklXCWqFKG16d53aBUiTEem+lrFE8ycBgSln3zme63lKfSn9UHoNTlT100T86wxllsyrrMe437ElPcxI4pgcv9rNKU9aKg==
Date: Wed, 14 Nov 2007 08:27:18 GMT
<html>
<head>
<meta HTTP-EQUIV="Content-Type" Content="text/html; charset=gb2312">
</head>
<body bgcolor=white>
This is a simple page!
</body>
</html>
4.3.
客户端用机器名访问服务器,客户端用户以客户端本地用户登录,用户名
/
口令跟服务器账户不匹配
4.3.1. 客户端IE申请页面
GET /iisstart.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)
Host: logs:81
Connection: Keep-Alive
4.3.2. 服务端返回无授权回应
HTTP/1.1 401 Unauthorized
Content-Length: 1327
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2007 08:58:13 GMT
4.3.3. 客户端选择NTLM验证,请求质询码
GET /iisstart.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)
Host: logs:81
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==
4.3.4. 服务器返回质询码
HTTP/1.1 401 Unauthorized
Content-Length: 1251
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAACgAKADgAAAAFgomibnmMcRgPlTMAAAAAAAAAAHwAfABCAAAABQLODgAAAA9TAFoAQgBUAEkAAgAKAFMAWgBCAFQASQABAAgATABPAEcAUwAEABgAcwB6AGIAdABpAC4AZwBvAHYALgBjAG4AAwAiAGwAbwBnAHMALgBzAHoAYgB0AGkALgBnAG8AdgAuAGMAbgAFABgAcwB6AGIAdABpAC4AZwBvAHYALgBjAG4AAAAAAA==
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2007 08:58:13 GMT
4.3.5. 客户端发送用登陆本机的账户加密后的质询码
GET /iisstart.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)
Host: logs:81
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAHYAAAAYABgAjgAAAAoACgBIAAAAGgAaAFIAAAAKAAoAbAAAAAAAAACmAAAABYKIogUCzg4AAAAPSgBJAE4ASgBaAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIASgBJAE4ASgBaACY8afODxKsFAAAAAAAAAAAAAAAAAAAAAPfRbw7FX9gKolM+6+QhqsRU+MWS3jKLkQ==
4.3.6. 服务端返回无授权回应
HTTP/1.1 401 Unauthorized
Content-Length: 1251
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2007 08:58:13 GMT
4.3.7. 客户端及选选择NTLM验证,要求输入用户名和口令,再次请求质询码
GET /iisstart.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)
Host: logs:81
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==
4.3.8. 服务端返回质询码
HTTP/1.1 401 Unauthorized
Content-Length: 1251
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAACgAKADgAAAAFgomi3CZKUW4302QAAAAAAAAAAHwAfABCAAAABQLODgAAAA9TAFoAQgBUAEkAAgAKAFMAWgBCAFQASQABAAgATABPAEcAUwAEABgAcwB6AGIAdABpAC4AZwBvAHYALgBjAG4AAwAiAGwAbwBnAHMALgBzAHoAYgB0AGkALgBnAG8AdgAuAGMAbgAFABgAcwB6AGIAdABpAC4AZwBvAHYALgBjAG4AAAAAAA==
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2007 08:59:09 GMT
4.3.9. 客户端发送使用前面输入账户的密码加密后的质询码
GET /iisstart.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)
Host: logs:81
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAHYAAAAYABgAjgAAAAoACgBIAAAAGgAaAFIAAAAKAAoAbAAAAAAAAACmAAAABYKIogUCzg4AAAAPSgBJAE4ASgBaAGEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIASgBJAE4ASgBaAIP0UwZaV4tAAAAAAAAAAAAAAAAAAAAAAMS9l9MtVOFPSz/JmjD+/7W2ssAdBrkvwQ==
4.3.10. 服务端验证通过,返回资源
HTTP/1.1 200 OK
Content-Length: 167
Content-Type: text/html
Last-Modified: Wed, 14 Nov 2007 08:21:24 GMT
Accept-Ranges: bytes
ETag: "bf2d54589726c81:e35"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2007 08:59:09 GMT
<html>
<head>
<meta HTTP-EQUIV="Content-Type" Content="text/html; charset=gb2312">
</head>
<body bgcolor=white>
This is a simple page!
</body>
</html>
4.4.
