月度归档:2011年11月

AsyncResult 自定义 IAsyncResult 类

    /// <summary>
    /// 异步请求对象
    /// </summary>
    public class AsyncResult : IAsyncResult
    {
        static readonly object lockObject = new object();
        private ManualResetEvent completeEvent = null;
       
        #region IAsyncResult 成员

        /// <summary>
        /// 初始化
        /// </summary>
        /// <param name="cb">回调方法</param>
        /// <param name="asyncState">用户状态数据</param>
        internal AsyncResult(AsyncCallback cb,object asyncState)
        {
            this.Callback = cb;
            this.AsyncState = asyncState;
            this.IsCompleted = false;
            this.ParentResult = null;
            this.Exception = null;
            this.State = null;
        }

        /// <summary>
        /// 获取用户状态数据
        /// </summary>
        public object AsyncState
        {
            get;
            internal set;
        }

        /// <summary>
        /// 获取或设置自定义状态数据
        /// </summary>
        public object State
        {
            get;
            set;
        }

        /// <summary>
        /// 异步等待句柄
        /// </summary>
        public System.Threading.WaitHandle AsyncWaitHandle
        {
            get
            {
                lock (lockObject)
                {
                    if (this.completeEvent == null)
                        this.completeEvent = new ManualResetEvent(false);

                    return this.completeEvent;
                }
            }
        }

        /// <summary>
        /// 完成同上
        /// </summary>
        public bool CompletedSynchronously
        {
            get { return false; }
        }

        /// <summary>
        /// 是否已完成
        /// </summary>
        public bool IsCompleted
        {
            get;
            private set;
        }

        #endregion

        /// <summary>
        /// 父级Result,如果存在
        /// </summary>
        public IAsyncResult ParentResult { get; set; }
       
        /// <summary>
        /// 获取异步完成调用
        /// </summary>
        public AsyncCallback Callback
        {
            get;
            internal set;
        }

        /// <summary>
        /// 获取或设置异步过程中产生的异常
        /// </summary>
        public Exception Exception { get; set; }

        /// <summary>
        /// Completes the request.
        /// </summary>
        public void Completed()
        {
            this.IsCompleted = true;
            lock (lockObject)
            {
                if (this.completeEvent != null)
                    this.completeEvent.Set();
            }

            if (this.Callback != null)
                this.Callback(this);
        }

        /// <summary>
        /// Completes the request.
        /// </summary>
        public void Completed(Exception ex) {
            this.Exception = ex;
            this.Completed();
        }
    }

windows firewall backup

防火墙的备份与恢复
服务器上能少装软件则少装,WINDOWS2003系统自带的防火墙自身已经很优良了,在个别需要的情形下,完整不需要在装置第三方软件。
默认情况下Windows系统自带的防火墙中增加的过滤规则信息都是保留在注册表中的,我们可以通过注册表相要害值的导入与导出实现备份和恢复系统自带防火墙过滤规则的功能。
第一步:通过“开始”->“运行”,输入regedit翻开注册表编纂器。
第二步:找到
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters
\FirewallPolicy\StandardProfile\AuthorizedApplications\List这个键值。
第三步:将这个键值的所有内容导出成一个注册表文件,这样就实现了将系统自带防火墙过滤规则的备份工作。
第四步:假如以后要还原这些过滤规则的话只需要双击运行该注册表文件导入键值即可。
其余软件防火墙的备份与恢复也很简略。只须要备份规矩即可。基础都有规则导入导出功效,导出来就能够实现备份了。

SVN设置外部svn:external属性(TortoiseSVN端和服务器端)

  当你有两个svn仓库,一个库是您的产品代码,另外一个库是公共代码库。发布代码时,需要从两个库同时发布,可以通过svn external 的属性将公共库作为产品库的一个目录共同发布,并且只是一种引用关系。你需要设置客户端或者服务器svn属性,如果是客户端设置,只对客户端有效,如果设置服务器端,将对所有签入签出都有效。属性设置在父目录上(相对于存放外部仓库的目录),属性的值格式为: Directory RepositoryURL。
          例如:

 Property  Value
 svn:externals  Framework https://svn.example.com/Framework/trunk/Framework

  用TortoiseSVN设置的方法:

客服端
假设开发目录是project目录,你需要在libs目录下增加一个Framework目录(外部仓库)。那么右键点击libs目录(Framework的父目录),选择"TortoiseSVN","Properties",点击"New",从下拉菜单选择 "svn:externals",在键值的框内,输入Framework https://svn.example.com/Framework/trunk/Framework     ,关闭对话框。然后,右键选择libs目录,svn update,这时候,svn将在libs目录下创建一个叫Framework的目录,并从外部仓库检入这些外部仓库的文件到你本地的工作目录。

服务器端
假设开发目录是project目录,你需要在libs目录下增加一个Framework目录(外部仓库)。那么右键点击libs目录(Framework的父目录),选择"TortoiseSVN","Repo-Browser",在弹出框中选择libs目录选择"Show Properties",点击"New",输入"svn:externals",在键值的框内,输入Framework https://svn.example.com/Framework/trunk/Framework     ,关闭对话框。

 

----------------------------------------------------

Eclipse的SVN插件 Subclipse

Subclipse 是一个为 Eclipse IDE 添加 Subversion 支持的项目。支持几乎所有版本的Eclipse。

Eclipse的更新地址是:
http://subclipse.tigris.org/update_1.6.x
http://subclipse.tigris.org/update_1.8.x (支持Subversion 1.7.x)

 

PHP Headers Examples - 301,302, Redirects, 404, Javascript, Download, Authentication dialog Headers

301 moved permanently (redirect): 
<?php 
header
('HTTP/1.1 301 Moved Permanently');
header('Location: http://www.example.com');
die();
?> 

302 moved temporarily(redirect): 
<?php 
header
('Location: http://www.example.com');
die();
?> 

404 Page Not Found: 
<?php 
header
('HTTP/1.1 404 Not Found');
?> 

Service not avaliable: 
<?php 
header
('HTTP/1.1 503 Service Temporarily Unavailable');
header('Status: 503 Service Temporarily Unavailable');
header('Retry-After: 60');
?> 

CSS: 
<?php
header
('Content-Type: text/css');
?> 

Javascript header: 
<?php 
header
('Content-Type: application/javascript');
?> 

Images:
For JPEG(jpg): 
<?php 
header
('Content-Type: image/jpeg');
?> 

For PNG: 
<?php 
header
('Content-Type: image/png');
?> 

For BMP: 
<?php 
header
('Content-Type: image/bmp');
?> 

PDF (output pdf with php): 
<?php 
header
('Content-Type: application/pdf');
echo 
file_get_contents('filename.pdf');
?> 

Cache (force browsers not to cache files): 
<?php 
header
('Expires: Sat, 26 Jul 1997 05:00:00 GMT');
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Cache-Control: pre-check=0, post-check=0, max-age=0');
header ('Pragma: no-cache'); 
?> 

Download dialog: 
<?php 
header
('Content-Disposition: attachment; filename=' urlencode($f));   
header('Content-Type: application/force-download');
header('Content-Type: application/octet-stream');
header('Content-Type: application/download');
header('Content-Description: File Transfer');            
header('Content-Length: ' filesize($f));
echo 
file_get_contents($f);
?> 

Authentication (force the browser to pop up a Username/Password input window) - only available when PHP is running as an Apache module: 
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    
header('WWW-Authenticate: Basic realm="The Realm"');
    
header('HTTP/1.0 401 Unauthorized');
    echo 
'If cancel is pressed this text shows';
    die();
} else {
//always escape your data//
$user='user';
$pass='pass';
   if(
$_SERVER['PHP_AUTH_USER']==$user && $_SERVER['PHP_AUTH_PW']==$pass){
    echo 
'Authorized';
}
}

一个例子理解C#位移

C#位移运算符

移:<<

移:>>

 

位移理解可能简单一些:其实就是数据转换成二进制的左右移动;右移左补0,左移右补0,后面多出来的部分去掉。


用乘除法去理解位移也可以:

     左位移:相当于

             左移1位相当于乘2,左移2位相当于乘4,左移3位相当于乘8,左移4位相当于乘16...类推

     位移:相当于

             右移1位相当于除2,右移2位相当于除4,右移3位相当于除8,右移4位相当于除16...类推

 

 

下面用一个曾经回答一个网友的提问来理解一下位移的运算

 

题目:把89右位移一位:

   string flag = Convert.ToString(89, 2);    //这是把你的89转为2进制数。。
  
  //flag结果:1011001
  //你要右位移,左边补个0,后面多出来一位去掉    int j = Convert.ToInt32("0101100", 2);    //再把2进制转化了10进制数。。

  //结果:44

  //位移就是这么简单

 

ISAPI_rewrite中文手册

配置:
在NT 2000
XP和2003平台上,在系统帐户下应该INETINFO程序应该与IIS5以共存模式过滤器运行。所以系统帐户应该给予对所有的ISAPI-
REWIRITE DLLS
和所有的HTTPD。INI文件至少可读权限,我们也推荐对给予系统帐户对于所有包括HTTPD。INI文件的文件夹的可写权限,这将允许产生HTTP。
PARSE。ERRORS文件,这些文件包含配置文件语法错误。对于PROXY模块也需要额外的权限,因为它将运行于连接池或HIGH-ISPLATED
应用模式,IIS帐户共享池和HIGH-ISOLATION池应被给予
对RWHELPERE。DLL的可读权限。缺省情况下IWAM-《计算机名》被用于所有的池,在相应的COM+应用设置中应借助
COM+ADMINISTRATION MMC SNAP-IN建立池帐户
配置文件格式化:

有两种形式的配置文件
-GLOBAL(SERVER-LEVEL)和INDIVIDUAL(SITE-LEVAL)文件,GLOBAL配置文件应被命名为HTTPD.INI并
出现在ISAPI-REWRITE安装目录中,文件的快捷方式通过开始菜单提供,INDIVIDUAL配置文件应名为HTTPD。INI并且能够出现在虚
拟站点的物理根目录中,两种类型的格式化是相同的并是标准的WINDOWS。INI文件,所有的指令都应该放在这一部分并且所有指令都应该以分隔线放置,
任何这一部分以外的文本都将被忽略

HTTPD.INI文件示例

[ISAPI_Rewrite]

# This is a comment

# 300 = 5 minutes
CacheClockRate 300
RepeatLimit 20

# Block external access to the httpd.ini and httpd.parse.errors files
RewriteRule /httpd(?:.ini|.parse.errors) / [F,I,O]

# Block external access to the Helper ISAPI Extension
RewriteRule .*.isrwhlp / [F,I,O]

# Some custom rules
RewriteCond Host: (.+)

RewriteCond 指令

Syntax:(句法) RewriteCond TestVerb CondPattern [Flags]
这一指令定义一个条件规则,在 RewriteRule 或者 RewriteHeader或 RewriteProxy指令前预行RewriteCond指令,后面的规则 只有它的,模式匹配URI的当前状态并且额外的条件也被应用才会被应用。

TestVerb

Specifies verb that will be matched against regular e­xpression.
特别定义的动词匹配规定的表达式
TestVerb=(URL | METHOD | VERSION | HTTPHeaderName: | %ServerVariable) where:

