IIS La unión con la autenticación de Windows

Question

tengo un localwebsite (http: // localhost/testsite) con autenticación ventanas -> funciona bien

ahora he cambiado la unión del sitio a una URL (htt: // testsite.blablabla.biz) con autenticación de Windows -> HTTP Error 401.1 - No autorizado No tiene permiso para ver este directorio o página con las credenciales que ha proporcionado.

¿Qué estoy haciendo mal? Ya busqué mucho en google, pero nada realmente ayuda. Creo que tiene algo que ver con DOMAINNAMES o algo así, pero no estoy seguro ... ¿Alguien que pueda ayudar?

Answer 1

Tenga en cuenta que al cambiar el enlace, es posible que su URL anterior no vuelva a acceder a este sitio en los navegadores web. Aprende sobre lo que es un enlace y debes averiguar si hiciste algo mal.

Así que el sitio que le da este 401.1 puede ser completamente otro sitio.

Answer 2

Windows tiene una función de seguridad para realizar comprobaciones de bucle invertido, que está diseñada para ayudar a prevenir ataques de reflejo en su computadora.

Cuando utiliza un encabezado de host personalizado para explorar un sitio web local alojado en una computadora que ejecuta IIS, recibirá este mensaje de error si el sitio web usa autenticación de Windows y tiene un nombre asignado a la dirección de bucle local .

Hay dos métodos para evitar este problema:

1) Especificar los nombres de host, o

2) Desactivar la comprobación de bucle invertido

Microsoft KB Article ID: 896861

Answer 3

Éstos son los comandos de PowerShell que Escribí para administrar la configuración de verificación de bucle invertido. Incluye un código que intenta obtener los nombres de host para todos los sitios web de IIS que usan la Autenticación de Windows y establece los nombres de host de conexión remota.

Import-Module WebAdministration 

function Add-BackConnectionHostName 
{ 
    <# 
    .SYNOPSIS 
    Adds the back connection hostnames that will bypass the server loopback check. 
    .DESCRIPTION 
    Adds the hostname to the list of back connection hostnames that will bypass the server loopback check. Back connection host names 
    can be used to address the problem with IIS sites using Windows Authentication that is described in Microsoft KB896861. 
    .EXAMPLE 
    Add-BackConnectionHostName mywebsite.mydomain.tld 
    .EXAMPLE 
    Add-BackConnectionHostName mywebsite1.mydomain.tld, mywebsite2.mydomain.tld 
    .PARAMETER Hostname 
    The Hostname to add to the back connection hostnames list. 
    .LINK 
    Remove-BackConnectionHostName 
    Get-BackConnectionHostName 
    Enable-ServerLoopbackCheck 
    Disable-ServerLoopbackCheck 
    Get-ServerLoopbackCheck 
    "You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.microsoft.com/en-us/kb/896861) 
    #> 
    [CmdletBinding(SupportsShouldProcess = $true)] 
    param 
    (
     [Parameter(ValueFromPipeline = $true, Mandatory = $true)] 
     [string] $Hostname 
    ) 

    begin 
    { 
     $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" 
     $propertyName = "BackConnectionHostNames" 
     $key = Get-Item $keyPath 
     $property = $null 
     $propertyValues = $null 

     if ($key -ne $null) 
     { 
      $property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue 

      if ($property -eq $null) 
      { 
       $property = New-ItemProperty $keyPath -Name $propertyName -Value $null -PropertyType ([Microsoft.Win32.RegistryValueKind]::MultiString) -ErrorAction Stop 

       Write-Verbose "Created the $($propertyName) property." 
      } 

      if ($property -ne $null) 
      { 
       $propertyValues = $property.$propertyName 
      } 
     } 
    } 

    process 
    { 
     if ($property -ne $null) 
     { 
      foreach ($hostNameValue in $Hostname) 
      { 
       if ([string]::IsNullOrWhiteSpace($hostName) -eq $false -and $propertyValues -notcontains $hostNameValue) 
       { 
        $propertyValues += $hostNameValue 

