{"id":11700,"date":"2025-03-31T11:01:47","date_gmt":"2025-03-31T02:01:47","guid":{"rendered":"https:\/\/chat-messenger.com\/?p=11700"},"modified":"2025-04-25T14:39:43","modified_gmt":"2025-04-25T05:39:43","slug":"windowsauthentication-loadbalancer-ssl","status":"publish","type":"post","link":"https:\/\/chat-messenger.com\/zh_tw\/\u90e8\u843d\u683c\/windowsauthentication\u8ca0\u8f09\u5e73\u8861\u5668ssl","title":{"rendered":"\u5982\u4f55\u914d\u7f6e IIS \u6574\u5408 Windows \u9a57\u8b49\u4ee5\u5728\u8ca0\u8f09\u5e73\u8861\u5668 + SSL \u74b0\u5883\u4e2d\u6210\u529f"},"content":{"rendered":"

\u95dc\u65bc\u6574\u5408 Windows \u9a57\u8b49<\/h2>\n\n\n\n

\u6574\u5408 Windows \u9a57\u8b49\u662f\u4e00\u7a2e\u7576 IIS \u548c\u4f7f\u7528\u8005\u5c6c\u65bc\u540c\u4e00\u500b Active Directory \u7db2\u57df\u6642\u81ea\u52d5\u5411 IIS \u63d0\u4f9b\u4f7f\u7528\u8005\u9a57\u8b49\u8cc7\u8a0a\u7684\u6a5f\u5236\u3002\u7576\u60a8\u4f7f\u7528 ASP.NET C# \u5efa\u7acb\u7db2\u7ad9\u6642\uff0c\u60a8\u53ef\u4ee5\u78ba\u5b9a\u4f7f\u7528\u8005\u662f\u5426\u5df2\u7d93\u904e\u9a57\u8b49\u4e26\u53d6\u5f97\u6709\u95dc\u5df2\u9a57\u8b49\u7684\u4f7f\u7528\u8005\u7684\u8cc7\u8a0a\u3002<\/p>\n\n\n\n

\u9019\u5141\u8a31\u4f7f\u7528\u8005\u5b58\u53d6 IIS \u8a17\u7ba1\uff08\u6216\u9023\u7d50\uff09\u7684 Web \u61c9\u7528\u7a0b\u5e8f\uff0c\u800c\u7121\u9700\u984d\u5916\u7684\u767b\u5165\u64cd\u4f5c\uff0c\u4e26\u652f\u63f4\u8207\u5176\u4ed6\u61c9\u7528\u7a0b\u5f0f\u4f3a\u670d\u5668\u7684 SSO \u6574\u5408\u3002<\/p>\n\n\n\n

\u4f46\u662f\uff0c\u5728 Web \u4f3a\u670d\u5668\uff08IIS\uff09\u4f4d\u65bc\u8ca0\u8f09\u5e73\u8861\u5668\u4e0b\u4e14\u901a\u8a0a\u4f7f\u7528 SSL\/TLS \u52a0\u5bc6\u7684\u74b0\u5883\u4e2d\uff0c\u6b64 Windows \u9a57\u8b49\u53ef\u80fd\u7121\u6cd5\u6b63\u5e38\u904b\u4f5c\u3002\u9019\u662f\u70ba\u4ec0\u9ebc\uff1f<\/span><\/p>\n\n\n\n

\n
\n

\u5982\u679c Windows \u9a57\u8b49\u6210\u529f\uff0c\u60a8\u5c07\u80fd\u5920\u7121\u7e2b\u5b58\u53d6\u8eab\u4efd\u9a57\u8b49\u7ad9\u9ede\uff0c\u4f46\u5982\u679c\u5931\u6557\uff0c\u5247\u6703\u986f\u793a\u767b\u5165\u64a5\u865f\u3002\u5982\u679c\u60a8\u672a\u80fd\u6b63\u78ba\u9a57\u8b49\uff0c\u60a8\u5c07\u6536\u5230 HTTP \u932f\u8aa4 401.1 \u2013 \u672a\u6388\u6b0a\u3002<\/p>\n<\/div>\n\n\n\n

\n
\"\"<\/figure>\n<\/div>\n<\/div>\n\n\n\n

\u91cd\u9ede\u662f Windows \u9a57\u8b49\u7684\u5de5\u4f5c\u539f\u7406<\/strong> \u548c \u8ca0\u8f09\u5e73\u8861\u5668\u64cd\u4f5c<\/strong> \u4f4d\u65bc\u3002<\/p>\n\n\n\n

