Debugging the IIS7 Kerberos authentication error KRB_AP_ERR_MODIFIED


Problem overview

KRB_AP_ERR_MODIFIED is a common Kerberos authentication failure message. It means that the encrypted Kerberos authentication data sent by the client could not be decrypted correctly on the server. When a Kerberos client requests a ticket for a service, the service is identified by its SPN, and the KDC issues the client a service ticket encrypted with the service key. Normally that key is derived from the password of the AD account on which the SPN is registered.

Sometimes the KDC issues a service ticket encrypted with the key of the wrong account. When the client presents that ticket to the service, the service cannot decrypt it, authentication fails, and KRB_AP_ERR_MODIFIED is reported.

In other words, the KDC issued a ticket encrypted with account A's password, but the service side tries to decrypt it with account B's password.

This problem usually has one of the following causes:

  • Duplicate SPNs
  • Incorrect DNS configuration
  • Two computers with the same name in different domains
  • The client requested a ticket for the wrong SPN
  • Incorrect IIS (kernel-mode / user-mode) authentication settings

Troubleshooting

Data collection tools

Data collection steps

  • Enable Kerberos logging on the client computer (see "How to enable Kerberos event logging").
  • Open an elevated command prompt and run "klist purge" to clear the cached Kerberos tickets.
  • Run "ipconfig /flushdns" to clear the DNS cache.
  • Run Network Monitor on both the client and the web server.
  • Reproduce the problem.
  • Save the Network Monitor capture.

Locating the Kerberos error

The cause of the Kerberos authentication error can be found by expanding the Authenticate field in the HTTP response headers returned by IIS.

- Http: Response, HTTP/1.1, Status: Unauthorized, URL: / , Using GSS-API Authentication
  ProtocolVersion: HTTP/1.1
  StatusCode: 401, Unauthorized
  Reason: Unauthorized
…
  - WWWAuthenticate: Negotiate …
    - Authenticate: Negotiate 
    oWwwaqADCgEBomMEYWBfBgkqhkiG9xIBAgIDAH5QME6gAwIBBaEDAgEepBEYDzIwMTExMDE0MDUxMDE0WqUFAgMG362mAwIBKakKGwhURVN 
    ULkNPTaoXMBWgAwIBAaEOMAwbCmNvbnRvc29zdmM=
    WhiteSpace: 
    - NegotiateAuthorization: 
      Scheme: Negotiate
      - GssAPI: 0x1
        - NegotiationToken: 
          - ChoiceTag: 
            - NegTokenResp: 
          - ResponseToken: 0x1
        - KerberosToken: 0x1
          - KerberosInitToken: 
…
          - InnerContextToken: 0x1
            - KerberosToken: 0x1
              TokId: Krb5Error (0x300)
              - Error: KRB_ERROR (30)
….
              + ErrorCode: KRB_AP_ERR_MODIFIED (41)
              + Realm: TEST.COM
              + Sname: contososvc
Date: Fri, 14 Oct 2011 05:10:14 GMT
ContentLength: 341

In a Wireshark capture the error is even more obvious.

In the client's System event log, the following event can be seen.

Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Date: 10/13/2011 10:10:05 PM
Event ID: 4
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: IIS02.test.com
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server contososvc. The target name used was HTTP/iis01.test.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (TEST.COM) is different from the client domain (TEST.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

According to this event, the SPN is HTTP/iis01.test.com and the account used to decrypt the ticket is contososvc; the Kerberos authentication error occurs because the account whose key encrypted the ticket is not contososvc.

The situations that can cause this are as follows.

Scenario 1: duplicate SPN

A duplicate SPN means the same SPN is registered on at least two accounts. For example, the SPN is registered on accounts A and B. The KDC may encrypt the service ticket with account A's password, but the service doing the authentication may actually run as account B, and decryption with account B's key fails.

Detecting duplicate SPNs with setspn

Windows Server 2008 and later ship with setspn, which can be used to detect duplicate SPNs.

Besides the HTTP/ SPN, also check the HOST/ SPN. If no HTTP/ SPN exists, the HOST/ SPN is used as the default, so an incorrect HOST/ SPN also causes Kerberos authentication to fail.

Below is sample setspn output from Windows Server 2008 SP2.

Finding duplicate SPNs with ldifde

On Windows 2003 and XP, the ldifde tool can be used to search for duplicate SPNs. The following example searches for HTTP/contoso.

SPNs are forest-wide objects, so an SPN must be unique throughout the domain and the wider forest. In complex environments, search the entire forest through a Global Catalog server (GCName, port 3268) with a command like this:
ldifde -s GCName -t 3268 -f d:\spn.ldf -d "dc=test,dc=com" -l servicePrincipalName -r "(servicePrincipalName=HTTP/contoso)"

A wildcard search is also possible:
ldifde -s GCName -t 3268 -f d:\spn.ldf -d "dc=test,dc=com" -l servicePrincipalName -r "(servicePrincipalName=*contoso*)"

Scenario 2: the client requests a ticket for the wrong SPN

Locating the problem

This scenario is caused by client behavior. The problem occurs when the web site is published through a CNAME resource record in DNS.
For example, DNS is configured as follows:

Contoso CNAME iis01.test.com
iis01.test.com A 10.0.5.2

When the web site is opened in Internet Explorer, IE contacts the server using the server's host name (IIS01) rather than the CNAME (Contoso). Authentication may then fail with KRB_AP_ERR_MODIFIED. In this example the SPNs are registered as follows:

HTTP/Contoso.test.com test\contososvc
HOST/IIS01.test.com test\iis01 (machine account)


Network Monitor trace of the failed request
IE sends the request to http://contoso and first issues a DNS query for contoso.

+ Ipv4: Src = 10.0.5.3, Dest = 10.0.5.1, Next Protocol = UDP, Packet ID = 9717, Total IP Length = 62
+ Udp: SrcPort = 64506, DstPort = DNS(53), Length = 42
- Dns: QueryId = 0x4BB1, QUERY (Standard query), Query for contoso.test.com of type Host Addr on class Internet

DNS response for contoso

+ Ipv4: Src = 10.0.5.1, Dest = 10.0.5.3, Next Protocol = UDP, Packet ID = 6526, Total IP Length = 98
+ Udp: SrcPort = DNS(53), DstPort = 64506, Length = 78
- Dns: QueryId = 0x4BB1, QUERY (Standard query), Response - Success, 49, 0 
QueryIdentifier: 19377 (0x4BB1)
…
- ARecord: contoso.test.com of type CNAME on class Internet: iis01.test.com
- ARecord: iis01.test.com of type Host Addr on class Internet: 10.0.5.2

In the TGS request, the SPN that IE asks for is HTTP/iis01.test.com rather than the expected HTTP/contoso.test.com:

+ Ipv4: Src = 10.0.5.3, Dest = 10.0.5.1, Next Protocol = TCP, Packet ID = 9728, Total IP Length = 0
+ Tcp: Flags=...AP..., SrcPort=50044, DstPort=Kerberos(88), PayloadLen=1488, Seq=4106960882 - 4106962370, Ack=354586390, Win=513 (scale factor 0x8) = 131328
- Kerberos: TGS Request Realm: TEST.COM Sname: HTTP/iis01.test.com
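As an added example (not part of the original article), the following PowerShell script combines the checks for scenarios 1 and 2: it resolves the URL host name the way the client resolver does, derives the SPN that will actually be requested, and looks up which accounts hold that SPN (or the HOST/ fallback) across the whole forest via the Global Catalog, the same scope as the ldifde command and setspn -X. It assumes a domain-joined host, the forest root DC=test,DC=com and the constructed host name contoso.test.com.

```powershell
# Added example (not from the original article). Assumes a domain-joined host,
# forest root DC=test,DC=com and the constructed URL host name contoso.test.com.
$ForestRootDn = "DC=test,DC=com"
$UrlHost      = "contoso.test.com"

function Get-SpnOwners {
    # Returns the sAMAccountName of every account that holds $Spn, searching the
    # whole forest through the Global Catalog (the scope "ldifde -t 3268" uses).
    param([string]$Spn)
    $gc       = [ADSI]"GC://$ForestRootDn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($gc)
    $searcher.Filter = "(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
    foreach ($hit in $searcher.FindAll()) { $hit.Properties["samaccountname"][0] }
}

# Resolve the name the way the client does: GetHostEntry follows the CNAME and
# returns the canonical A-record name (iis01.test.com for the alias contoso.test.com).
$canonical    = [System.Net.Dns]::GetHostEntry($UrlHost).HostName
$expectedSpn  = "HTTP/$UrlHost"
$requestedSpn = "HTTP/$canonical"
if ($canonical -ne $UrlHost) {
    "CNAME detected: $UrlHost -> $canonical"
    "The client will request $requestedSpn, not $expectedSpn (scenario 2)"
}

# Who holds the SPN that will really be requested? Fall back to HOST/ when no
# HTTP/ SPN exists, mirroring the KDC's default SPN mapping of HTTP to HOST.
$owners = @(Get-SpnOwners $requestedSpn)
if ($owners.Count -eq 0) {
    "No $requestedSpn registered; HOST/$canonical will be used as the default"
    $owners = @(Get-SpnOwners "HOST/$canonical")
}
switch ($owners.Count) {
    0       { "No account holds $requestedSpn or HOST/$canonical; the KDC cannot issue a ticket" }
    1       { "The ticket will be encrypted with the key of $($owners[0]); that account must be the one decrypting it on the IIS server" }
    default { "DUPLICATE SPN (scenario 1) on: $($owners -join ', '); the KDC may use either key" }
}
```

Compare the account reported in the single-owner case with the account IIS actually decrypts with (see the configuration reference below); a mismatch is exactly the KRB_AP_ERR_MODIFIED condition described in this article.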

Solution

Scenario 3: SPN registered on the wrong account (IIS 7 authentication misconfiguration)

IIS 7.0 enables kernel-mode authentication by default. With kernel-mode authentication, the Kerberos ticket is decrypted with the machine account regardless of which account the application pool runs under.

In some situations, however, a domain account rather than the machine account has to be the decrypting account, for example when a web farm is used. In that case you can configure IIS to authenticate with the application pool identity by setting useAppPoolCredentials="true", without disabling kernel-mode authentication.

IIS 7 therefore has three Windows authentication configurations. Each requires the SPN to be registered on a different account; if it is registered on the wrong one, authentication fails with KRB_AP_ERR_MODIFIED.

  • Kernel-mode authentication disabled
  • Kernel-mode authentication enabled with useAppPoolCredentials
  • Kernel-mode authentication enabled

Note: "machine account" covers every identity that represents the local computer on the network, including Network Service, Local System, Local Service and, for IIS 7, ApplicationPoolIdentity. "Service account" means a domain account used as the application pool identity.

The situations that can cause Kerberos authentication to fail with KRB_AP_ERR_MODIFIED are as follows.

Case 1
Kernel Mode Authentication: Enabled (default)
useAppPoolCredentials: False (default)
Application Pool Identity: Service account, e.g. domain\contosoService
Web Site Binding To: IIS server's NetBIOS name, accessed as http(s)://IIS_Server_NetBIOS_Name or http(s)://IIS_Server_FQDN
SPN: HTTP/ SPN registered on the service account
Comments:
In this scenario the Kerberos ticket is encrypted with the service account's key but decrypted with the IIS server's computer account's key.

Case 2
Kernel Mode Authentication: Enabled (default)
useAppPoolCredentials: False (default)
Application Pool Identity: Service account, e.g. domain\contosoService
Web Site Binding To: A custom host header, accessed as http(s)://Contoso
SPN: HTTP/ SPN registered on the service account
Comments:
In this scenario the Kerberos ticket is encrypted with the service account's key but decrypted with the IIS server's computer account's key.

Case 3
Kernel Mode Authentication: Enabled (default)
useAppPoolCredentials: True
Application Pool Identity: Service account, e.g. domain\contosoService
Web Site Binding To: IIS server's NetBIOS name, accessed as http(s)://IIS_Server_NetBIOS_Name or http(s)://IIS_Server_FQDN
SPN: HTTP/IIS_Server_NetBIOS_Name is not registered on any account, or is registered on the IIS server's computer account
Comments:
In this scenario the Kerberos ticket is encrypted with the IIS server's computer account's key but decrypted with the service account's key.


SPN and IIS configuration reference

Configuration 1
Kernel Mode Authentication: Enabled (default)
useAppPoolCredentials: False (default)
Application Pool Identity: Any
URL used to access web site: http(s)://IIS_Server_NetBIOS_Name or http(s)://IIS_Server_FQDN
SPN requirement:
No HTTP/ SPN required. By default, HOST/IIS_Server_NetBIOS_Name is used.
Optionally, HTTP/IIS_Server_NetBIOS_Name can be registered on the server's computer account.
Comments:
This is the default scenario for IIS 7+ when the IIS server's computer name is used to access the web application.

Configuration 2
Kernel Mode Authentication: Enabled (default)
useAppPoolCredentials: False (default)
Application Pool Identity: Any
URL used to access web site: http(s)://Customer_Host_Name
SPN requirement:
Register the SPN on the IIS server's computer account, for example:
SetSPN -a HTTP/Customer_Host_NAME IIS_SRV_NetBIOS
Comments:
Some applications require this when the application pool identity needs special permissions.

Configuration 3
Kernel Mode Authentication: Enabled (default)
useAppPoolCredentials: True
Application Pool Identity: Service account, e.g. domain\contosoService
URL used to access web site: http(s)://Customer_Host_Name
SPN requirement:
Register the SPN on the service account, for example:
SetSPN -a HTTP/Customer_Host_NAME domain\contosoService
Comments:
  1. This is a typical requirement for an NLB environment.
  2. Some complex products made up of several services/applications, such as SharePoint, require the SPN to be set on a domain account and all of the services/applications to run under that domain account.

Configuration 4
Kernel Mode Authentication: Enabled (default)
useAppPoolCredentials: True
Application Pool Identity: Service account, e.g. domain\contosoService
URL used to access web site: http(s)://IIS_Server_NetBIOS_Name or http(s)://IIS_Server_FQDN
SPN requirement:
Register the SPN on the service account, for example:
SetSPN -a HTTP/IIS_SERVER_FQDN domain\contosoService
Comments:
Select this scenario when the web site is bound to the IIS server's computer name and runs under a domain account.

Configuration 5
Kernel Mode Authentication: Disabled
useAppPoolCredentials: Any
Application Pool Identity: Service account, e.g. domain\contosoService
URL used to access web site: http(s)://Customer_Host_Name
SPN requirement:
Register the SPN on the service account, for example:
SetSPN -a HTTP/Customer_Host_NAME domain\contosoService
Comments:
Same as the corresponding IIS 6 scenario.

Configuration 6
Kernel Mode Authentication: Disabled
useAppPoolCredentials: Any
Application Pool Identity: Service account, e.g. domain\contosoService
URL used to access web site: http(s)://IIS_SERVER_NetBIOS_NAME
SPN requirement:
Register the SPN on the service account, for example:
SetSPN -a HTTP/IIS_SERVER_NetBIOS_NAME domain\contosoService
Comments:
Same as the corresponding IIS 6 scenario.

Configuration 7
Kernel Mode Authentication: Disabled
useAppPoolCredentials: Any
Application Pool Identity: Machine account
URL used to access web site: http(s)://Customer_Host_Name
SPN requirement:
Register the SPN on the IIS server's computer account, for example:
SetSPN -a HTTP/Customer_Host_NAME IIS_SRV_NetBIOS
Comments:
Same as the corresponding IIS 6 scenario.

Configuration 8
Kernel Mode Authentication: Disabled
useAppPoolCredentials: Any
Application Pool Identity: Machine account
URL used to access web site: http(s)://IIS_SERVER_NetBIOS_NAME
SPN requirement:
No HTTP/ SPN required. By default, HOST/IIS_Server_NetBIOS_Name is used.
Optionally, HTTP/IIS_Server_NetBIOS_Name can be registered on the server's computer account.
Comments:

This is similar to the default scenario of IIS 6.
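The eight configurations above reduce to two questions: which account decrypts the ticket, and where the HTTP/ SPN must therefore be registered. As an added example, not from the original article, this PowerShell function encodes those rules and prints the required setspn registration; the host and account names (iis01, contoso.test.com, test\contososvc) are constructed samples, and the appcmd command at the end is the standard IIS 7 way to set the two windowsAuthentication attributes.

```powershell
# Added example (not from the original article). Encodes the SPN placement rules
# of the configuration reference above; host and account names are constructed.
function Get-KerberosDecryptor {
    param(
        [bool]$KernelMode,              # windowsAuthentication useKernelMode
        [bool]$UseAppPoolCredentials,   # windowsAuthentication useAppPoolCredentials
        [string]$AppPoolIdentity,       # built-in identity or domain\account
        [string]$ServerNetBiosName,     # IIS server's own NetBIOS name
        [string]$ServerFqdn,            # IIS server's own FQDN
        [string]$UrlHost                # host name in the URL the client uses
    )
    # Built-in identities all present the computer account on the network (see the note above).
    $builtIn = @("NetworkService", "LocalSystem", "LocalService", "ApplicationPoolIdentity")
    $poolIsMachine = $builtIn -contains $AppPoolIdentity

    # Kernel mode without useAppPoolCredentials: http.sys decrypts with the computer
    # account whatever the pool runs as. Otherwise the pool identity decrypts.
    if ($KernelMode -and -not $UseAppPoolCredentials) { $decryptor = "computer account" }
    elseif ($poolIsMachine)                           { $decryptor = "computer account" }
    else                                              { $decryptor = $AppPoolIdentity }

    $spn = "HTTP/$UrlHost"
    $isOwnName = @($ServerNetBiosName, $ServerFqdn) -contains $UrlHost
    if ($decryptor -eq "computer account" -and $isOwnName) {
        # The computer account's HOST/ SPN already covers HTTP/ for the server's own name.
        $action = "no HTTP/ SPN required; HOST/$UrlHost is used by default"
    } elseif ($decryptor -eq "computer account") {
        $action = "setspn -a $spn $ServerNetBiosName"
    } else {
        $action = "setspn -a $spn $decryptor"
    }
    [pscustomobject]@{ DecryptedBy = $decryptor; RequiredSpn = $spn; Action = $action }
}

$server = @{ ServerNetBiosName = "iis01"; ServerFqdn = "iis01.test.com" }

# Configuration 3: host header, web farm, useAppPoolCredentials on -> SPN on the service account.
Get-KerberosDecryptor @server -KernelMode $true -UseAppPoolCredentials $true `
    -AppPoolIdentity "test\contososvc" -UrlHost "contoso.test.com"

# Case 1 of the failure list: kernel mode on, pool runs as a service account, but the
# HTTP/ SPN was put on the service account -> the computer account decrypts and fails.
Get-KerberosDecryptor @server -KernelMode $true -UseAppPoolCredentials $false `
    -AppPoolIdentity "test\contososvc" -UrlHost "iis01"

# Switching a site to configuration 3 (appcmd lives in %windir%\system32\inetsrv):
# appcmd set config "Default Web Site" -section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:"True" /useAppPoolCredentials:"True" /commit:apphost
```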

 

 

weizhao

 