URL - returns Request-URI of client request as described in RFC 2068 (HTTP 1.1);
返回客户端在RFC2068中描述的需求的Request-URI
METHOD - returns HTTP method of client request (OPTIONS, GET, HEAD, POST, PUT, Delete or TRACE);
返回客户端需求(OPTIONS, GET, HEAD, POST, PUT, Delete or TRACE)的HTTP方法
VERSION - returns HTTP version;
返回HTTP版本
HTTPHeaderName
- returns value of the specified HTTP header. HTTPHeaderName can be any
valid HTTP header name. Header names should include the trailing colon
":". If specified header does not exists in a client's request TestVerb
is treated as empty string.
返回特定义的HTTP头文件的值
HTTPHeaderName =
Accept:
Accept-Charset:
Accept-Encoding:
Accept-Language:
Authorization:
Cookie:
From:
Host:
If-Modified-Since:
If-Match:
If-None-Match:
If-Range:
If-Unmodified-Since:
Max-Forwards:
Proxy-Authorization:
Range:
Referer:
User-Agent:
Any-Custom-Header
得到更多的关于HTTP头文件的和他们的值的信息参考RFC2068

ServerVariable 返回特定义的服务器变量的值 。例如服务器端口,全部服务器变量列表应在IIS文档中建立,变量名应用%符预定;
CondPattern
The regular e­xpression to match TestVerb
规则表达式匹配TestVerb
[Flags]
Flags is a comma-separated list of the following flags:

O (nOrmalize)
Normalizes
string before processing. Normalization includes removing of an
URL-encoding, illegal characters, etc. This flag is useful with URLs and
URL-encoded headers
RewriteRule 指令
Syntax: RewriteRule Pattern FormatString [Flags]
这个指令可以不止发生一次,每个指令定义一个单独的重写规则,这些规则的定义命令很重要,因为这个命令在应用运行时规则是有用途的

I (ignore case)
不管大小写强行指定字符匹配,这个FLAG影响RewriteRule指令和相应的RewriteCond 指令
F (Forbidden)
对客户端做反应,停止REWRITING进程并且发送403错误,注意在这种情况下FORMATSTRING 是无用的并可以设置为任何非空字符串。
L (last rule)
不应用任何重写规则在此停止重写进程,使用这个FLAG以阻止当前被重写的URI被后面的规则再次重写
N (Next iteration)
强制REWRITINGENGINE调整规则目标并且从头重启规则检查(所有修改将保存),重启次数由RepeatLimit指定的值限制,如果这个数值超过N FLAG将被忽略
NS (Next iteration of the same rule)
以N标记工作不从相同的规则重启规则规则进程(例如强制重复规则应用),通过RepeatLimit指令指定一个反复实行某一规则的最大数目,
P (force proxy)
强制目的URI在内部强制为代理需求并且立即通过ISAPI扩展应付代理需求,必须确认代理字符串是一个有效的URI包括协议 主机等等否则代理将返回错误
R (explicit redirect)
强制服务器对客户端发出重定向指示即时应答,提供目的URI的新地址,重定向规则经常是最后规则
RP (permanent redirect)
几乎和[R]标记相同但是发布301HTTP状态而不是302HTTP状态代码
U (Unmangle Log)
当URI是源需求而不是重写需求时记载URI
O (nOrmalize)
在实行之前标准化字符串。标准化包括URL-ENCODING,不合法的字符的再移动等,这个标记对于URLS和URLS-ENDODED头是有用的
CL (Case Lower)
小写
CU (Case Upper)
大写
RewriteHeader directive
Syntax: RewriteHeader HeaderName Pattern FormatString [Flags]
这个指令是RewriteRule的更概括化变种,它不仅重写URL的客户端需求部分,而且重写HTTP头,这个指令不仅用于重写。生成,删除任何HTTP头,甚至改变客户端请求的方法
HeaderName
指定将被重写的客户头,可取的值与 RewriteCond 指令中TestVerb参数相同

Pattern
限定规则表达式以匹配Request-URI,
FormatString
限定将生成新的URI的FormatString
[Flags]
是一个下列FLAGS的命令分隔列表
I (ignore case)
不管大小写强行指定字符匹配,这个FLAG影响RewriteRule指令和相应的RewriteCond 指令
F (Forbidden)
对客户端做反应,停止REWRITING进程并且发送403错误,注意在这种情况下FORMATSTRING 是无用的并可以设置为任何非空字符串。
L (last rule)
不应用任何重写规则在此停止重写进程,使用这个FLAG以阻止当前被重写的URI被后面的规则再次重写
N (Next iteration)
强制REWRITINGENGINE调整规则目标并且从头重启规则检查(所有修改将保存),重启次数由RepeatLimit指定的值限制,如果这个数值超过N FLAG将被忽略

NS (Next iteration of the same rule)
以N标记工作不从相同的规则重启规则规则进程(例如强制重复规则应用),通过RepeatLimit指令指定一个反复实行某一规则的最大数目,

R (explicit redirect)
强制服务器对客户端发出重定向指示即时应答,提供目的URI的新地址,重定向规则经常是最后规则
RP (permanent redirect)
几乎和[R]标记相同但是发布301HTTP状态而不是302HTTP状态代码
U (Unmangle Log)
当URI是源需求而不是重写需求时记载URI
O (nOrmalize)
在实行之前标准化字符串。标准化包括URL-ENCODING,不合法的字符的再移动等,这个标记对于URLS和URLS-ENDODED头是有用的
CL (Case Lower)
小写
CU (Case Upper)
大写

要重移动头,FORMAT STRING模式应该生成一个空字符串,例如这一规则将从客户请求中重移代理信息
RewriteHeader User-Agent: .* $0
并且这一规则将把OLD-URL HEADER 加入请求中。
RewriteCond URL (.*)RewriteHeader Old-URL: ^$ $1
最后一个例子将通过改变请求方法定向所有的WEBDAV请求到/WEBDAV。ASP
RewriteCond METHOD OPTIONS
RewriteRule (.*) /webdav.asp?$1
RewriteHeader METHOD OPTIONS GET
RewriteProxy directive
Syntax: RewriteProxy Pattern FormatString [Flags]
强制目的URI在内部强制为代理需求并且立即通过ISAPI扩展应付代理需求,这将允许IIS作为代理服务器并且重路由到其他站点和服务器
Pattern
限定规则表达式以匹配Request-URI,
FormatString
限定将生成新的URI的FormatString
[Flags]
是一个下列FLAGS的命令分隔列表
D (Delegate security)
代理模式将试图以当前假冒的用户资格登陆远程服务器,
C (use Credentials)
代理模式将试图一在URL或基本授权头文件中指定的资格登陆远程服务器,用这个标记你可以使用http://user:password@host.com/path/ syntax 作为URL
F (Follow redirects)
缺省情况下ISAPI_Rewrite 将试图将MAP远程服务器返回的重定向指令到本地服务器命名空间,如果远程服务器返回重定向点到那台服务器其他的某个位置,ISAPI_Rewrite 将修改这一重定向指令指向本服务器名,这将避免用户看到真实(内部)服务器名称
使用F标记强制代理模式内部跟踪远程服务器返回的重定向指令,使用这个标记如果你根本不需要接受远程服务器的重定向指令,在WINHTTP设置中有重定向限制以避免远程重定向循环
I (ignore case)
不管大小写强行指定字符匹配
U (Unmangle Log)
当URI是源需求而不是重写需求时记载URI
O (nOrmalize)
在实行之前标准化字符串。标准化包括URL-ENCODING,不合法的字符的再移动等,这个标记对于URLS和URLS-ENDODED头是有用的
CacheClockRate directive
Syntax: CacheClockRate Interval
这个指令只在GLOBAL配置内容中出现,如果这个指令在SITE-LEVEL内容中出现将被忽略并把错误信息写入httpd.parse.errors 文件
ISAPI_Rewrite

caches每次在第一次加载时配置,使用这个指令你可以限定当一个特定站点从缓存中清理的不活动周期,把这个参数设置的足够大你可以强制
ISAPI_Rewrite 永不清理缓存,记住任何配置文件的改变将在下次请求后立即更新而忽略这个周期
Interval
限定特定配置被清理出缓存的不作为时间(以秒计),缺省值3600(1小时)
EnableConfig and DisableConfig directives
Syntax:
EnableConfig [SiteID|"Site name"]
DisableConfig [SiteID|"Site name"]
对所选站点激活或不激活SITE-LEVEL配置或者改变缺省配置,缺省SITE-LEVEL配置不激活,这个指令只出现在GLOBAL配置内容中
SiteID
Numeric metabase identifier of a site

Site name
Name of the site as it appears in the IIS console
不用参数使用这个命令将改变缺省配置到ENABLE/DISABLE配置进程
例子
下面例子将使配置仅作用于ID=1(典型是缺省站点)名字是MY SITE的站点
DisableConfig
EnableConfig 1
EnableConfig"My site"
下边例子将激活名称为SOMESITE配置因为它分割设置重载了缺省设置
EnableConfig"Some site"
DisableConfig
EnableRewrite and DisableRewrite directives
Syntax:
EnableRewrite [SiteID|"Site name"]
DisableRewrite [SiteID|"Site name"]
对所选站点激活或不激活重写或者改变缺省配置,缺省重写配置激活,这个指令只出现在GLOBAL配置内容中
SiteID
Numeric metabase identifier of a site

Site name
Name of the site as it appears in the IIS console.

不使用参数这个命令将全部激活或者不激活
RepeatLimit directive
Syntax: RepeatLimit Limit
这个指令可以出现在GLOBAL和SITE-LEVEL配置文件中,如果出现在GLOBAL配置文件中竟改变GLOBAL对于所有站点的限制,出现在SITE-LEVEL配置中竟只改变对于这个站点的限制并且这个限制不能超过GLOBAL限制
ISAPI_Rewrite在实行规则时允许循环,这个指令允许限制最大可能循环的数量,可以设置为0或1而不支持循环,
LIMIT
限制最大循环数量,缺省32
RFStyle directive
Syntax: RFStyle Old | New
Configuration Utility
ISAPI_Rewrite Full包括配置功用(可以在 ISAPI_Rewrite 程序组中启动),它允许你浏览测试状态并输入注册码(如果在安装过程中没有注册),并且调整部分与代理模式操作相关的产品功能,UTILITY是由三个页面组成的属性表
Trial page允许你浏览TIRAL状态并输入注册码(如果在安装过程中没有注册)
Settings page
这页包含对下列参数的编辑框

Helper URL
这个参数影响过滤器和代理模块之间的联系方式,它即可以是以点做前缀的文件扩展名(如 .isrwhlp)也可以是绝对路径,

一种情况下扩展名将追加在初始请求URI上并且代理模块竟通过SCRIPT MAP激活,缺省扩展名isrwhlp在安装进程中加在global
script map 中,如果你改变这个扩展名或者你的应用不继承global script map 设置你应该手动添加向script map
所需求的入口。这个应该有如下参数
Executable: An absolute path to the rwhelper.dll in the short form
Extension: Desired extension (.isrwhlp is default)
Verbs radio button: All Verbs
Script engine checkbox: Checked
Check that file exists checkbox: Unchecked
我们已经创建了一个WSH script proxycfg.vbs ,可以简单在一个a script maps中注册,她位于安装文件夹并且可以在命令行一如下方式运行
cscript proxycfg.vbs [-r] [MetabasePath]
Optional -r 强制注册扩展名
Optional MetabasePath parameter allows specification of the first metabase key to process. By default it is "/localhost/W3SVC".
要在所有现存的 script maps 中注册你可以以如下命令行激活 script
cscript proxycfg.vbs -r
第二种情况下你应该提供一个URI作为'Helper URL'的值,你也应该map 一个 ISAPI_Rewrite的安装文件夹作为美意个站点的虚拟文件家
注意:根据顾客反应,IIS5(也许包括IIS4)对长目录名有问题。所以我们强烈推荐使用短目录名
Worker threads limit
这个参数限制在代理扩展线程池中工作线程数,缺省为0意味着这个限制等于处理器数量乘以2
Active threads limit
这个参数限制当前运行线程数,这个数量不可大于"Worker threads limit". 缺省0意思是等于处理器数量
Queue size 这个参数定义最大请求数量,如果你曾经看到Queue timeout expired" 信息在 the Application event log中你可以增加这个参数
Queue timeout
这个参数定义你在内部请求队列中防止新请求的最大等待时间,如果你曾经看到Queue timeout expired" 信息在 the Application event log中你可以增加这个参数
Connect timeout
以毫秒设定代理模块连接超时
Send timeout
以毫秒设定代理模块发送超时
Receive timeout
以毫秒设定代理模块发送超时
About page.
It contains copyright information and a link to the ISAPI_Rewrite's web site.