NTLM \u662f\u4e00\u7a2e\u900f\u904e\u6bcf\u500b\u7528\u6236\u7aef\u548c\u4f3a\u670d\u5668\u4e4b\u9593\u7684\u55ae\u4e00 TCP \u9023\u7dda\u9032\u884c\u7684\u8cea\u8a62\/\u56de\u61c9\u9a57\u8b49\u65b9\u6cd5\u3002\u4f7f\u7528 Kerberos\uff0c\u7528\u6236\u7aef\u9084\u53ef\u4ee5\u6839\u64da\u670d\u52d9\u8b58\u5225\u78bc (SPN) \u53d6\u5f97\u7968\u8b49\u4e26\u5c07\u5176\u50b3\u9001\u7d66 IIS\u3002\u9019\u4e9b\u6191\u8b49\u900f\u904e HTTP \u6a19\u982d\u50b3\u9001\uff08\u6388\u6b0a\uff1a\u5354\u5546...<\/code> \u4ea4\u6613\u5c31\u662f\u63a1\u7528\u9019\u7a2e\u65b9\u6cd5\u9032\u884c\u7684\u3002\u4f46\u662f\uff0c\u7b2c 7 \u5c64\u8ca0\u8f09\u5e73\u8861\u5668\u6703\u5728\u81ea\u5df1\u7684\u88dd\u7f6e\u4e0a\u7d42\u6b62\u4f86\u81ea\u5ba2\u6236\u7aef\u7684 HTTPS \u9023\u63a5\uff0c\u5206\u6790\u5167\u5bb9\uff0c\u4e26\u5c07\u5176\u4f5c\u70ba\u65b0\u8acb\u6c42\u8f49\u767c\u5230\u5f8c\u7aef IIS\u3002\u5728\u6b64\u904e\u7a0b\u4e2d\u5ba2\u6236\u7aef\u548c IIS \u4e4b\u9593\u7684\u7aef\u5c0d\u7aef TLS \u6703\u8a71\u7d42\u6b62\u3002<\/span>\u6b64\u5916\uff0cNTLM \u7b49\u6301\u4e45\u6027\u8eab\u5206\u9a57\u8b49\u8cc7\u8a0a\u4e0d\u6703\u88ab\u7e7c\u627f\uff0c\u5f9e\u800c\u5c0e\u81f4\u8eab\u4efd\u9a57\u8b49\u904e\u7a0b\u5931\u6557\u3002<\/p>\n\n\n\n

\u9451\u65bc\u4e0a\u8ff0\u80cc\u666f\uff0c\u672c\u6587 \u300d\u8ca0\u8f09\u5e73\u8861\u5668<\/strong><\/strong> + \u8a2d\u5b9a IIS \u6574\u5408 Windows \u9a57\u8b49\u4ee5\u5728 SSL \u74b0\u5883\u4e2d\u6210\u529f<\/strong> \u6211\u5011\u5c07\u8003\u616e\u4ee5\u4e0b\u5167\u5bb9\u3002\u6211\u5011\u5c07\u5217\u51fa\u4e09\u7a2e\u5178\u578b\u7684\u914d\u7f6e\u6a21\u5f0f\uff0c\u4e26\u91dd\u5c0d\u6bcf\u7a2e\u6a21\u5f0f\u89e3\u91cb\u662f\u5426\u652f\u63f4 Windows \u9a57\u8b49\u3001\u652f\u63f4\u7684\u6280\u8853\u539f\u56e0\u4ee5\u53ca\u914d\u7f6e\u7684\u512a\u7f3a\u9ede\u3002<\/p>\n\n\n\n

\u5404\u914d\u7f6e\u65b9\u6848\u6280\u8853\u9a57\u8b49<\/h2>\n\n\n\n

\u2460\uff1aL7\u8ca0\u8f09\u5e73\u8861\u5668SSL\u7d42\u6b62+\u8f49\u9001\u5230IIS\uff0880\u6216443\uff09<\/h3>\n\n\n\n

\u7528\u6236\u7aef \u2500\u2500HTTPS\u2500\u2500\u25b6 L7 \u8ca0\u8f09\u5e73\u8861\u5668\uff08SSL \u7d42\u6b62\uff09\u2500\u2500HTTP(S)\u2500\u2500\u25b6 IIS\uff0880 \u6216 443\uff09<\/p>\n\n\n\n

