Changes to NTLM authentication for HttpWebRequest in Version 3.5 SP1

Security changes were made in .NET Framework version 3.5 SP1 and later that affect how integrated Windows authentication is handled by the HttpWebRequest, HttpListener, NegotiateStream, and related classes in the System.Net namespace. These changes can affect applications that use these classes to make web requests and receive responses where integrated Windows authentication based on NTLM is used. This change can impact both web servers and client applications that are configured to use integrated Windows authentication.

Overview

The design of integrated Windows authentication allows some credential responses to be universal, meaning they can be reused or forwarded. If this particular design feature is not needed, then the authentication protocols should carry target-specific information as well as channel-specific information. Services can then provide extended protection to ensure that credential responses contain service-specific information such as a Service Principal Name (SPN). With this information in the credential exchange, services are better able to protect against malicious use of credential responses that might have been improperly obtained.

Multiple components in the System.Net and System.Net.Security namespaces perform integrated Windows authentication on behalf of a calling application. This section describes changes to System.Net components that add extended protection to their use of integrated Windows authentication.

Changes

The NTLM authentication process used with integrated Windows authentication includes a challenge issued by the destination computer and sent back to the client computer. When a computer receives a challenge that it generated itself, the authentication fails unless the connection is a loopback connection (for example, IPv4 address 127.0.0.1).

When accessing a service running on an internal Web server, it is common to use a URL similar to http://contoso/service or https://contoso/service. The name "contoso" is often not the computer name of the computer on which the service is deployed. The System.Net and related namespaces support resolving names to addresses using Active Directory, DNS, NetBIOS, the local computer's hosts file (typically WINDOWS\system32\drivers\etc\hosts), or the local computer's lmhosts file (typically WINDOWS\system32\drivers\etc\lmhosts). The name "contoso" is resolved so that requests sent to "contoso" reach the appropriate server computer.

When configured for large deployments, it is also common for a single virtual server name to be given to the deployment, with the underlying machine names never used by client applications and end users. For example, you might call the server www.contoso.com, but on an internal network simply use "contoso". This name is carried in the Host header of the client web request. As specified by the HTTP protocol, the Host request-header field specifies the Internet host and port number of the resource being requested. This information is obtained from the original URI given by the user or referring resource (generally an HTTP URL). On .NET Framework version 4, this information can also be set by the client using the new Host property.

The AuthenticationManager class controls the managed authentication components ("modules") that are used by WebRequest-derived classes and the WebClient class. The AuthenticationManager class provides a property that exposes an AuthenticationManager.CustomTargetNameDictionary object, indexed by URI string, through which applications supply a custom SPN string to be used during authentication.

When the CustomTargetNameDictionary property is not set, version 3.5 SP1 now defaults to building the SPN used in the NTLM (NT LAN Manager) authentication exchange from the host name in the request URL. That host name may differ from the Host header specified in the System.Net.HttpRequestHeader of the client request. It may also differ from the actual host name of the server, the machine name of the server, the computer's IP address, or the loopback address. In these cases, Windows fails the authentication request. To address the issue, Windows must be told that the host name used in the request URL of the client request ("contoso", for example) is actually an alternate name for the local computer.
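The client-side alternative described above, as an added example that is not code from the original article: the application registers its own SPN for a URL prefix in CustomTargetNameDictionary so that System.Net does not derive the SPN from the host name in the URL. The URL http://contoso/service and the SPN HTTP/contoso are placeholders; the SPN must be one that the target service actually holds.

```csharp
using System;
using System.IO;
using System.Net;

// Added example (not from the original article): supply a custom SPN for one
// URL prefix instead of letting System.Net build it from the request host name.
static class CustomSpnClient
{
    public static string Fetch(string urlPrefix, string spn)
    {
        // Keys are URI strings. The entry applies to the request URL itself and
        // to any request URL that starts with this prefix. Register the SPN
        // before the request is created so the NTLM module can look it up.
        AuthenticationManager.CustomTargetNameDictionary[urlPrefix] = spn;

        var request = (HttpWebRequest)WebRequest.Create(urlPrefix);
        request.UseDefaultCredentials = true;   // integrated Windows authentication

        using (var response = (HttpWebResponse)request.GetResponse())
        using (var reader = new StreamReader(response.GetResponseStream()))
        {
            return reader.ReadToEnd();
        }
    }

    static void Main()
    {
        // Placeholder values. A wrong SPN does not weaken anything: Windows
        // fails the authentication, which is the protection this article
        // describes, so verify the SPN against the service's registration.
        Console.WriteLine(Fetch("http://contoso/service", "HTTP/contoso"));
    }
}
```

The dictionary is process-wide, so set it once at startup rather than per request, and keep it to the URL prefixes whose SPN you have verified.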

There are several possible ways for a server application to work around this change. The recommended approach is to map the host name used in the request URL to the BackConnectionHostNames key in the registry on the server. The BackConnectionHostNames registry key is normally used to map a host name to a loopback address. The steps are listed below.

To specify the host names that are mapped to the loopback address and can connect to Web sites on a local computer, follow these steps:

  1. Click Start, click Run, type regedit, and then click OK.

  2. In Registry Editor, locate and then click the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

  3. Right-click MSV1_0, point to New, and then click Multi-String Value.

  4. Type BackConnectionHostNames, and then press ENTER.

  5. Right-click BackConnectionHostNames, and then click Modify.

  6. In the Value data box, type the host name or host names for the sites on the local computer (the host name used in the request URL), and then click OK.

  7. Quit Registry Editor, and then restart the IISAdmin service and run IISReset.
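The same procedure scripted in C#, as an added example that is not part of the original article: it appends the given names to the BackConnectionHostNames multi-string value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 without overwriting entries already there, then runs iisreset for step 7. It assumes it runs elevated on the server; the host names passed in Main are placeholders.

```csharp
using System;
using System.Diagnostics;
using System.Linq;
using Microsoft.Win32;

// Added example (not from the original article): steps 2 to 7 above, scripted.
// Requires administrative rights on the server.
static class BackConnectionHostNames
{
    const string KeyPath = @"SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0";
    const string ValueName = "BackConnectionHostNames";

    // Merges the names into the REG_MULTI_SZ value and returns the final list.
    public static string[] Add(params string[] hostNames)
    {
        using (var key = Registry.LocalMachine.OpenSubKey(KeyPath, writable: true))
        {
            if (key == null)
                throw new InvalidOperationException("MSV1_0 key not found");

            // A missing value reads as null; an existing one reads as string[].
            var existing = key.GetValue(ValueName) as string[] ?? new string[0];
            var merged = existing.Concat(hostNames)
                .Select(n => n.Trim())
                .Where(n => n.Length > 0)
                .Distinct(StringComparer.OrdinalIgnoreCase)
                .ToArray();

            key.SetValue(ValueName, merged, RegistryValueKind.MultiString);
            return merged;
        }
    }

    // Step 7: iisreset restarts the IIS services, including IISAdmin.
    public static void RestartIis()
    {
        using (var p = Process.Start("iisreset.exe"))
        {
            p.WaitForExit();
        }
    }

    static void Main()
    {
        // Placeholder names. Every entry here is exempted from the loopback
        // check, so list only the names the request URLs actually use.
        var names = Add("contoso", "www.contoso.com");
        Console.WriteLine(string.Join(Environment.NewLine, names));
        RestartIis();
    }
}
```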

A less secure workaround is to disable the loopback check, as described in https://support.microsoft.com/kb/896861. This disables the protection against reflection attacks. It is therefore better to constrain the set of alternate names to only those you expect the machine to actually use.

See also