Regular e­xpression syntax
这一部分覆盖了 ISAPI_Rewrite规定的表达句法
Literals
所有字符都是原意除了 ".", "*", "?", "+", "(", ")", "{", "}", "[", "]", "^" and "$".,这些字符在用“”处理时是原意,原意指一个字符匹配自身
Wildcard
The dot character "." matches any single character except null character and newline character
以下为句法
Repeats
A
repeat is an e­xpression that is repeated an arbitrary number of times.
An e­xpression followed by "*" can be repeated any number of times
including zero. An e­xpression followed by "+" can be repeated any
number of times, but at least once. An e­xpression followed by "?" may
be repeated zero or one times only. When it is necessary to specify the
minimum and maximum number of repeats explicitly, the bounds operator
"{}" may be used, thus "a{2}" is the letter "a" repeated exactly twice,
"a{2,4}" represents the letter "a" repeated between 2 and 4 times, and
"a{2,}" represents the letter "a" repeated at least twice with no upper
limit. Note that there must be no white-space inside the {}, and there
is no upper limit on the values of the lower and upper bounds. All
repeat e­xpressions refer to the shortest possible previous
sub-e­xpression: a single character; a character set, or a
sub-e­xpression grouped with "()" for example.

Examples:

"ba*" will match all of "b", "ba", "baaa" etc.
"ba+" will match "ba" or "baaaa" for example but not "b".
"ba?" will match "b" or "ba".
"ba{2,4}" will match "baa", "baaa" and "baaaa".
Non-greedy repeats
Non-greedy
repeats are possible by appending a '?' after the repeat; a non-greedy
repeat is one which will match the shortest possible string.

For example to match html tag pairs one could use something like:

"<s*tagname[^>]*>(.*?)<s*/tagnames*>"

In this case $1 will contain the text between the tag pairs, and will be the shortest possible matching string.

Parenthesis
Parentheses
serve two purposes, to group items together into a sub-e­xpression, and
to mark what generated the match. For example the e­xpression "(ab)*"
would match all of the string "ababab". All sub matches marked by
parenthesis can be back referenced using N or $N syntax. It is
permissible for sub-e­xpressions to match null strings. Sub-e­xpressions
are indexed from left to right starting from 1, sub-e­xpression 0 is
the whole e­xpression.

Non-Marking Parenthesis
Sometimes you
need to group sub-e­xpressions with parenthesis, but don't want the
parenthesis to spit out another marked sub-e­xpression, in this case a
non-marking parenthesis (?:e­xpression) can be used. For example the
following e­xpression creates no sub-e­xpressions:

"(?:abc)*"

Alternatives
Alternatives
occur when the e­xpression can match either one sub-e­xpression or
another, each alternative is separated by a "|". Each alternative is the
largest possible previous sub-e­xpression; this is the opposite
behaviour from repetition operators.

Examples:

"a(b|c)" could match "ab" or "ac".
"abc|def" could match "abc" or "def".
Sets
A
set is a set of characters that can match any single character that is a
member of the set. Sets are delimited by "[" and "]" and can contain
literals, character ranges, character classes, collating elements and
equivalence classes. Set declarations that start with "^" contain the
compliment of the elements that follow.

Examples:

Character literals:

"[abc]" will match either of "a", "b", or "c".
"[^abc] will match any character other than "a", "b", or "c".
Character ranges:

"[a-z]" will match any character in the range "a" to "z".
"[^A-Z]" will match any character other than those in the range "A" to "Z".
Character classes
Character
classes are denoted using the syntax "[:classname:]" within a set
declaration, for example "[[:space:]]" is the set of all whitespace
characters. The available character classes are:

alnum Any alpha numeric character.
alpha Any alphabetical character a-z and A-Z. Other characters may also be included depending upon the locale.
blank Any blank character, either a space or a tab.
cntrl Any control character.
digit Any digit 0-9.
graph Any graphical character.
lower Any lower case character a-z. Other characters may also be included depending upon the locale.
print Any printable character.
punct Any punctuation character.
space Any whitespace character.
upper Any upper case character A-Z. Other characters may also be included depending upon the locale.
xdigit Any hexadecimal digit character, 0-9, a-f and A-F.
word Any word character - all alphanumeric characters plus the underscore.
unicode Any character whose code is greater than 255, this applies to the wide character traits classes only.

There are some shortcuts that can be used in place of the character classes:

w in place of [:word:]
s in place of [:space:]
d in place of [:digit:]
l in place of [:lower:]
u in place of [:upper:]
Collating elements
Collating
elements take the general form [.tagname.] inside a set declaration,
where tagname is either a single character, or a name of a collating
element, for example [[.a.]] is equivalent to [a], and [[.comma.]] is
equivalent to [,]. ISAPI_Rewrite supports all the standard POSIX
collating element names, and in addition the following digraphs: "ae",
"ch", "ll", "ss", "nj", "dz", "lj", each in lower, upper and title case
variations. Multi-character collating elements can result in the set
matching more than one character, for example [[.ae.]] would match two
characters, but note that [^[.ae.]] would only match one character.

Equivalence classes
Equivalenceclassestakethegeneralform[=tagname=]
inside a set declaration, where tagname is either a single character,
or a name of a collating element, and matches any character that is a
member of the same primary equivalence class as the collating element
[.tagname.]. An equivalence class is a set of characters that collate
the same, a primary equivalence class is a set of characters whose
primary sort key are all the same (for example strings are typically
collated by character, then by accent, and then by case; the primary
sort key then relates to the character, the secondary to the
accentation, and the tertiary to the case). If there is no equivalence
class corresponding to tagname, then [=tagname=] is exactly the same as
[.tagname.].

To include a literal "-" in a set declaration then:
make it the first character after the opening "[" or "[^", the endpoint
of a range, a collating element, or precede it with an escape character
as in "[-]". To include a literal "[" or "]" or "^" in a set then make
them the endpoint of a range, a collating element, or precede with an
escape character.

Line anchors
An anchor is something that
matches the null string at the start or end of a line: "^" matches the
null string at the start of a line, "$" matches the null string at the
end of a line.

Back references
A back reference is a
reference to a previous sub-e­xpression that has already been matched,
the reference is to what the sub-e­xpression matched, not to the
e­xpression itself. A back reference consists of the escape character ""
followed by a digit "1" to "9", "1" refers to the first
sub-e­xpression, "2" to the second etc. For example the e­xpression
"(.*)1" matches any string that is repeated about its mid-point for
example "abcabc" or "xyzxyz". A back reference to a sub-e­xpression that
did not participate in any match, matches the null string. In
ISAPI_Rewrite all back references are global for entire RewriteRule and
corresponding RewriteCond directives. Sub matches are numbered up to
down and left to right beginning from the first RewriteCond directive of
the corresponding RewriteRule directive, if there is one.

Forward Lookahead Asserts
There are two forms of these; one for positive forward lookahead asserts, and one for negative lookahead asserts:

"(?=abc)" matches zero characters only if they are followed by the e­xpression "abc".
"(?!abc)" matches zero characters only if they are not followed by the e­xpression "abc".

Word operators
The following operators are provided for compatibility with the GNU regular e­xpression library.

"w"
matches any single character that is a member of the "word" character
class, this is identical to the e­xpression "[[:word:]]".
"W"
matches any single character that is not a member of the "word"
character class, this is identical to the e­xpression "[^[:word:]]".
"<" matches the null string at the start of a word.
">" matches the null string at the end of the word.
"" matches the null string at either the start or the end of a word.
"B" matches a null string within a word.
Escape operator
The escape character "" has several meanings.

The escape operator may introduce an operator for example: back references, or a word operator.
The
escape operator may make the following character normal, for example
"*" represents a literal "*" rather than the repeat operator.
Single character escape sequences:
The following escape sequences are aliases for single characters:

Escape sequence Character code Meaning
a 0x07 Bell character.
0x09 Tab character.
v 0x0B Vertical tab.
e 0x1B ASCII Escape character.
dd 0dd An octal character code, where dd is one or more octal digits.
xXX 0xXX A hexadecimal character code, where XX is one or more hexadecimal digits.
x{XX} 0xXX A hexadecimal character code, where XX is one or more hexadecimal digits, optionally a unicode character.
cZ z-@ An ASCII escape sequence control-Z, where Z is any ASCII character greater than or equal to the character code for '@'.

Miscellaneous escape sequences:
The
following are provided mostly for perl compatibility, but note that
there are some differences in the meanings of l L u and U:

Escape sequence Meaning
w Equivalent to [[:word:]].
W Equivalent to [^[:word:]].
s Equivalent to [[:space:]].
S Equivalent to [^[:space:]].
d Equivalent to [[:digit:]].
D Equivalent to [^[:digit:]].
l Equivalent to [[:lower:]].
L Equivalent to [^[:lower:]].
u Equivalent to [[:upper:]].
U Equivalent to [^[:upper:]].
C Any single character, equivalent to '.'.
X Match any Unicode combining character sequence, for example "ax 0301" (a letter a with an acute).
Q The begin quote operator, everything that follows is treated as a literal character until a E end quote operator is found.
E The end quote operator, terminates a sequence begun with Q.
What gets matched?
The
regular e­xpression will match the first possible matching string, if
more than one string starting at a given location can match then it
matches the longest possible string. In cases where their are multiple
possible matches all starting at the same location, and all of the same
length, then the match chosen is the one with the longest first
sub-e­xpression, if that is the same for two or more matches, then the
second sub-e­xpression will be examined and so on. Note that
ISAPI_Rewrite uses MATCH algorithm. The result is matched only if the
e­xpression matches the whole input sequence. For example:

RewriteCond URL ^/somedir/.* #will match any request to somedir directory and subdirectories, while
RewriteCond URL ^/somedir/ #will match only request to the root of the somedir.
Special note about "pathological" regular e­xpressions
ISAPI_Rewrite
uses a very powerful regular e­xpressions engine Regex++ written by Dr.
John Maddock. But as any real thing it's not ideal: There exists some
"pathological" e­xpressions which may require exponential time for
matching; these all involve nested repetition operators, for example
attempting to match the e­xpression "(a*a)*b" against N letter a's
requires time proportional to 2N. These e­xpressions can (almost) always
be rewritten in such a way as to avoid the problem, for example
"(a*a)*b" could be rewritten as "a*b" which requires only time linearly
proportional to N to solve. In the general case, non-nested repeat
e­xpressions require time proportional to N2, however if the clauses are
mutually exclusive then they can be matched in linear time - this is
the case with "a*b", for each character the matcher will either match an
"a" or a "b" or fail, where as with "a*a" the matcher can't tell which
branch to take (the first "a" or the second) and so has to try both.