        Write-Verbose "Added $($hostName) to the back connection hostnames." 
       } 
       else 
       { 
        Write-Verbose "Back connection host names already has an entry for $($hostName)." 
       } 
      } 
     } 
    } 

    end 
    { 
     if ($propertyValues -ne $null) 
     { 
      $propertyValues = $propertyValues | ?{ [string]::IsNullOrWhiteSpace($_) -eq $false } | Sort -Unique 
      Set-ItemProperty $keyPath -Name $propertyName -Value $propertyValues 
     } 
    } 
} 

function Remove-BackConnectionHostName 
{ 
    <# 
    .SYNOPSIS 
    Removes the hostname from the list of back connection hostnames that will bypass the server loopback check. 
    .DESCRIPTION 
    Removes the hostname from the list of back connection hostnames that will bypass the server loopback check. 
    .EXAMPLE 
    Remove-BackConnectionHostName mywebsite.mydomain.tld 
    .EXAMPLE 
    Remove-BackConnectionHostName mywebsite1.mydomain.tld, mywebsite2.mydomain.tld 
    .PARAMETER Hostname 
    The Hostname to remove from the back connection hostnames list. 
    .LINK 
    Add-BackConnectionHostName 
    Get-BackConnectionHostName 
    Enable-ServerLoopbackCheck 
    Disable-ServerLoopbackCheck 
    Get-ServerLoopbackCheck 
    "You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.microsoft.com/en-us/kb/896861) 
    #> 
    [CmdletBinding(SupportsShouldProcess = $true)] 
    param 
    (
     [Parameter(ValueFromPipeline = $true, Mandatory = $true)] 
     [string] $Hostname 
    ) 

    begin 
    { 
     $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" 
     $propertyName = "BackConnectionHostNames" 
     $key = Get-Item $keyPath 
     $property = $null 
     $propertyValues = $null 

     if ($key -ne $null) 
     { 
      $property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue 

      if ($property -ne $null) 
      { 
       $propertyValues = $property.$propertyName 
      } 
      else 
      { 
       Write-Verbose "The $($propertyName) property was not found." 
      } 
     } 
    } 

    process 
    { 
     if ($property -ne $null) 
     { 
      foreach ($hostNameValue in $Hostname) 
      { 
       if ($propertyValues -contains $hostNameValue) 
       { 
        $propertyValues = $propertyValues | ? { $_ -ne $hostName } 

        Write-Verbose "Removed $($hostName) from the $($propertyName) property." 
       } 
       else 
       { 
        Write-Verbose "No entry for $($hostName) was found in the $($propertyName) property." 
       } 
      } 
     } 
    } 

    end 
    { 
     if ($property -ne $null) 
     { 
      $propertyValues = $propertyValues | ?{ [string]::IsNullOrWhiteSpace($_) -eq $false } | Sort -Unique 

      if ($propertyValues.Length -ne 0) 
      { 
       Set-ItemProperty $keyPath -Name $propertyName -Value $propertyValues 
      } 
      else 
      { 
       Remove-ItemProperty $keyPath -Name $propertyName 

       Write-Verbose "No entries remain after removing $($hostName). The $($propertyName) property was removed." 
      } 
     } 
    } 
} 

function Get-BackConnectionHostName 
{ 
    <# 
    .SYNOPSIS 
    Gets the list of back connection hostnames that will bypass the server loopback check. 
    .DESCRIPTION 
    Gets the back connection hostnames that will bypass the server loopback check. Back connection host names can be used to address 
    the problem with IIS sites using Windows Authentication that is described in Microsoft KB896861. 
    .EXAMPLE 
    Get-BackConnectionHostName 
    .LINK 
    Add-BackConnectionHostName 
    Remove-BackConnectionHostName 
    Enable-ServerLoopbackCheck 
    Disable-ServerLoopbackCheck 
    Get-ServerLoopbackCheck 
    "You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.microsoft.com/en-us/kb/896861) 
    #> 
    [CmdletBinding(SupportsShouldProcess = $false)] 
    param 
    (
    ) 

    begin 
    { 
     $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" 
     $propertyName = "BackConnectionHostNames" 
     $key = Get-Item $keyPath 
     $property = $null 

     if ($key -ne $null) 
     { 
      $property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue 

      if ($property -eq $null) 
      { 
       Write-Verbose "The $($propertyName) property was not found." 
      } 
     } 
    } 