\u53ef\u7528\u6027<\/strong><\/h4>\n\n\n\n

\u6b64\u914d\u7f6e\u4e0d\u652f\u63f4 Windows \u8eab\u4efd\u9a57\u8b49\u3002\u7121\u6cd5\u4f7f\u7528<\/span>\u662f<\/p>\n\n\n\n

\u539f\u56e0<\/strong><\/h4>\n\n\n\n

\u7531\u65bc\u5ba2\u6236\u7aef\u8207 IIS \u4e4b\u9593\u7684 TLS \u6703\u8a71\u5728\u8ca0\u8f09\u5e73\u8861\u5668\u4e0a\u4e00\u65e6\u7d42\u6b62\uff0c\u7121\u6cd5\u5be6\u73fe\u7aef\u5c0d\u7aef\u6191\u8b49\u50b3\u8f38<\/span>\u9019\u5c31\u662f\u539f\u56e0\u3002 L7 \u8ca0\u8f09\u5e73\u8861\u5668\u89e3\u5bc6\u6536\u5230\u7684 HTTPS \u6d41\u91cf\u4e26\u4ee3\u8868\u7528\u6236\u7aef\u5b58\u53d6 IIS\u3002\u6b64\u6642\uff0c\u5ba2\u6236\u7aef\u61c9\u8a72\u767c\u9001 \u6388\u6b0a\u65b9\u5f0f\uff1a\u5354\u5546<\/code> \u6a19\u982d\uff08\u5305\u62ec Kerberos \u7968\u8b49\u548c NTLM \u4ee4\u724c\u7684\u8eab\u4efd\u9a57\u8b49\u6a19\u982d\uff09\u5c07\u7121\u6cd5\u6b63\u78ba\u5230\u9054 IIS\u3002\u5177\u9ad4\u4f86\u8aaa\uff0c\u4f7f\u7528 NTLM\uff0cIIS \u5411\u521d\u59cb\u8acb\u6c42\u767c\u9001\u7684\u8eab\u4efd\u9a57\u8b49\u8cea\u8a62\u56de\u61c9 (\u842c\u7dad\u7db2\u8a8d\u8b49<\/code>\uff09\u5ba2\u6236\u7aef\u767c\u9001\u91cd\u65b0\u8acb\u6c42\uff0c\u4f46\u900f\u904e LB\u672a\u7dad\u6301\u76f8\u540c\u7684 TCP \u6703\u8a71<\/span>\u56e0\u6b64\uff0cNTLM \u63e1\u624b\u6c92\u6709\u6210\u529f\u3002<\/p>\n\n\n\n

\u4e8b\u5be6\u4e0a\uff0c\u5373\u4f7f\u5728 AWS \u74b0\u5883\u4e2d\uff0cWindows \u9a57\u8b49\u4e5f\u4e0d\u9069\u7528\u65bc\u61c9\u7528\u7a0b\u5f0f\u8ca0\u8f09\u5e73\u8861\u5668 (ALB) \u6216 HTTP \u5075\u807d\u5668\uff0c\u9700\u8981\u7db2\u8def\u8ca0\u8f09\u5e73\u8861\u5668 (NLB) \u7b49 TCP \u7d1a LB\u3002\u53c3\u8003<\/a>]\u3002\u6b64\u5916\uff0cAzure \u61c9\u7528\u7a0b\u5f0f\u9598\u9053 v2 \u4e0d\u652f\u63f4\u5c07\u5305\u62ec\u6574\u5408\u5f0f\u9a57\u8b49\u5728\u5167\u7684 HTTP \u6a19\u982d\u50b3\u905e\u5230\u5f8c\u7aef\u3002\u53c3\u8003<\/a>]\u3002<\/p>\n\n\n\n

\u4e8b\u5be6\u4e0a\uff0c\u5b83\u4e26\u672a\u5f97\u5230\u6bcf\u500b\u96f2\u7aef\u4f9b\u61c9\u5546\u7684\u8a17\u7ba1 LB \u7684\u5b98\u65b9\u652f\u6301\uff0c\u9019\u8868\u660e\u5728 L7 \u5c64\u7d1a\u7dad\u8b77 Windows \u9a57\u8b49\u975e\u5e38\u56f0\u96e3\u3002<\/p>\n\n\n\n

\u2461\uff1aL4\u8ca0\u8f09\u5e73\u8861\u5668\uff08TLS\u76f4\u901a\uff09+IIS\u8f49\u767c<\/h3>\n\n\n\n