Boost
1.29.0 Regex++ could detect "pathological" regular e­xpressions and
terminate theirs matching. When a rule fails ISAPI_Rewrite sends "500
Internal Server error - Rule Failed" status to a client to indicate
configuration error. Also the failed rule is disabled to prevent
performance losses
Format string syntax
In format strings, all characters are treated as literals except: "(", ")", "$", "", "?", ":".

To use any of these as literals you must prefix them with the escape character

The following special sequences are recognized:

Grouping:
Use
the parenthesis characters ( and ) to group sub-e­xpressions within the
format string, use ( and ) to represent literal '(' and ')'.

Sub-e­xpression expansions:
The following perl like e­xpressions expand to a particular matched sub-e­xpression:

$`
Expands to all the text from the end of the previous match to the start
of the current match, if there was no previous match in the current
operation, then everything from the start of the input string to the
start of the match.
$' Expands to all the text from the end of the match to the end of the input string.
$& Expands to all of the current match.
$0 Expands to all of the current match.
$N Expands to the text that matched sub-e­xpression N.

Conditional e­xpressions:
Conditional
e­xpressions allow two different format strings to be selected
dependent upon whether a sub-e­xpression participated in the match or
not:

?Ntrue_e­xpression:false_e­xpression

Executes true_e­xpression if sub-e­xpression N participated in the match, otherwise executes false_e­xpression.

Example:
suppose we search for "(while)|(for)" then the format string
"?1WHILE:FOR" would output what matched, but in upper case.

Escape sequences:
The following escape sequences are also allowed:

a The bell character.
f The form feed character.

The newline character.
The carriage return character.
The tab character.
v A vertical tab character.
x A hexadecimal character - for example x0D.
x{} A possible unicode hexadecimal character - for example x{1A0}
cx The ASCII escape character x, for example c@ is equivalent to escape-@.
e The ASCII escape character.
dd An octal character constant, for example 10
Examples例子
Emulating host-header-based virtual sites on a single site
例如你在两个域名注册www.site1.com 和 www.site2.com,现在你可以创建两个不同的站点而使用单一的物理站点。把以下规则加入到你的httpd.ini 文件
[ISAPI_Rewrite]

#Fix missing slash char on folders
RewriteCond Host: (.*)
RewriteRule ([^.?]+[^.?/]) http://$1$2/ [I,R]

#Emulate site1
RewriteCond Host: (?:www.)?site1.com
RewriteRule (.*) /site1$1 [I,L]

#Emulate site2
RewriteCond Host: (?:www.)?site2.com
RewriteRule (.*) /site2$1 [I,L]

现在你可以把你的站点放在/site1 和 /site2 目录中.

或者你可以应用更多的类规则:
[ISAPI_Rewrite]

#Fix missing slash char on folders
RewriteCond Host: (.*)
RewriteRule ([^.?]+[^.?/]) http://$1$2/ [I,R]

RewriteCond Host: (www.)?(.+)
RewriteRule (.*) /$2$3
为站点应该命名目录为 /somesite1.com, /somesite2.info, etc.
Using loops (Next flag) to convert request parameters
假如你希望有物理URL如 http://www.myhost.com/foo.asp?a=A&b=B&c=C 使用请求如 http://www.myhost.com/foo.asp/a/A/b/B/c/C 参数数量可以从两个请求之间变化

至少有两个解决办法。你可以简单的为每一可能的参数数量添加一个分隔规则或者你可以使用一个技术说明如下面的例子
ISAPI_Rewrite]
RewriteRule (.*?.asp)(?[^/]*)?/([^/]*)/([^/]*)(.*) $1(?2$2&:?)$3=$4$5 [NS,I]
这个规则将从请求的URL中抽取一个参数追加在请求字符的末尾并且从头重启规则进程。所以它将循环直到所有参数被移动到适当的位置,或者直到超过RepeatLimit
也存在许多这个规则的变种。但使用不同的分隔字符,例如。使用URLS如http://www.myhost.com/foo.asp~a~A~b~B~c~C 可以应中下面的规则:
ISAPI_Rewrite]
RewriteRule (.*?.asp)(?[^~]*)?~([^~]*)~([^~]*)(.*) $1(?2$2&:?)$3=$4$5 [NS,I]
Running servers behind IIS
假如我们有一个内网服务器运行IIS而几个公司服务器运行其他平台,这些服务器不能从INTERNET直接进入,而只能从我们公司的网络进入,有一个简单的例子可以使用代理标记映射其他服务器到IIS命名空间:
[ISAPI_Rewrite]
RewriteProxy /mappoint(.+) http://sitedomain$1 [I,U]
Moving sites from UNIX to IIS
这个规则可以帮助你把URL从 /~username 改变到 /username 和从 /file.html 改变到 /file.htm. 这个在你仅仅把你的站从UNIX移动到IIS并且保持搜索引擎和其他外部页面对老页面的连接时是有用的
[ISAPI_Rewrite]

#redirecting to update old links
RewriteRule (.*).html $1.htm
RewriteRule /~(.*) http://myserver/$1 [R]
Moving site location
许多网管问这样的问题:他们要重定向所有的请求到一个新的网络服务器,当你需要建立一个更新的站点取代老的的时候经常出现这样的问题,解决方案是用ISAPI_Rewrite 于老服务器中
[ISAPI_Rewrite]

#redirecting to update old links
RewriteRule (.+) http://newwebserver$1 [R]

Browser-dependent content
Dynamically generated robots.txt
robots.txt是一个搜索引擎用来发现能不能被索引的文件,但是为一个大站创建一个有许多动态内容的这个文件是很复杂的工作,我们可以写一个robots.asp script

现在使用单一规则生成 robots.txt
[ISAPI_Rewrite]

RewriteRule /robots.txt /robots.asp
Making search engines to index dynamic pages
站点的内容存储在XML文件中,在服务器上有一个/XMLProcess.asp 文件处理XML文件并返回HTML到最终用户,URLS到文档有如下形式
http://www.mysite.com/XMLProcess.asp?xml=/somdir/somedoc.xml
但是许多公共引擎不能索引此类文档,因为URLS包含问号(文档动态生成),
ISAPI_Rewrite可以完全消除这个问题
[ISAPI_Rewrite]

RewriteRule /doc(.*).htm /XMLProcess.asp?xml=$1.xml
现在使用如同http://www.mysite.com/doc/somedir/somedoc.htm的URL进入文档,搜索引擎将不知道不是somedoc.htm 文件并且内容是动态生成的
Negative e­xpressions (NOT
有时当模式不匹配你需要应用规则,这种情况下你可以使用在规则表达式中称为Forward Lookahead Asserts
例如你需要不使用IE把所有用户移动到别的地点
[ISAPI_Rewrite]
# Redirect all non Internet Explorer users
# to another location
RewriteCond User-Agent: (?!.*MSIE).*
RewriteRule (.*) /nonie$1
Dynamic authentification
例如我们在站点上有一些成员域,我们在这个域上需要密码保护文件而我们不喜欢用BUILT-IN服务器安全,这个情况下可以建立一个ASP脚本(称为proxy.asp),这个脚本将代理所有请求到成员域并且检查请求允许,这里有一个简单的模板你可以放进你自己的授权代码

现在我们要通过配置 ISAPI_Rewrite 通过这个页面代理请求:

[ISAPI_Rewrite]
# Proxy all requests through proxy.asp
RewriteRule /members(.+) /proxy.asp?http://mysite.com/members$1
Blocking inline-images (stop hot linking

假设我们在http://www.mysite.com/下有些页面有一些内联 GIF图片很好,他人可以不直接协商通过盗链到他们的页面上,我们不喜欢这样因为加大了服务器流量
当我们不能100%保护图片,我们至少可以在浏览器发送一个HTTP Referer header的地方限制这种情况
[ISAPI_Rewrite]
RewriteCond Host: (.+)
RewriteCond Referer: (?!http://1.*).*
RewriteRule .*.(?:gif|jpg|png) /block.gif [I,O]