    process 
    { 
     $propertyValues = $null 

     if ($property -ne $null) 
     { 
      $propertyValues = $property.$propertyName 
     } 

     return $propertyValues 
    } 

    end 
    { 
    } 
} 

function Enable-ServerLoopbackCheck 
{ 
    <# 
    .SYNOPSIS 
    Enables the server loopback check. Enabled is the normal state for a Windows Server. 
    .DESCRIPTION 
    Enables the server loopback check. Having the loopback check enabled is the normal state for a Windows Server. Disabling the loopback check can be used to address 
    the problem with IIS sites using Windows Authentication that is described in Microsoft KB896861. It is NOT the preferred method. See the KB article for more details. 
    .EXAMPLE 
    Enable-ServerLoopbackCheck 
    .LINK 
    Add-BackConnectionHostName 
    Remove-BackConnectionHostName 
    Get-BackConnectionHostName 
    Enable-ServerLoopbackCheck 
    Get-ServerLoopbackCheck 
    "You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.microsoft.com/en-us/kb/896861) 
    #> 
    [CmdletBinding(SupportsShouldProcess = $true)] 
    param 
    (
    ) 

    begin 
    { 
     $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" 
     $propertyName = "DisableLoopbackCheck" 
     $key = Get-Item $keyPath 
     $property = $null 

     if ($key -ne $null) 
     { 
      $property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue 

      if ($property -eq $null) 
      { 
       Write-Verbose "The $($propertyName) property was not found." 
      } 
     } 
    } 

    process 
    { 
     if ($property -ne $null) 
     { 
      Set-ItemProperty $keyPath -Name $propertyName -Value 0 
     } 
    } 

    end 
    { 
    } 
} 

function Disable-ServerLoopbackCheck 
{ 
    <# 
    .SYNOPSIS 
    Disables the server loopback check for all hostnames. Enabled is the normal state for a Windows Server. 
    .DESCRIPTION 
    Disables the server loopback check for all hostnames. Having the loopback check enabled is the normal state for a Windows Server. Disabling the loopback check can be used 
    to address the problem with IIS sites using Windows Authentication that is described in Microsoft KB896861. It is NOT the preferred method. See the KB article for more details. 
    .EXAMPLE 
    Disable-ServerLoopbackCheck 
    .LINK 
    Add-BackConnectionHostName 
    Remove-BackConnectionHostName 
    Get-BackConnectionHostName 
    Enable-ServerLoopbackCheck 
    Get-ServerLoopbackCheck 
    "You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.microsoft.com/en-us/kb/896861) 
    #> 
    [CmdletBinding(SupportsShouldProcess = $true)] 
    param 
    (
    ) 

    begin 
    { 
     $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" 
     $propertyName = "DisableLoopbackCheck" 
     $key = Get-Item $keyPath 
     $property = $null 

     if ($key -ne $null) 
     { 
      $property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue 

      if ($property -eq $null) 
      { 
       Write-Verbose "The $($propertyName) property was not found." 
      } 
     } 
    } 

    process 
    { 
     if ($property -ne $null) 
     { 
      Set-ItemProperty $keyPath -Name $propertyName -Value 1 
     } 
     else 
     { 
      $property = New-ItemProperty $keyPath -Name $propertyName -PropertyType ([Microsoft.Win32.RegistryValueKind]::DWord) -Value 1 
     } 
    } 

    end 
    { 
    } 
} 

function Get-ServerLoopbackCheck 
{ 
    <# 
    .SYNOPSIS 
    Gets the status of the server loopback check. Enabled is the normal state for a Windows Server. 
    .DESCRIPTION 
    Gets the status of the server loopback check. Having the loopback check enabled is the normal state for a Windows Server. Disabling the loopback check can be used 
    to address the problem with IIS sites using Windows Authentication that is described in Microsoft KB896861. It is NOT the preferred method. See the KB article for 
    more details. 
    .EXAMPLE 
    Get-ServerLoopbackCheck 
    .LINK 
    Add-BackConnectionHostName 
    Remove-BackConnectionHostName 
    Get-BackConnectionHostName 
    Enable-ServerLoopbackCheck 
    Disable-ServerLoopbackCheck 
    "You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version" (http://support.microsoft.com/en-us/kb/896861) 
    #> 
    [CmdletBinding(SupportsShouldProcess = $false)] 
    param 
    (
    ) 