\u5ba2\u6236\u7aef \u2500\u2500HTTPS\u2500\u2500\u25b6 L4 \u8ca0\u8f09\u5e73\u8861\u5668 (TLS \u76f4\u901a) \u2500\u2500HTTPS\u2500\u2500\u25b6 IIS (443)<\/p>\n\n\n\n

\u53ef\u7528\u6027<\/strong><\/h4>\n\n\n\n

\u6b64\u914d\u7f6e\u4f7f\u7528 Windows \u8eab\u4efd\u9a57\u8b49\u3002\u76f8\u5bb9\u7684<\/span>\u662f<\/p>\n\n\n\n

\u539f\u56e0<\/strong><\/h4>\n\n\n\n

\u7531\u65bc L4 \u8ca0\u8f09\u5e73\u8861\u5668\uff08\u5728 OSI \u7b2c 4 \u5c64\u904b\u884c\u7684 LB\uff09\u5728 TCP \u7b49\u7d1a\u4e2d\u7e7c\u8cc7\u6599\u5305\uff0c\u5ba2\u6236\u7aef\u548c IIS \u4e4b\u9593\u7684 TLS \u6703\u8a71\u662f\u7aef\u5c0d\u7aef\u7dad\u8b77\u7684<\/span>\u5c07\u6703\u5b8c\u6210\u3002\u8ca0\u8f09\u5e73\u8861\u5668\u4e0d\u6703\u7d42\u6b62\u52a0\u5bc6\uff0c\u800c\u53ea\u662f\u7c21\u55ae\u5730\u5c07 TCP \u9023\u7dda\u672c\u8eab\u5206\u9001\u5230\u6bcf\u500b\u4f3a\u670d\u5668\uff0c\u56e0\u6b64\u7dad\u6301\u4e86 NTLM \u9a57\u8b49\u6240\u9700\u7684\u300c\u5728\u540c\u4e00\u500b TCP \u9023\u7dda\u4e0a\u9032\u884c\u901a\u8a0a\u300d\u3002\u81f3\u65bc Kerberos\uff0c\u5f9e\u5ba2\u6236\u7aef\u7684\u89d2\u5ea6\u4f86\u770b\uff0c\u5b83\u53ef\u4ee5\u88ab\u91cd\u73fe\uff0c\u5c31\u597d\u50cf\u5ba2\u6236\u7aef\u76f4\u63a5\u9023\u63a5\u5230 IIS\uff08\u670d\u52d9\uff09\u7684 FQDN \u4e00\u6a23\uff0c\u56e0\u6b64\u53ea\u8981\u9069\u7576\u5730\u8a2d\u5b9a SPN\uff0c\u57fa\u65bc\u7968\u8b49\u7684\u8eab\u4efd\u9a57\u8b49\u5c31\u6703\u6309\u539f\u6a23\u9032\u884c\u3002 AWS NLB \u548c\u7d93\u5178 LB TCP \u5075\u807d\u5668\u6a21\u5f0f\u3001Azure \u5167\u90e8\u8ca0\u8f09\u5e73\u8861\u5668\u3001F5 L4 \u6a21\u5f0f\u7b49\u5c6c\u65bc\u6b64\u985e\uff08\u5176\u4ed6\u5305\u62ec HAProxy TCP \u6a21\u5f0f\u548c nginx \u6d41\uff09\uff0c\u4e26\u4e14\u53ef\u4ee5\u900f\u904e Windows \u6574\u5408\u9a57\u8b49\u3002<\/p>\n\n\n\n

\u597d\u5904<\/strong><\/h4>\n\n\n\n

\u5f9e\u5ba2\u6236\u7aef\u5230\u4f3a\u670d\u5668\u7684 TLS \u6703\u8a71\u4e0d\u6703\u4e2d\u65b7\u3002Windows \u9a57\u8b49\u5354\u5b9a\u7e7c\u7e8c\u6b63\u5e38\u904b\u4f5c<\/span>\u80fd\u3002 NTLM \u4e09\u6b21\u63e1\u624b\u4e5f\u5728\u55ae\u4e00\u9023\u7dda\u5167\u5b8c\u6210\uff0c\u4e26\u4e14 Kerberos \u7968\u8b49\u88ab\u5f8c\u7aef\u4f3a\u670d\u5668\u6b63\u78ba\u63a5\u6536\u3002\u6b64\u5916\uff0c\u7531\u65bcLB\u662fL4\u64cd\u4f5c\uff0c\u56e0\u6b64\u5176\u958b\u92b7\u8f03\u4f4e\uff0c\u4e26\u4e14\u53ef\u4ee5\u9810\u671f\u5be6\u73fe\u9ad8\u541e\u5410\u91cf\u3002<\/p>\n\n\n\n