客户端用机器名访问服务器,客户端用户以客户端本地用户登录,用户名
/
口令跟服务器账户匹配
4.4.1. 客户端IE申请页面
GET /iisstart.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)
Host: logs:81
Connection: Keep-Alive
4.4.2. 服务端返回无授权回应
HTTP/1.1 401 Unauthorized
Content-Length: 1327
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2007 09:11:09 GMT
4.4.3. 客户端选择NTLM验证,请求质询码
GET /iisstart.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)
Host: logs:81
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==
4.4.4. 服务器返回质询码
HTTP/1.1 401 Unauthorized
Content-Length: 1251
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAACgAKADgAAAAFgomil8OZAC0QBhYAAAAAAAAAAHwAfABCAAAABQLODgAAAA9TAFoAQgBUAEkAAgAKAFMAWgBCAFQASQABAAgATABPAEcAUwAEABgAcwB6AGIAdABpAC4AZwBvAHYALgBjAG4AAwAiAGwAbwBnAHMALgBzAHoAYgB0AGkALgBnAG8AdgAuAGMAbgAFABgAcwB6AGIAdABpAC4AZwBvAHYALgBjAG4AAAAAAA==
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2007 09:11:09 GMT
4.4.5. 客户端发送用登陆本机的账户加密后的质询码
GET /iisstart.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)
Host: logs:81
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAHYAAAAYABgAjgAAAAoACgBIAAAAGgAaAFIAAAAKAAoAbAAAAAAAAACmAAAABYKIogUCzg4AAAAPSgBJAE4ASgBaAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIASgBJAE4ASgBaAMQdxp9OWMESAAAAAAAAAAAAAAAAAAAAAMEj775cWctAx2Csmbgfq2afsGcop92oMA==
4.4.6. 服务端验证通过,返回资源
用户端登录的用户名和密码正好能匹配到服务端的一个用户和密码,验证通过。
HTTP/1.1 200 OK
Content-Length: 167
Content-Type: text/html
Last-Modified: Wed, 14 Nov 2007 08:21:24 GMT
Accept-Ranges: bytes
ETag: "bf2d54589726c81:e35"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2007 09:11:09 GMT
<html>
<head>
<meta HTTP-EQUIV="Content-Type" Content="text/html; charset=gb2312">
</head>
<body bgcolor=white>
This is a simple page!
</body>
</html>
5、 集成验证总结
5.1.
客户端以
ip
地址访问服务器
不管客户端跟服务器是否在域、也不管客户端是否以域帐号登陆,只要客户端以ip地址访问服务器,那么客户端就会选择NTLM方式验证,并且不会直接发送客户端登录用户的用户名和密码给服务器,而是会弹出一个对话框要求用户输入用户名和口令,然后发送到服务端验证。
您可以避免在使用 IP 地址或名称中包含句点的企业内部网服务器上出现这种提示,方法是,在 Internet Explorer 的“本地 Intranet”设置中,列出包含 IP 地址的服务器,或是列出包含句点的服务器名称。可以通过依次单击“工具”、“Internet 选项”、“本地 Intranet”、“站点”、“高级”来访问“本地 Intranet”设置部分。然后在“将该网站添加到区域中”输入 http://127.0.0.1 或其他相关站点的 URL。
下面总结的都是在客户端以机器名访问服务器的情况。
5.2.
服务器在域,客户端以域帐号登陆
如果客户端的机器在域中,同时登陆用户又是以域用户登录,那么IE选择Kerberos验证方式。
5.3.
其他情况
IE
都选择采用
NTLM
验证方式。
出来上述的两种情况,其他情况,客户端都选择NTLM验证,并首先尝试把登录客户端用户的用户名和密码传送给服务器验证,如果验证通过了,被直接授权访问;如果验证没通过,客户端弹出对话框要求输入用户名和密码,然后再传送到服务端验证,直到验证通过。
集成 Windows 身份验证Kerberos的验证方式是 Intranet 环境中最好的身份验证方案,在这种用户拥有 Windows 域帐户,Kerberos验证不在网络上传递用户密码,只用传送一个用户验证票。NTLM要传送用户的密码,但是密码经过处理后派生出一个8字节的key加密质询码,也是比较安全的。
四、 基本身份验证
客户端IE请求服务端IIS的一个页面iisstart.htm。
IIS服务端设置:
l 不启用匿名访问
l 只启用基本身份验证
1、 客户端IE申请页面
GET /iisstart.htm HTTP/1.1
Accept: */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; MAXTHON 2.0)
Host: logs:81
Connection: Keep-Alive
2、 服务端返回无授权回应,并告知客户端要求基本身份验证
服务端设置的基本身份验证,所以这里返回的无授权回应的http头中包含 WWW-Authenticate: Basic 头,告诉客户端,服务端要求的是基本身份验证
HTTP/1.1 401 Unauthorized
Content-Length: 1327
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Basic realm="logs"
X-Powered-By: ASP.NET
Date: Mon, 19 Nov 2007 06:15:57 GMT
3、 客户端弹出对话框要求输入用户名和密码
GET /iisstart.htm HTTP/1.1
Accept: */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; MAXTHON 2.0)
Host: logs:81
Connection: Keep-Alive
Authorization: Basic YWRtaW5pc3RyYXRvcjpzemJ0aUAxMDA1
客户端把用户名和密码转换成base64编码后,直接发送到服务端。
发送到服务器的“Authorization: Basic”头里面的“YWRtaW5pc3RyYXRvcjpzemJ0aUAxMDA1”部分就是用户的用户名和密码,经过base64解码后是这样的:administrator:szbti@1005
4、 服务端验证通过,返回资源
HTTP/1.1 200 OK
Content-Length: 167
Content-Type: text/html
Last-Modified: Wed, 14 Nov 2007 08:21:24 GMT
Accept-Ranges: bytes
ETag: "bf2d54589726c81:e7d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 19 Nov 2007 06:16:34 GMT
<html>
<head>
<meta HTTP-EQUIV="Content-Type" Content="text/html; charset=gb2312">
</head>
<body bgcolor=white>
This is a simple page!
</body>
</html>

相关文章

最新评论