    begin 
    { 
     $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" 
     $propertyName = "DisableLoopbackCheck" 
     $key = Get-Item $keyPath 
     $property = $null 

     if ($key -ne $null) 
     { 
      $property = Get-ItemProperty $keyPath -Name $propertyName -ErrorAction SilentlyContinue 
     } 
    } 

    process 
    { 
     $loopbackCheckStatus = "Enabled" 

     if ($property -ne $null) 
     { 
      switch ($property) 
      { 
       0 { $loopbackCheckStatus = "Enabled" } 
       1 { $loopbackCheckStatus = "Disabled" } 
       default { $loopbackCheckStatus = "Unknown" } 
      } 
     } 

     return $loopbackCheckStatus 
    } 

    end 
    { 
    } 
} 

function Get-WebsiteHostname 
{ 
    <# 
    .SYNOPSIS 
    Gets the hostnames for the IP addresses bound to a web site. 
    .DESCRIPTION 
    Gets the hostnames for the IP addresses bound to a web site. Where a host header exists, the host header is used; otherwise, the IP address is looked up 
    in DNS to see if a PTR record exists. 
    .EXAMPLE 
    Get-WebSiteHostname $webSite 
    .EXAMPLE 
    Get-WebSiteHostname -Name 'Default Web Site' 
    .EXAMPLE 
    Get-Website | Get-WebSiteHostname 
    .LINK 
    Get-Website 
    #> 
    [CmdletBinding(SupportsShouldProcess = $false)] 
    param 
    (
     [Parameter(ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Mandatory = $true)] 
     [string] $Name 
    ) 

    process 
    { 
     $siteHostnames = @() 

     foreach ($webSiteName in $Name) 
     { 
      $bindings = Get-WebBinding -Name $Name 

      foreach ($binding in $bindings) 
      { 
       $bindingInfo = $binding.bindingInformation.Split(':') 
       $hostHeader = $bindingInfo[2] 
       $bindingInfoAddress = $null 
       $isValidIP = [System.Net.IPAddress]::TryParse($bindingInfo[0], [ref] $bindingInfoAddress) 
       $siteHostname = $null 

       if ($bindingInfo -eq '*') 
       { 
        Write-Warning "The $($webSiteName) web site has a binding address set to All Unassigned." 
       } 
       elseif ([string]::IsNullOrWhiteSpace($hostHeader) -eq $false) 
       { 
        $siteHostname = $hostHeader 
        Write-Verbose "The $($webSiteName) web site has a host header set to $($siteHostname)." 
       } 
       elseif ($isValidIP -eq $true) 
       { 
        $siteHostname = (Resolve-DnsName $bindingInfoAddress -DnsOnly PTR -ErrorAction SilentlyContinue).NameHost 

        if ($siteHostname -ne $null) 
        { 
         Write-Verbose "The $($webSiteName) web site has an IP Address $($bindingInfoAddress) that resolves to $($siteHostname)." 
        } 
        else 
        { 
         Write-Warning "The $($webSiteName) web site has an IP Address $($bindingInfoAddress) with no PTR record." 
        } 
       } 
      } 

      if ($siteHostname -ne $null) 
      { 
       $siteHostnames += $siteHostname 
      } 
     } 

     return $siteHostnames | Sort -Unique 
    } 
} 

# Use the IIS administration commandlets and the ones above to do the 
# following: 
# 1. Get all the IIS web sites that use Windows authentication. 
# 2. Get the hostnames from either the host header setting or the 
#  DNS reverse lookup of the hostnames from the IP address. 
# 3. Add the hostnames to the BackConnectionHostNames registry key. 
# 4. Display the contents of the BackConnectionHostNames registry key. 

$windowsAuthenticatedWebSites = Get-Website | ?{ (Get-WebConfiguration -Filter '/system.web/authentication' -PSPath $_.PSPath).mode -eq 'Windows' } 
$webSiteHostnames = $windowsAuthenticatedWebSites | Get-WebsiteHostname 
$webSiteHostNames | Add-BackConnectionHostName 

Get-BackConnectionHostName