IIS的各种身份验证详细测试

一、    IIS的身份验证概述.... 3

1     匿名访问... 3

2     集成windows身份验证... 3

2.1.    NTLM验证... 3

2.2.    Kerberos验证... 3

3     基本身份验证... 4

二、    匿名访问.... 4

三、    Windows集成验证.... 5

1     NTLM验证过程... 5

1.1.    客户端选择NTLM方式... 5

1.2.    服务端返回质询码... 5

1.3.    客户端加密质询码再次发送请求... 5

1.4.    服务端验证客户端用户和密码... 5

2     Kerberos验证过程... 6

2.1.    客户端选择Kerberos验证... 6

2.2.    服务端验证身份验证票... 6

3     客户端和服务器不在域中... 6

3.1.    客户端用ip地址访问服务... 6

3.1.1.     客户端IE申请页面... 6

3.1.2.     服务端返回无授权回应... 6

3.1.3.     客户端选择NTLM验证,要求输入用户名密码,请求质询码... 7

3.1.4.     服务器返回质询码... 7

3.1.5.     客户端发送使用前面输入账户的密码加密的质询码... 7

3.1.6.     服务端验证通过,返回资源... 8

3.2.    客户端用机器名访问服务器登录用户名/口令跟服务器匹配... 9

3.2.1.     客户端IE申请页面... 9

3.2.2.     服务端返回无授权回应... 9

3.2.3.     客户端选择NTLM验证,请求质询码... 9

3.2.4.     服务器返回质询码... 9

3.2.5.     客户端发送用登陆本机的账户加密后的质询码... 10

3.2.6.     服务端返回无授权回应... 10

3.2.7.     客户端及选选择NTLM验证,要求输入用户名和口令,再次请求质询码... 10

3.2.8.     服务端返回质询码... 11

3.2.9.     客户端发送使用前面输入账户的密码加密的质询码... 11

3.2.10.       服务端验证通过,返回资源... 11

3.3.    客户端用机器名访问服务器登录用户名/口令跟服务器匹配... 12

3.3.1.     客户端IE申请页面... 12

3.3.2.     服务端返回无授权回应... 12

3.3.3.     客户端选择NTLM验证,请求质询码... 12

3.3.4.     服务器返回质询码... 13

3.3.5.     客户端发送用登陆本机的账户加密后的质询码... 13

3.3.6.     服务端验证通过,返回资源... 13

4     客户端和服务器都在同一域中... 14

4.1.    客户端用机ip访问服务器... 14

4.1.1.     客户端IE申请页面... 14

4.1.2.     服务端返回无授权回应... 14

4.1.3.     客户端选择NTLM验证,要求输入用户名密码,请求质询码... 15

4.1.4.     服务器返回质询码... 15

4.1.5.     客户端发送使用前面输入账户的密码加密的质询码... 15

4.1.6.     服务端验证通过,返回资源... 16

4.2.    客户端用机器名访问服务器客户端用户以域账户登录... 16

4.2.1.     客户端IE申请页面... 16

4.2.2.     服务端返回无授权回应... 16

4.2.3.     客户端选择Kerberos验证,发送验证票到服务端... 17

4.2.4.     服务端验证通过,返回资源... 17

4.3.    客户端用机器名访问服务器客户端用户以客户端本地用户登录用户名/口令跟服务器账户不匹配    18

4.3.1.     客户端IE申请页面... 18

4.3.2.     服务端返回无授权回应... 18

4.3.3.     客户端选择NTLM验证,请求质询码... 19

4.3.4.     服务器返回质询码... 19

4.3.5.     客户端发送用登陆本机的账户加密后的质询码... 19

4.3.6.     服务端返回无授权回应... 20

4.3.7.     客户端及选选择NTLM验证,要求输入用户名和口令,再次请求质询码... 20

4.3.8.     服务端返回质询码... 20

4.3.9.     客户端发送使用前面输入账户的密码加密的质询码... 20

4.3.10.       服务端验证通过,返回资源... 21

4.4.    客户端用机器名访问服务器客户端用户以客户端本地用户登录,用户名/口令跟服务器账户匹配    21

4.4.1.     客户端IE申请页面... 21

4.4.2.     服务端返回无授权回应... 22

4.4.3.     客户端选择NTLM验证,请求质询码... 22

4.4.4.     服务器返回质询码... 22

4.4.5.     客户端发送用登陆本机的账户加密后的质询码... 22

4.4.6.     服务端验证通过,返回资源... 23

5     集成验证总结... 23

5.1.    客户端以ip地址访问服务器... 23

5.2.    服务器在域,客户端以域帐号登陆... 24

5.3.    其他情况IE都选择采用NTLM验证方式。... 24

四、    基本身份验证.... 24

1     客户端IE申请页面... 24

2     服务端返回无授权回应,并告知客户端要求基本身份验证... 24

3     户端弹出对话框要求输入用户名和密码... 25

4     服务端验证通过,返回资... 25

 

 

一、  IIS的身份验证概述

IIS具有身份验证功能,可以有以下几种验证方式:

1、 匿名访问

这种方式不验证访问用户的身份,客户端不需要提供任何身份验证的凭据,服务端把这样的访问作为匿名的访问,并把这样的访问用户都映射到一个服务端的账户,一般为IUSER_MACHINE这个用户,可以修改映射到的用户:

clip_image001

2、 集成windows身份验证

这种验证方式里面也分为两种情况

2.1.    NTLM验证

这种验证方式需要把用户的用户名和密码传送到服务端,服务端验证用户名和密码是否和服务器的此用户的密码一致。用户名用明码传送,但是密码经过处理后派生出一个8字节的key加密质询码后传送。

2.2.    Kerberos验证

这种验证方式只把客户端访问IIS的验证票发送到IIS服务器,IIS收到这个票据就能确定客户端的身份,不需要传送用户的密码。需要kerberos验证的用户一定是域用户。

每一个登录用户在登录被验证后都会被域中的验证服务器生成一个票据授权票(TGT)作为这个用户访问其他服务所要验证票的凭证(这是为了实现一次登录就能访问域中所有需要验证的资源的所谓单点登录SSO功能),而访问IIS服务器的验证票是通过此用户的票据授权票(TGT)向IIS获取的。之后此客户访问此IIS都使用这个验证票。同样访问其他需要验证的服务也是凭这个TGT获取该服务的验证票。

下面是kerberos比较详细的原理。

Kerberos原理介绍:

工作站端运行着一个票据授权的服务,叫Kinit,专门用做工作站同认证服务器Kerberos间的身份认证的服务。

1.        用户开始登录,输入用户名,验证服务器收到用户名,在用户数据库中查找这个用户,结果发现了这个用户。

2.        验证服务器生成一个验证服务器跟这个登录用户之间共享的一个会话口令(Session key),这个口令只有验证服务器跟这个登录用户之间使用,用来做相互验证对方使用。同时验证服务器给这个登录用户生成一个票据授权票(ticket-granting ticket),工作站以后就可以凭这个票据授权票来向验证服务器请求其他的票据,而不用再次验证自己的身份了。验证服务器把{ Session key ticket-granting ticket }用登录用户的口令加密后发回到工作站。

3.        工作站用自己的口令解密验证服务器返回的数据包,如果解密正确则验证成功。解密后能够获得登录用户与验证服务器共享的Session key和一张ticket-granting ticket

 

到此,登录用户没有在网络上发送口令,通过验证服务器使用用户口令加密验证授权票的方法验证了用户,用户跟验证服务器之间建立了关系,在工作站上也保存来相应的身份证明,以后要是用网络中的其他服务,可以通过这个身份证明向验证服务器申请相应服务器的服务票,来获得相应服务身份验证。

 

4.        如果用户第一次访问IIS服务器,工作站的kinit查看本机上没有访问IIS服务器的验证票,于是kinit会向验证服务器发出请求,请求访问IIS服务的验证票。Kinit先要生成一个验证器,验证器是这样的:{用户名:工作站地址}用跟验证服务器间的Session key加密。Kinit将验证器、票据授权票、你的名字、你的工作站地址、IIS服务名字发送的验证服务器,验证服务器验证验证授权票真实有效,然后用跟你共享的Session key解开验证器,获取其中的用户名和地址,与发送这个请求的用户和地址比较,如果相符,说明验证通过,这个请求合法。

5.        验证服务器先生成这个用户跟IIS服务器之间的Session key会话口令,之后根据用户请求生成IIS服务器的验证票,是这个样子的:{会话口令:用户名:用户机器地址:服务名:有效期:时间戳},这个验证票用IIS服务器的密码(验证服务器知道所有授权服务的密码)进行加密形成最终的验证票。最后,验证服务器{会话口令+加好密的验证票}用用户口令加密后发送给用户。

6.        工作站收到验证服务器返回的数据包,用自己的口令解密,获得跟IIS服务器的Session keyIIS服务器的验证票。

7.        工作站kinit同样要生成一个验证器,验证器是这样的:{用户名:工作站地址}用跟IIS服务器间的Session key加密。将验证器和IIS验证票一起发送到IIS服务器。

8.        IIS服务器先用自己的服务器密码解开IIS验证票,如果解密成功,说明此验证票真实有效,然后查看此验证票是否在有效期内,在有效期内,用验证票中带的会话口令去解密验证器,获得其中的用户名和工作站地址,如果跟验证票中的用户名和地址相符则说明发送此验证票的用户就是验证票的所有者,从而验证本次请求有效。

3、 基本身份验证

这种验证方式完全是把用户名和明文用明文(经过base64编码,但是base64编码不是加密的,经过转换就能转换成原始的明文)传送到服务端验证。服务器直接验证服务器本地是否用用户跟客户端提供的用户名和密码相匹配的,如果有则通过验证。

 

二、  匿名访问

服务端IIS设置了允许匿名访问后,在收到客户端的资源请求后,不需要经过身份验证,直接把请求的资源返回给客户端。

GET /iisstart.htm HTTP/1.1

Accept: */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

If-Modified-Since: Fri, 21 Feb 2003 12:15:52 GMT

If-None-Match: "0ce1f9a2d9c21:d87"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; MAXTHON 2.0)

Host: 192.168.100.5

Connection: Keep-Alive

 

HTTP/1.1 200 OK

Content-Length: 1193

Content-Type: text/html

Last-Modified: Fri, 21 Feb 2003 12:15:52 GMT

Accept-Ranges: bytes

ETag: "0ce1f9a2d9c21:d8b"

Server: Microsoft-IIS/6.0

MicrosoftOfficeWebServer: 5.0_Pub

X-Powered-By: ASP.NET

Date: Mon, 12 Nov 2007 07:29:40 GMT

 

三、  Windows集成验证

集成 Windows 身份验证可以使用 NTLM Kerberos V5 身份验证,当 Internet Explorer 试图设为集成验证的IIS的资源时,IIS 发送两个 WWW 身份验证头,Negotiate NTLM

客户端IE认识Negotiate头,将选择Negotiate头,之后IE可以选择NTLM Kerberos两种验证方式。

如果客户端不认识Negotiate头,只能选择NTLM头,就只能使用NTLM验证方式。

现在IE使用的版本一般都在5.0以上,所以现在可以认为IE客户端都能识别Negotiate 头。

所以本文只考虑IE接受Negotiate头,分别使用NTLM Kerberos两种验证的情况。

 

1、 NTLM验证过程

1.1.    客户端选择NTLM方式

如果IE选择了NTLM验证,IE就会在发送到IIS的请求中加入一个Authorization: Negotiate头,内容为:

Authorization: Negotiate NTLMSSPXXXXXXXXXXXXXXXXX

蓝色部分在实际中是经过base64编码的,其中“NTLMSSP”表示是NTLM验证的请求,后面的“XXXXXXXX”部分是二进制的数据,告诉服务器,客户端现在选择了NTLM验证,请服务器发送质询码给客户端。

1.2.    服务端返回质询码

服务器在返回无授权访问的http回应的头部加入Authorization: Negotiate头,内容为:

Authorization: Negotiate NTLMSSPXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

服务器返回的“XXXXXXXX”部分中含有一个八字节的质询码。

1.3.    客户端加密质询码再次发送请求

客户端使用客户端帐号的密码派生出来的8字节DESkey使用DES算法加密收到的质询码。连同客户端帐号的用户名发送到服务端,形式还是这样:

Authorization: Negotiate NTLMSSPXXXXXXXXXXXXXXXXX

这里的“XXXXXXX”部分包含了加密后的质询码和客户端用户名,用户名在其中以明码形式存在。

1.4.    服务端验证客户端用户和密码

服务端收到用户名后,先查验本机是否有这个用户,如果没有直接返回没有授权的http回应。

如果有这个用户,就用这个用户的密码派生出来的8字节DESkey使用DES算法加密发给客户端的那个8字节的质询码,然后跟收到客户端发送来的加密后的质询码比较,如果不相同,表示客户端输入密码不正确看,返回没有授权的http回应;如果相同,就表示客户端输入这个用户的密码正确,验证通过,返回客户端请求的资源。

 

2、 Kerberos验证过程

2.1.    客户端选择Kerberos验证

如果客户端选择了Kerberos验证,客户端直接在请求头中加入Authorization: Negotiate头,内容为:

Authorization: Negotiate XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

其中“XXXXXXXXXX”包含了客户端登录用户的身份验证票(登录时域中的票据服务器发放的标识此登录用户身份的票据,其中不包含用户的密码)。

2.2.    服务端验证身份验证票

服务器验证用户验证票,如果有效的票据,服务端能据此获得用户的用户名,并验证用户的有效性。验证通过后,服务端返回客户端请求的资源。

 