\u8d4f\u7f5a<\/strong><\/h4>\n\n\n\n

\u914d\u7f6e L4 \u8ca0\u8f09\u5e73\u8861\u5668\u7684\u6700\u5927\u6311\u6230\u662f\u7121\u6cd5\u57f7\u884c\u8a73\u7d30\u7684\u57fa\u65bc\u8def\u5f91\u6216\u57fa\u65bc\u4e3b\u6a5f\u540d\u7684\u8def\u7531\u3002\u4f8b\u5982\uff0c\u5728 URL \u8def\u5f91\u4e2d\uff08\u4f8b\u5982\/api<\/code>,,\/\u804a\u5929<\/code>\u5c07\u6bcf\u500b\u8acb\u6c42\uff08\u6216\u591a\u500b\u8acb\u6c42\uff09\u5206\u767c\u5230\u4e0d\u540c\u7684\u5f8c\u7aef\u4f3a\u670d\u5668\u662f\u53ea\u6709 L7\uff08HTTP\uff09\u624d\u80fd\u5be6\u73fe\u7684\u529f\u80fd\uff0c\u800c L4\uff08TCP\uff09\u5247\u7121\u6cd5\u5be6\u73fe\u3002<\/p>\n\n\n\n

\u56e0\u6b64\uff0c\u6839\u64da\u7cfb\u7d71\u9700\u6c42\uff0c\u53ef\u80fd\u9700\u8981\u6e96\u5099\u591a\u500b FQDN\uff0c\u4e26\u5728\u8ca0\u8f09\u5e73\u8861\u5668\u5167\u70ba\u4e0d\u540c\u7528\u9014\uff08Web \u4f3a\u670d\u5668\u3001\u7528\u65bc Windows \u9a57\u8b49\u7684\u4f3a\u670d\u5668\u7b49\uff09\u6307\u6d3e\u4e0d\u540c\u7684\u865b\u64ec\u4f3a\u670d\u5668\uff0c\u9019\u6703\u5e36\u4f86\u4f7f\u8a2d\u5b9a\u66f4\u52a0\u56f0\u96e3\u7684\u7f3a\u9ede\u3002<\/p>\n\n\n\n

\u5177\u9ad4\u4f86\u8aaa\uff0c\u7576\u4f7f\u7528 FQDN\uff08\u5b8c\u5168\u9650\u5b9a\u7db2\u57df\u540d\u7a31\uff09\u5b58\u53d6 Windows \u9a57\u8b49\u9801\u9762\u6642\uff0c SPN \u8a3b\u518a<\/a> \u76f8\u7576\u8907\u96dc\uff0c\u8acb\u53c3\u898b\u4e0b\u6587\u3002<\/p>\n\n\n

\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\u7528\u4e8e\u7f51\u7edc\u4f1a\u8bae\u7684\u804a\u5929\u548c\u4fe1\u4f7f\u529f\u80fd<\/span>\n\t\t\t\t\t
\"\"<\/figure><\/div>\t\t\t\t\t
\n\t\t\t\t\t\t\u5728 L4 \u8ca0\u8f09\u5e73\u8861\u5668\u74b0\u5883\u4e2d\u6210\u529f\u9032\u884c IIS \u6574\u5408 Windows \u9a57\u8b49\u7684 IIS \u8a2d\u5b9a | Web \u6703\u8b70\u804a\u5929\u548c Messenger<\/a>\n\t\t\t\t\t\t\u6982\u8ff0\u672c\u6587\u4ecb\u7d39\u5982\u4f55\u5728 L4 \u8ca0\u8f09\u5e73\u8861\u5668 + SSL \u7d42\u6b62\u74b0\u5883\u4e2d\u7684 IIS \u4e2d\u8a2d\u5b9a\u6574\u5408 Windows \u9a57\u8b49 (IWA)\u3002\u6b64\u65b9\u6cd5\u2026<\/span>\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\n\n

\u53e6\u5916\uff0c\u8acb\u6ce8\u610f\uff0cWindows \u9a57\u8b49\u6240\u9700\u7684\u4ee5\u4e0b\u8a2d\u5b9a\u5747\u8a2d\u5b9a\u8ca0\u8f09\u5e73\u8861\u5668\u7684 FQDN\u3002<\/p>\n\n\n\n