Intereting Posts
有关大型SharePoint场的统计信息和信息
`好'优先号码指南?
Exim无法发送到远程邮件服务器
在Fedora虚拟机中使用yum时,VirtualBox上的“下载目录空间不足”错误
为什么scp-scp工作,但没有标志没有scp
高速DKIM在邮件服务器上签名
跨几个交换机的思科VLAN
snmpd.conf磁盘指令的dskIndex顺序
iptables和EC2的“安全组”之间的主要区别是什么?
设置简单的Infiniband块存储(SRP或iSER)
绑定到虚拟接口的路由,Debian,以及事实之后如何确定细节
系统状态恢复
连接到单个GPO的多个安装程序?
Watchguard Firewall – 将公共IP连接到另一个接口?
Apache VirtualHost安装程序… 502错误的网关
Windows 2008 R2上的FTP服务(IIS 7.5)是否支持Kerberos身份validation?
我在IIS 7.5上configuration了http服务以进行Kerberos身份validation。 它工作正常。
我已经检查从Linux框
# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: [email protected] Valid starting Expires Service principal 03/08/16 10:19:30 03/08/16 20:19:31 krbtgt/[email protected] renew until 03/15/16 10:19:30 03/08/16 10:20:00 03/08/16 20:19:31 HTTP/[email protected] renew until 03/15/16 10:19:30 简单的testing
# curl --trace-ascii - --negotiate -u : http://www.example.net Enter host password for user '[email protected]': == Info: About to connect() to www.example.net port 80 (#0) == Info: Trying 192.168.1.100... == Info: connected == Info: Connected to www.example.net (192.168.1.100) port 80 (#0) => Send header, 178 bytes (0xb2) 0000: GET / HTTP/1.1 0010: User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 0050: NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2 008c: Host: www.example.net 00a3: Accept: */* 00b0: ... == Info: Connection #0 to host www.example.net left intact == Info: Issue another request to this URL: 'http://www.example.net/' == Info: Re-using existing connection! (#0) with host www.example.net == Info: Connected to www.example.net (192.168.1.100) port 80 (#0) == Info: Server auth using GSS-Negotiate with user '' => Send header, 1969 bytes (0x7b1) 0000: GET / HTTP/1.1 0010: Authorization: Negotiate YIIFJgYJKoZIhvcSAQICAQBuggUVMIIFEaADAgE 0050: FoQMCAQ6iBwMFAAAAAACjggQkYYIEIDCCBBygAwIBBaENGwtFWEFNUExFLk5FVKI 0090: iMCCgAwIBA6EZMBcbBEhUVFAbD2RjMS5leGFtcGxlLm5ldKOCA+AwggPcoAMCARK ... 070f: User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 074f: NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2 078b: Host: www.example.net 07a2: Accept: */* 07af: <= Recv header, 17 bytes (0x11) 0000: HTTP/1.1 200 OK <= Recv header, 25 bytes (0x19) 0000: Content-Type: text/html <= Recv header, 46 bytes (0x2e) 0000: Last-Modified: Sat, 05 Mar 2016 17:15:16 GMT <= Recv header, 22 bytes (0x16) 0000: Accept-Ranges: bytes ...
匿名身份validation已被禁用,Windows身份validation已在该站点和整个服务器的“身份validation”部分中启用。 我只离开协商:提供者部分中的Kerberos。 内核模式身份validation已被禁用。
- 从Windows 2008 R2删除FTP服务器后,仍然能够连接到FTP
- ProFTPD ESXI 6.0
- FTP帐户为每个系统用户
- 使用IP或IP和端口号的FTP连接
- FileZilla FTP错误 – 426连接closures; 中止传输“文件名”
我创build了FTP服务的SPNlogging
> setspn.exe -a ftp/ftp.example.net dc1 Registering ServicePrincipalNames for CN=DC1,OU=Domain Controllers,DC=example,DC=net ftp/ftp.example.net Updated object
我可以看到新创build的SPNlogging
> Setspn.exe -L DC1 Registered ServicePrincipalNames for CN=DC1,OU=Domain Controllers,DC=example,DC=net: ftp/ftp.example.net Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/dc1.example.net HOST/DC1/EXAMPLE ldap/DC1/EXAMPLE ldap/dc1.example.net/ForestDnsZones.example.net ldap/dc1.example.net/DomainDnsZones.example.net DNS/dc1.example.net GC/dc1.example.net/example.net RestrictedKrbHost/dc1.example.net RestrictedKrbHost/DC1 HOST/dc1.example.net/EXAMPLE HOST/DC1 HOST/dc1.example.net HOST/dc1.example.net/example.net ldap/dc1.example.net/EXAMPLE ldap/DC1 ldap/dc1.example.net ldap/dc1.example.net/example.net E3514235-4B06-11D1-AB04-00C04FC2DCD2/f9c3624c-5f19-4e0a-8afa-d730b0bd4e6d/example.net ldap/f9c3624c-5f19-4e0a-8afa-d730b0bd4e6d._msdcs.example.net
但是,当我尝试连接到FTP服务,我得到以下错误
# curl --trace-ascii - --krb 5 -u : ftp://ftp.example.net == Info: About to connect() to ftp.example.net port 21 (#0) == Info: Trying 192.168.1.100... == Info: connected == Info: Connected to ftp.example.net (192.168.1.100) port 21 (#0) <= Recv header, 27 bytes (0x1b) 0000: 220 Microsoft FTP Service == Info: Trying GSSAPI... => Send header, 13 bytes (0xd) 0000: AUTH GSSAPI <= Recv header, 41 bytes (0x29) 0000: 504 Security mechanism not implemented. == Info: GSSAPI is not supported by the server. == Info: Logging in with password in cleartext! ...
我已经阅读了很多官方文档,但无法find可以为FTP服务configurationKerberos身份validation。
所以我的问题是:
- 有没有可能 如果是这样,我错过了什么?
- 如果这是不可能的,我可以使用Kerberos身份validation的FTP服务器?
PS在Windows身份validation部分的高级设置中,有一个选项 – 内核模式身份validation,具有以下说明
默认情况下,IIS启用内核模式身份validation,这可能会提高身份validation性能并防止configuration为使用自定义身份的应用程序池的身份validation问题。 最佳做法是,如果您的环境中使用了Kerberos身份validation,并且应用程序池configuration为使用自定义标识,则不要禁用此设置。
但是当我检查框时,我得到以下错误
我错过了什么? 因为在前面的屏幕上,IISbuild议不要禁用内核模式身份validation,尤其是对Kerberos身份validation。 所以我有点困惑。
提前致谢