但是客户端IE何时选择NTLM 、合适选择Kerberos呢?下面通过一系列的测试来找出答案。

 

分服务器和客户端在域不在域两种情况测试。

 

3、 客户端和服务器都不在域中

测试环境为服务器和客户端机器在同一个局域网中,但是都不在域中。客户端IE请求服务端IIS的一个页面default.aspx

IIS服务端设置:

l         不启用匿名访问

l         只启用集成windows身份验证

 

这个环境下又分为下面几种情况:

3.1.    客户端用ip地址访问服务

3.1.1.    客户端IE申请页面

客户端IE浏览器的地址栏上输入要访问的URL,就会向服务端发送一个GET请求:

GET /wstest/default.aspx HTTP/1.1

Accept: */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; MAXTHON 2.0)

Host: 192.168.1.13:81

Connection: Keep-Alive

3.1.2.    服务端返回无授权回应

服务端设置了禁用匿名访问,只允许windows验证,所以服务端返回了无授权回应:

HTTP/1.1 401 Unauthorized

返回的http头中还包括的:

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

这两个头表示服务端只接受集成windows验证方式

HTTP/1.1 401 Unauthorized

Content-Length: 1327

Content-Type: text/html

Server: Microsoft-IIS/6.0

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

X-Powered-By: ASP.NET

Date: Sun, 11 Nov 2007 12:28:29 GMT

 

3.1.3.    客户端选择NTLM验证,要求输入用户名密码,请求质询码

客户端通过Authorization: Negotiate NTLMSSPXXXX 头告诉服务器,客户端要求NTLM验证,请求服务端发送质询码。

GET /wstest/default.aspx HTTP/1.1

Accept: */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; MAXTHON 2.0)

Host: 192.168.1.13:81

Connection: Keep-Alive

Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAAD3==

 

3.1.4.    服务器返回质询码

服务端收到客户端的请求,发送一个八字节的质询码。

HTTP/1.1 401 Unauthorized

Content-Length: 1251

Content-Type: text/html

Server: Microsoft-IIS/6.0

WWW-Authenticate: Negotiate TlRMTVNTUAACAAAAEgASADgAAAAFgoqii7rzphzu6mEAAAAAAAAAAFwAXABKAAAABQLODgAAAA9CAEkAWgBUAEEATABLAFIAMgACABIAQgBJAFoAVABBAEwASwBSADIAAQASAEIASQBaAFQAQQBMAEsAUgAyAAQAEgBiAGkAegB0AGEAbABrAFIAMgADABIAYgBpAHoAdABhAGwAawBSADIAAAAAAA==

X-Powered-By: ASP.NET

Date: Sun, 11 Nov 2007 12:29:44 GMT

 

3.1.5.    客户端发送使用前面输入账户的密码加密后的质询码

客户端IE收到质询码后,使用根据一定的规则从登录用户密码派生出的8字节的key对质询码进行DES加密,加密后的质询码和用户名明码连同页面请求一起发送到服务端。

GET /wstest/default.aspx HTTP/1.1

Accept: */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; MAXTHON 2.0)

Host: 192.168.1.13:81

Connection: Keep-Alive

Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAI4AAAAYABgApgAAABgAGABIAAAAGgAaAGAAAAAUABQAegAAAAAAAAC+AAAABYKIogUCzg4AAAAPMQA5ADIALgAxADYAOAAuADEALgAxADMAYQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBXAEkATgAyADAAMAAzAC0AUABDAL0amMkkEMWLAAAAAAAAAAAAAAAAAAAAAFND1Boc0kthz0TBnfxn3z4W9/NILU1CtW==

 

3.1.6.    服务端验证通过,返回资源

服务端收到用户名和加密后的质询码后,根据用户名查找服务器上此用户的密码,按照客户端同样的方法加密质询码,然后跟收到客户端返回的质询码,如果一致,则说明用户名和密码都一致,验证通过,返回客户端IE请求资源。如果不对,再次返回无授权http回应。

HTTP/1.1 200 OK

Date: Sun, 11 Nov 2007 12:29:44 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 2.0.50727

Cache-Control: private

Content-Type: text/html; charset=utf-8

Content-Length: 522

 

 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

 

<html xmlns="http://www.w3.org/1999/xhtml" >

<head><title>

.Untitled Page

</title></head>

<body>

    <form name="form1" method="post" action="default.aspx" id="form1">

<div>

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNzgzNDMwNTMzZGTcefU2sz1MLsbXiZdUEXomIyZ20Q==" />

</div>

 

    <div>

        This is a simple page!</div>

    </form>

</body>

</html>

 

3.2.    客户端用机器名访问服务器,登录用户名/口令跟服务器不匹配

这种情况,客户端用服务器名访问服务器,但是客户端登录系统的用户跟服务器上的用户名和密码不匹配,也就是要么服务器上没这个用户,要么就是服务器这个用户的密码跟客户端这个用户的密码不一样。

3.2.1.    客户端IE申请页面

GET /wstest/default.aspx HTTP/1.1

Accept: */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; MAXTHON 2.0)

Host: biztalkr2:81

Connection: Keep-Alive

3.2.2.    服务端返回无授权回应

服务端不允许匿名访问,服务端返回需要集成验证的的http头。

HTTP/1.1 401 Unauthorized

Content-Length: 1327

Content-Type: text/html

Server: Microsoft-IIS/6.0

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

X-Powered-By: ASP.NET

Date: Wed, 14 Nov 2007 12:38:36 GMT

3.2.3.    客户端选择NTLM验证,请求质询码

GET /wstest/default.aspx HTTP/1.1

Accept: */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; MAXTHON 2.0)

Host: biztalkr2:81

Connection: Keep-Alive

Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==

3.2.4.    服务器返回质询码

HTTP/1.1 401 Unauthorized

Content-Length: 1251

Content-Type: text/html

Server: Microsoft-IIS/6.0

WWW-Authenticate: Negotiate TlRMTVNTUAACAAAAEgASADgAAAAFgoqikemftrQx0qUAAAAAAAAAAFwAXABKAAAABQLODgAAAA9CAEkAWgBUAEEATABLAFIAMgACABIAQgBJAFoAVABBAEwASwBSADIAAQASAEIASQBaAFQAQQBMAEsAUgAyAAQAEgBiAGkAegB0AGEAbABrAFIAMgADABIAYgBpAHoAdABhAGwAawBSADIAAAAAAA==

X-Powered-By: ASP.NET

Date: Wed, 14 Nov 2007 12:38:36 GMT

3.2.5.    客户端发送用登陆本机的账户加密后的质询码

客户端IE首先用本机登录用户的密码派生的key加密质询码,然后连同用户名一起发送到服务端验证。

GET /wstest/default.aspx HTTP/1.1

Accept: */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; MAXTHON 2.0)

Host: biztalkr2:81

Connection: Keep-Alive

Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAIoAAAAYABgAogAAABQAFABIAAAAGgAaAFwAAAAUABQAdgAAAAAAAAC6AAAABYKIogUCzg4AAAAPVwBJAE4AMgAwADAAMwAtAFAAQwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAFcASQBOADIAMAAwADMALQBQAEMAwo4jxECJeUwAAAAAAAAAAAAAAAAAAAAA2/kscwhI0mmAC6W4OmsZjbrRyrS2NGUX

3.2.6.    服务端返回无授权回应

客户端本机登录的用户名和密码跟服务器端没有匹配的,所以验证在服务端没有通过,服务端返回无授权的回应。

HTTP/1.1 401 Unauthorized

Content-Length: 1251

Content-Type: text/html

Server: Microsoft-IIS/6.0

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

X-Powered-By: ASP.NET

Date: Wed, 14 Nov 2007 12:38:36 GMT

 

3.2.7.    客户端及选选择NTLM验证,要求输入用户名和口令,再次请求质询码

GET /wstest/default.aspx HTTP/1.1

Accept: */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; MAXTHON 2.0)

Host: biztalkr2:81

Connection: Keep-Alive

Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==

3.2.8.    服务端返回质询码

HTTP/1.1 401 Unauthorized

Content-Length: 1251

Content-Type: text/html

Server: Microsoft-IIS/6.0

WWW-Authenticate: Negotiate TlRMTVNTUAACAAAAEgASADgAAAAFgoqi3GHiM9qD6TUAAAAAAAAAAFwAXABKAAAABQLODgAAAA9CAEkAWgBUAEEATABLAFIAMgACABIAQgBJAFoAVABBAEwASwBSADIAAQASAEIASQBaAFQAQQBMAEsAUgAyAAQAEgBiAGkAegB0AGEAbABrAFIAMgADABIAYgBpAHoAdABhAGwAawBSADIAAAAAAA==

X-Powered-By: ASP.NET

Date: Wed, 14 Nov 2007 12:38:45 GMT

3.2.9.    客户端发送使用前面输入账户的密码加密后的质询码

GET /wstest/default.aspx HTTP/1.1

Accept: */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; MAXTHON 2.0)

Host: biztalkr2:81

Connection: Keep-Alive

Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAIgAAAAYABgAoAAAABIAEgBIAAAAGgAaAFoAAAAUABQAdAAAAAAAAAC4AAAABYKIogUCzg4AAAAPQgBJAFoAVABBAEwASwBSADIAYQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBXAEkATgAyADAAMAAzAC0AUABDAKeYMtcyzwKJAAAAAAAAAAAAAAAAAAAAAExqwTipbr+IzohNdmnopPU1B9pp7QBplA==

3.2.10.     服务端验证通过,返回资源

HTTP/1.1 200 OK

Date: Wed, 14 Nov 2007 12:38:45 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 2.0.50727

Cache-Control: private

Content-Type: text/html; charset=utf-8

Content-Length: 522

 

 

 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

 

<html xmlns="http://www.w3.org/1999/xhtml" >

<head><title>

.Untitled Page

</title></head>

<body>

    <form name="form1" method="post" action="default.aspx" id="form1">

<div>

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNzgzNDMwNTMzZGTcefU2sz1MLsbXiZdUEXomIyZ20Q==" />

</div>

 

    <div>

        This is a simple page!</div>

    </form>

</body>

</html>

3.3.    客户端用机器名访问服务器,登录用户名/口令跟服务器匹配

这种情况,客户端用服务器名访问服务器,而且客户端登录系统的用户正好在服务器上有个同名同密码的用户。

3.3.1.    客户端IE申请页面

GET /wstest/default.aspx HTTP/1.1

Accept: */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; MAXTHON 2.0)

Host: biztalkr2:81

Connection: Keep-Alive

3.3.2.    服务端返回无授权回应

同样,服务端不允许匿名访问,服务端返回需要集成验证的的http头。

HTTP/1.1 401 Unauthorized

Content-Length: 1327

Content-Type: text/html

Server: Microsoft-IIS/6.0

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

X-Powered-By: ASP.NET

Date: Wed, 14 Nov 2007 12:35:41 GMT

3.3.3.    客户端选择NTLM验证,请求质询码

GET /wstest/default.aspx HTTP/1.1

Accept: */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; MAXTHON 2.0)

Host: biztalkr2:81

Connection: Keep-Alive

Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==

3.3.4.    服务器返回质询码

HTTP/1.1 401 Unauthorized

Content-Length: 1251

Content-Type: text/html

Server: Microsoft-IIS/6.0

WWW-Authenticate: Negotiate TlRMTVNTUAACAAAAEgASADgAAAAFgoqiSWLtzjLMElAAAAAAAAAAAFwAXABKAAAABQLODgAAAA9CAEkAWgBUAEEATABLAFIAMgACABIAQgBJAFoAVABBAEwASwBSADIAAQASAEIASQBaAFQAQQBMAEsAUgAyAAQAEgBiAGkAegB0AGEAbABrAFIAMgADABIAYgBpAHoAdABhAGwAawBSADIAAAAAAA==

X-Powered-By: ASP.NET

Date: Wed, 14 Nov 2007 12:35:41 GMT

3.3.5.    客户端发送用登陆本机的账户加密后的质询码

GET /wstest/default.aspx HTTP/1.1

Accept: */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; MAXTHON 2.0)

Host: biztalkr2:81

Connection: Keep-Alive

Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAIoAAAAYABgAogAAABQAFABIAAAAGgAaAFwAAAAUABQAdgAAAAAAAAC6AAAABYKIogUCzg4AAAAPVwBJAE4AMgAwADAAMwAtAFAAQwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAFcASQBOADIAMAAwADMALQBQAEMAg7v6JYS/3bAAAAAAAAAAAAAAAAAAAAAArE2xu3xDN3w0LmV1yUkDkrqVWhb2wg27

3.3.6.    服务端验证通过,返回资源

用户端登录的用户名和密码正好能匹配到服务端的一个用户和密码,验证通过。

HTTP/1.1 200 OK

Date: Wed, 14 Nov 2007 12:35:41 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 2.0.50727

Cache-Control: private

Content-Type: text/html; charset=utf-8

Content-Length: 522

 

 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

 

<html xmlns="http://www.w3.org/1999/xhtml" >

<head><title>

.Untitled Page

</title></head>

<body>

    <form name="form1" method="post" action="default.aspx" id="form1">

<div>

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNzgzNDMwNTMzZGTcefU2sz1MLsbXiZdUEXomIyZ20Q==" />

</div>

 

    <div>

        This is a simple page!</div>

    </form>

</body>

</html>

 

4、 客户端和服务器都在同一域中

服务器和客户端机器在同一个局域网中,并同在一个域中。客户端IE请求服务端IIS的一个页面iisstart.htm

IIS服务端设置:

l         不启用匿名访问

l         只启用集成windows身份验证

 

这样的环境下又范围以下几种情况:

4.1.    客户端用机ip访问服务器

4.1.1.    客户端IE申请页面

GET /iisstart.htm HTTP/1.1

Accept: */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; MAXTHON 2.0)

Host: 192.168.100.5:81

Connection: Keep-Alive

4.1.2.    服务端返回无授权回应

IIS的设置不允许匿名访问,只能windows验证,所以发送401无授权回应,同时发回NegotiateNTLM两个身份验证头让客户端选择。

HTTP/1.1 401 Unauthorized

Content-Length: 1327

Content-Type: text/html

Server: Microsoft-IIS/6.0

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

X-Powered-By: ASP.NET

Date: Wed, 14 Nov 2007 07:23:43 GMT

4.1.3.    客户端选择NTLM验证,要求输入用户名密码,请求质询码

由于使用的是ip地址访问服务器,URL中包含有”.”字符,IE认为访问的不是企业内部服务器,所以不直接提供用户凭据给服务端,要求用户输入帐户

GET /iisstart.htm HTTP/1.1

Accept: */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; MAXTHON 2.0)

Host: 192.168.100.5:81

Connection: Keep-Alive

Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAAD4==

4.1.4.    服务器返回质询码

HTTP/1.1 401 Unauthorized

Content-Length: 1251

Content-Type: text/html

Server: Microsoft-IIS/6.0

WWW-Authenticate: Negotiate TlRMTVNTUAACAAAACgAKADgAAAAFgomiF0CRjzLrr+cAAAAAAAAAAHwAfABCAAAABQLODgAAAA9TAFoAQgBUAEkAAgAKAFMAWgBCAFQASQABAAgATABPAEcAUwAEABgAcwB6AGIAdABpAC4AZwBvAHYALgBjAG4AAwAiAGwAbwBnAHMALgBzAHoAYgB0AGkALgBnAG8AdgAuAGMAbgAFABgAcwB6AGIAdABpAC4AZwBvAHYALgBjAG4AAAAAAA==

X-Powered-By: ASP.NET

Date: Wed, 14 Nov 2007 07:24:15 GMT

4.1.5.    客户端发送使用前面输入账户的密码加密后的质询码

GET /iisstart.htm HTTP/1.1

Accept: */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; MAXTHON 2.0)

Host: 192.168.100.5:81

Connection: Keep-Alive

Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAHYAAAAYABgAjgAAABoAGgBIAAAACgAKAGIAAAAKAAoAbAAAAAAAAACmAAAABYKIogUCzg4AAAAPMQA5ADIALgAxADYAOAAuADEAMAAwAC4ANQBqAGkAbgBqAHoASgBJAE4ASgBaALVaV8Ku0ERuAAAAAAAAAAAAAAAAAAAAAFowQcbaUXykWTrI7WJKQUA2taaV7wo5T2==

4.1.6.    服务端验证通过,返回资源

HTTP/1.1 200 OK

Content-Length: 1135

Content-Type: text/html

Last-Modified: Mon, 12 Nov 2007 09:33:27 GMT

Accept-Ranges: bytes

ETag: "d4469314f25c81:e35"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Wed, 14 Nov 2007 07:24:15 GMT

 

<html>

 

<head>

<meta HTTP-EQUIV="Content-Type" Content="text/html; charset=gb2312">

 

</head>

 

<body bgcolor=white>

This is a simple page!

 

</body>

</html>

 

4.2.    客户端用机器名访问服务器,客户端用户以域账户登录

4.2.1.    客户端IE申请页面

GET /iisstart.htm HTTP/1.1

Accept: */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; MAXTHON 2.0)

Host: logs:81

Connection: Keep-Alive

4.2.2.    服务端返回无授权回应

HTTP/1.1 401 Unauthorized

Content-Length: 1327

Content-Type: text/html

Server: Microsoft-IIS/6.0

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

X-Powered-By: ASP.NET

Date: Wed, 14 Nov 2007 08:27:18 GMT

4.2.3.    客户端选择Kerberos验证,发送验证票到服务端

客户端在域中,并且以域账户登录,所以客户端IE选择使用Kerberos身份验证,发送与用户的验证票到服务端。

GET /iisstart.htm HTTP/1.1

Accept: */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; MAXTHON 2.0)

Host: logs:81

Connection: Keep-Alive

Authorization: Negotiate YIIEzQYGKwYBBQUCoIIEwTCCBL2gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBJMEggSPYIIEiwYJKoZIhvcSAQICAQBuggR6MIIEdqADAgEFoQMCAQ6iBwMFACAAAACjggOiYYIDnjCCA5qgAwIBBaEOGwxTWkJUSS5HT1YuQ06iFzAVoAMCAQKhDjAMGwRIVFRQGwRsb2dzo4IDaDCCA2SgAwIBF6EDAgEMooIDVgSCA1IeN8fZeLtzkw+5H8HOKmM8zgDOVL5GmeXoS8dMgE20RtI14EVWWZLn2j0AMXTqMOA550Grsadh89vZ89+6vprkVL0v49FM+gxHFCmZSOvLTIawBqXvLU6w1Pni8PN1pbhOKCRVON6+5XH4MN8Rfuqpyy1A/2gfeQIfLMMHs73yohp7h7QJP29b61jm0vj1xE0jEP7EupHlr225vrrVCnktTksbyqi88kIZlCB84J1gTqYoNeOycn4Qzvv8x6z1AsCfo2SBSwo1tj38BK2Fbu+BRXw26RrebGWPkILYwqED7bSR+RlDdokEhjubbyaWcnIjiSXZaN5kQqZQqms3iqhUrZpX7RaaV5BsMOgJs7LwYmc3uM5v7YqljwFD3T44XfpAiS3xlyirP3modOR1l+hV2xdIIFusXtRzY7rTkmEb2F3dGjTiMXySrc0GGhe3TrIeH9nB/2Udo/Z9m0ifXC0EU2fFogefmDc322vHhhv9gEYccG44Q/cnWx8gY9GfWCRihlaefGK+DmCvm+515UFYeIcG5KafXBQw3KX7MjI4/4hlAh3mQNn9p3nX0ePy1G1RRV2SToN7eg1PkaaYXDeC6MSIwCb53MfebzpyN0LKzmPZ6GneLYbyBIpANzPNoXz/LADA1h/l8F098ti1fThPVkUgoehgy1iyovTXyqJg6rojI0juIH7fKfc/UpfO+eLMhsquhH1KNjkCTD2CkdUfcsEU7B15j15p1OyGeg5/tEbRE67+NAWkfLSPp5R3tzGqjAh39w8n/8EWot9DBlHwk+qJp3rMFJZIvNtmXuvqnUW1NGpO1GIf78PBixyFwrJSo5syTfCiWIcw9YQ7MyvuyynAmsXeaI5+OP/GfmGpnvt5kMznu5q/nNf7LMV8n6x2+lmNlcPJiWr+KckPM9Nvntw2h/bl2qGnHDdOqNYI2N0VxzIm8wY6dWS3NIwlGl/usMjjebaELFP6rdHjpVG6pziJYjrBrws5DbqCxJ1EOeQdBiT8l1O6OUQqdOBVZH6/bj5MkLghWv0edHG8TJ4OGa69nMHDwTBOyuyRbTr5uWWFnESdyAGGbfGlJjuvSSzxgZViMSB2j8Ulk8x8MCqrupEK2i0UR6HrMNMJIDJsVcXTpIG6MIG3oAMCAReiga8EgazteAbcguseBpQnHeJihLFO78PfjI2Qop+MkH9jCOrvO9cQns1GzOKByoAbeP307QQq4zbaDF3EJlOC//4k4A6W4dc4k5lNeOgwR4LEvbIQKpdlljFiW8XUb+IgovsOlZEG0qFQgZY0I35I4Uvk/2dDkz06DGiDsQ0IENrRIMT4/7xgMSmkzspO2ojSbG5aKlbjK203QxMlkEoxb8WpJFZQggUqrLAr0q2graET

4.2.4.    服务端验证通过,返回资源

HTTP/1.1 200 OK

Content-Length: 167

Content-Type: text/html

Last-Modified: Wed, 14 Nov 2007 08:21:24 GMT

Accept-Ranges: bytes

ETag: "bf2d54589726c81:e35"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

WWW-Authenticate: Negotiate oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICooGIBIGFYIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWrdYWb37ROEMMnP/4vTBwSe9hVe4XklXCWqFKG16d53aBUiTEem+lrFE8ycBgSln3zme63lKfSn9UHoNTlT100T86wxllsyrrMe437ElPcxI4pgcv9rNKU9aKg==

Date: Wed, 14 Nov 2007 08:27:18 GMT

 

<html>

 

<head>

<meta HTTP-EQUIV="Content-Type" Content="text/html; charset=gb2312">

 

</head>

 

<body bgcolor=white>

This is a simple page!

 

</body>

</html>

 

4.3.    客户端用机器名访问服务器,客户端用户以客户端本地用户登录,用户名/口令跟服务器账户不匹配

4.3.1.    客户端IE申请页面

GET /iisstart.htm HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)

Host: logs:81

Connection: Keep-Alive

4.3.2.    服务端返回无授权回应

HTTP/1.1 401 Unauthorized

Content-Length: 1327

Content-Type: text/html

Server: Microsoft-IIS/6.0

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

X-Powered-By: ASP.NET

Date: Wed, 14 Nov 2007 08:58:13 GMT

4.3.3.    客户端选择NTLM验证,请求质询码

GET /iisstart.htm HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)

Host: logs:81

Connection: Keep-Alive

Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==

4.3.4.    服务器返回质询码

HTTP/1.1 401 Unauthorized

Content-Length: 1251

Content-Type: text/html

Server: Microsoft-IIS/6.0

WWW-Authenticate: Negotiate TlRMTVNTUAACAAAACgAKADgAAAAFgomibnmMcRgPlTMAAAAAAAAAAHwAfABCAAAABQLODgAAAA9TAFoAQgBUAEkAAgAKAFMAWgBCAFQASQABAAgATABPAEcAUwAEABgAcwB6AGIAdABpAC4AZwBvAHYALgBjAG4AAwAiAGwAbwBnAHMALgBzAHoAYgB0AGkALgBnAG8AdgAuAGMAbgAFABgAcwB6AGIAdABpAC4AZwBvAHYALgBjAG4AAAAAAA==

X-Powered-By: ASP.NET

Date: Wed, 14 Nov 2007 08:58:13 GMT

4.3.5.    客户端发送用登陆本机的账户加密后的质询码

GET /iisstart.htm HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)

Host: logs:81

Connection: Keep-Alive

Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAHYAAAAYABgAjgAAAAoACgBIAAAAGgAaAFIAAAAKAAoAbAAAAAAAAACmAAAABYKIogUCzg4AAAAPSgBJAE4ASgBaAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIASgBJAE4ASgBaACY8afODxKsFAAAAAAAAAAAAAAAAAAAAAPfRbw7FX9gKolM+6+QhqsRU+MWS3jKLkQ==

4.3.6.    服务端返回无授权回应

HTTP/1.1 401 Unauthorized

Content-Length: 1251

Content-Type: text/html

Server: Microsoft-IIS/6.0

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

X-Powered-By: ASP.NET

Date: Wed, 14 Nov 2007 08:58:13 GMT

4.3.7.    客户端及选选择NTLM验证,要求输入用户名和口令,再次请求质询码

GET /iisstart.htm HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)

Host: logs:81

Connection: Keep-Alive

Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==

4.3.8.    服务端返回质询码

HTTP/1.1 401 Unauthorized

Content-Length: 1251

Content-Type: text/html

Server: Microsoft-IIS/6.0

WWW-Authenticate: Negotiate TlRMTVNTUAACAAAACgAKADgAAAAFgomi3CZKUW4302QAAAAAAAAAAHwAfABCAAAABQLODgAAAA9TAFoAQgBUAEkAAgAKAFMAWgBCAFQASQABAAgATABPAEcAUwAEABgAcwB6AGIAdABpAC4AZwBvAHYALgBjAG4AAwAiAGwAbwBnAHMALgBzAHoAYgB0AGkALgBnAG8AdgAuAGMAbgAFABgAcwB6AGIAdABpAC4AZwBvAHYALgBjAG4AAAAAAA==

X-Powered-By: ASP.NET

Date: Wed, 14 Nov 2007 08:59:09 GMT

4.3.9.    客户端发送使用前面输入账户的密码加密后的质询码

GET /iisstart.htm HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)

Host: logs:81

Connection: Keep-Alive

Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAHYAAAAYABgAjgAAAAoACgBIAAAAGgAaAFIAAAAKAAoAbAAAAAAAAACmAAAABYKIogUCzg4AAAAPSgBJAE4ASgBaAGEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIASgBJAE4ASgBaAIP0UwZaV4tAAAAAAAAAAAAAAAAAAAAAAMS9l9MtVOFPSz/JmjD+/7W2ssAdBrkvwQ==

4.3.10.     服务端验证通过,返回资源

HTTP/1.1 200 OK

Content-Length: 167

Content-Type: text/html

Last-Modified: Wed, 14 Nov 2007 08:21:24 GMT

Accept-Ranges: bytes

ETag: "bf2d54589726c81:e35"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Wed, 14 Nov 2007 08:59:09 GMT

 

<html>

 

<head>

<meta HTTP-EQUIV="Content-Type" Content="text/html; charset=gb2312">

 

</head>

 

<body bgcolor=white>

This is a simple page!

 

</body>

</html>

 

4.4.    客户端用机器名访问服务器,客户端用户以客户端本地用户登录,用户名/口令跟服务器账户匹配

4.4.1.    客户端IE申请页面

GET /iisstart.htm HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)

Host: logs:81

Connection: Keep-Alive

4.4.2.    服务端返回无授权回应

HTTP/1.1 401 Unauthorized

Content-Length: 1327

Content-Type: text/html

Server: Microsoft-IIS/6.0

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

X-Powered-By: ASP.NET

Date: Wed, 14 Nov 2007 09:11:09 GMT

4.4.3.    客户端选择NTLM验证,请求质询码

GET /iisstart.htm HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)

Host: logs:81

Connection: Keep-Alive

Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==

4.4.4.    服务器返回质询码

HTTP/1.1 401 Unauthorized

Content-Length: 1251

Content-Type: text/html

Server: Microsoft-IIS/6.0

WWW-Authenticate: Negotiate TlRMTVNTUAACAAAACgAKADgAAAAFgomil8OZAC0QBhYAAAAAAAAAAHwAfABCAAAABQLODgAAAA9TAFoAQgBUAEkAAgAKAFMAWgBCAFQASQABAAgATABPAEcAUwAEABgAcwB6AGIAdABpAC4AZwBvAHYALgBjAG4AAwAiAGwAbwBnAHMALgBzAHoAYgB0AGkALgBnAG8AdgAuAGMAbgAFABgAcwB6AGIAdABpAC4AZwBvAHYALgBjAG4AAAAAAA==

X-Powered-By: ASP.NET

Date: Wed, 14 Nov 2007 09:11:09 GMT

4.4.5.    客户端发送用登陆本机的账户加密后的质询码

GET /iisstart.htm HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)

Host: logs:81

Connection: Keep-Alive

Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAHYAAAAYABgAjgAAAAoACgBIAAAAGgAaAFIAAAAKAAoAbAAAAAAAAACmAAAABYKIogUCzg4AAAAPSgBJAE4ASgBaAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIASgBJAE4ASgBaAMQdxp9OWMESAAAAAAAAAAAAAAAAAAAAAMEj775cWctAx2Csmbgfq2afsGcop92oMA==

4.4.6.    服务端验证通过,返回资源

用户端登录的用户名和密码正好能匹配到服务端的一个用户和密码,验证通过。

HTTP/1.1 200 OK

Content-Length: 167

Content-Type: text/html

Last-Modified: Wed, 14 Nov 2007 08:21:24 GMT

Accept-Ranges: bytes

ETag: "bf2d54589726c81:e35"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Wed, 14 Nov 2007 09:11:09 GMT

 

<html>

 

<head>

<meta HTTP-EQUIV="Content-Type" Content="text/html; charset=gb2312">

 

</head>

 

<body bgcolor=white>

This is a simple page!

 

</body>

</html>

 

5、 集成验证总结

5.1.    客户端以ip地址访问服务器

不管客户端跟服务器是否在域、也不管客户端是否以域帐号登陆,只要客户端以ip地址访问服务器,那么客户端就会选择NTLM方式验证,并且不会直接发送客户端登录用户的用户名和密码给服务器,而是会弹出一个对话框要求用户输入用户名和口令,然后发送到服务端验证。

您可以避免在使用 IP 地址或名称中包含句点的企业内部网服务器上出现这种提示,方法是,在 Internet Explorer 的“本地 Intranet”设置中,列出包含 IP 地址的服务器,或是列出包含句点的服务器名称。可以通过依次单击“工具”、“Internet 选项”、“本地 Intranet”、“站点”、“高级”来访问“本地 Intranet”设置部分。然后在“将该网站添加到区域中”输入 http://127.0.0.1 或其他相关站点的 URL

 

下面总结的都是在客户端以机器名访问服务器的情况。

5.2.    服务器在域,客户端以域帐号登陆

如果客户端的机器在域中,同时登陆用户又是以域用户登录,那么IE选择Kerberos验证方式。

5.3.    其他情况IE都选择采用NTLM验证方式。

出来上述的两种情况,其他情况,客户端都选择NTLM验证,并首先尝试把登录客户端用户的用户名和密码传送给服务器验证,如果验证通过了,被直接授权访问;如果验证没通过,客户端弹出对话框要求输入用户名和密码,然后再传送到服务端验证,直到验证通过。

 

集成 Windows 身份验证Kerberos的验证方式是 Intranet 环境中最好的身份验证方案,在这种用户拥有 Windows 域帐户,Kerberos验证不在网络上传递用户密码,只用传送一个用户验证票。NTLM要传送用户的密码,但是密码经过处理后派生出一个8字节的key加密质询码,也是比较安全的。

 

 

四、  基本身份验证

客户端IE请求服务端IIS的一个页面iisstart.htm

IIS服务端设置:

l         不启用匿名访问

l         只启用基本身份验证

 

1、 客户端IE申请页面

GET /iisstart.htm HTTP/1.1

Accept: */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; MAXTHON 2.0)

Host: logs:81

Connection: Keep-Alive

2、 服务端返回无授权回应,并告知客户端要求基本身份验证

服务端设置的基本身份验证,所以这里返回的无授权回应的http头中包含 WWW-Authenticate: Basic 头,告诉客户端,服务端要求的是基本身份验证

HTTP/1.1 401 Unauthorized

Content-Length: 1327

Content-Type: text/html

Server: Microsoft-IIS/6.0

WWW-Authenticate: Basic realm="logs"

X-Powered-By: ASP.NET

Date: Mon, 19 Nov 2007 06:15:57 GMT

3、 客户端弹出对话框要求输入用户名和密码

GET /iisstart.htm HTTP/1.1

Accept: */*

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; MAXTHON 2.0)

Host: logs:81

Connection: Keep-Alive

Authorization: Basic YWRtaW5pc3RyYXRvcjpzemJ0aUAxMDA1

客户端把用户名和密码转换成base64编码后,直接发送到服务端。

发送到服务器的“Authorization: Basic”头里面的“YWRtaW5pc3RyYXRvcjpzemJ0aUAxMDA1”部分就是用户的用户名和密码,经过base64解码后是这样的:administrator:szbti@1005

4、 服务端验证通过,返回资源

HTTP/1.1 200 OK

Content-Length: 167

Content-Type: text/html

Last-Modified: Wed, 14 Nov 2007 08:21:24 GMT

Accept-Ranges: bytes

ETag: "bf2d54589726c81:e7d"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Mon, 19 Nov 2007 06:16:34 GMT

 

<html>

 

<head>

<meta HTTP-EQUIV="Content-Type" Content="text/html; charset=gb2312">

 

</head>

 

<body bgcolor=white>

This is a simple page!

 

</body>

</html>