Kerberos 인증을 통한 인터넷 익스플로러 동작
???? : Internet Explorer behaviors with Kerberos Authentication
?????? ?(Rob)???. ??? ????? Kerberos ??? ??? ??? ?? ????? ???.
??? ?????? ?? ??? Kerberos ??? ?? ??? ???? ?? ???? ??? ??? ?? ???? ???? ???. ????? ? ??? ?? ?????? Kerberos ??? ???? ??? ???? ??? ????.
???? 1 : ????? 80/443? ?? TCP/IP ??? ???? ?? ??
? ?? ??:
l Webserver1? ? ??? ???? ??? ?? IIS ???? ????.
l Website1? NetworkService? ??? ?? ???? ? ???? ?????.
l Website2? ??? ??? ??? ??? ?? ???? ? ???? ?????.
l website2? 8080 ??? ????? ???? ????.
l ??? SPN? website2 ?? ???? ? ??? ???? ????.
m http/webserver1.contoso.com:8080
m http/webserver1:8080
? ?????? ??? ? ???? ?? ??? ??? ?? ??? ??? ? ????? ? ? ????. SPN(Service Principal Name)? ??? ? ???? ??? ???? ?? ????, ??? ??? ? ?? ???? ? ???? Kerberos ??? ?? ? ???? ? ? ????.
???????? ?? ??:
? ??????? ??? ?????? Website2? ???? ? ??? ?? ??? ?? SPN? ?????. ???, IE? ?? ??? Kerberos ?? ??? ?? ??? ???? ????. ? ??? IIS? ??? ? KRB_AP_ERR_MODIFIED ???? ?? ?? ? ????.
??? KB? ??? ?? IE ????? ??? ?? ??? ??? ??? ????. ??? ????? 6?? ????? ??? ??? ???? ?? Wininet.dll? QFE? ??? ?????.
908209 Internet Explorer 6 Kerberos ?? ????? ???? Windows XP ? Windows Server 2003 ??? ?? ??? ???? ? ???? ??? ? ????.
https://support.microsoft.com/kb/908209/ko
IE7? KB ??? ???, ? ??? IE? ?? ?????? ??? ? ????.
??? ????:
? ???? ??? ??? ??? ???? DNS ??? ??? ??? ?? DNS HOST ???? ???? ? ??? ? ??? ??? ?? ?? ????? ????. DNS?? CNAME ???? ? ???? ??? ?? ? ????.
???? 2 : CNAME DNS RR? ?????? ??? ??
? ?? ??:
l Webserver1? ? ??? ???? ? ?? ?? ???? ????.
l Website1? NetworkService? ??? ?? ???? ? ???? ?????.
l Website2? ??? ??? ??? ??? ?? ???? ? ???? ?????.
l Website2? app1.contoso.com? ??? ??? ????? ???? ????.
l DNS?? app1.contoso.com? CNAME ???? ????? webserver1.contoso.com ??? ???? ?????.
l ??? website2? ?? ???? ? ???? ??? SPN???.
m http/app1.contoso.com
m http/app1
? ?????? ??? ? ???? ??? ????. ???? app1.contoso.com? ? ? ????? ??? DNS lookup? ? ???, DNS ??? CNAME ???? ???? webserver1.contoso.com ??? ???? ?????. SPN ??? ??? website2? ? ?? ???? ? ??? ?????? ? ? ????.
??? ?????? ?? ??? ?? CNAME ??? ??? ???, CNAME ?????? ??? ??? ???? ?? Kerberos ?? ??? ???? ????. ??? IE? WebServer1? ??? ????? ????? ??? Kerberos ??? ??? http/webserver1.contoso.com? ?? Kerberos ??? ???? ?????. ??? ???? app1.contoso.com ????? ????? ???? IIS??? IE?? KRB_AP_ERR_MODIFIED? ???? ?????.
?????? ?? ??:
??? KB? ??? ?? IE ????? ??? ?? ??? ??? ??? ????. ??? ????? 6?? ????? ??? ??? ???? ?? Wininet.dll? QFE? ??? ?????.
??? ????? 6:
911149 Windows XP ?? ????? Kerberos ??? ???? ? ???? ???? ? Internet Explorer?? ?? ????: "HTTP ?? 401 - ??? ??: ??? ?? ?? ??? ???? ???????." https://support.microsoft.com/kb/911149/ko
??? ????? 7? ? ??:
938305 Internet Explorer 7? ???? Kerberos ??? ???? ? ???? ???? ? "??? ?? ??? ???? ?? ??? ??" ?? ???? ???? https://support.microsoft.com/kb/938305/ko
??? ????:
??? ????? DNS CNAME RR? ???? HOST RR? ???? ????.
???? 3 : ? ???? ? ????? ????? 30? ??? ????.
? ?? ??:
l Webserver1 ???? ??? ???? ??? ????.
l Website1? ??? ??? ??? ??? ?? ???? ? ???? ?????.
l ??? SPN? website1 ?? ???? ? ??? ???? ????
m http/webserver1.contoso.com
???? ????? ??? ? ??? URL? NETBIOS ??? ???? ?????. ?? ??: https://webserver1 ?? ?????.
? ?????? ??? SPN? FQDN ???? ?????, ??? ???? ??? ????. Kerberos? ?? ??? ?? FQDN? ??? ?? ??? SPN? NETBIOS ?? ??? ????? ????? ?? ?? ????. ??? ???, ???? ? ?? ???? ?? ?? ?? ?????.
??? ?????? ?? ??? ???? DNS suffix? ????? ???? URL? ??? ??? ??? ???? ???? ???? ??? DNS suffix ?? ??? ???? ????. ?? DNS ??? ???? webserver1.contoso.com? ??? ????. ?? IE? ? ??? ??? ??? DNS ??? DNS ???? ?????. ???? ??? ????? ????. IE? ??? 30????. 30? ?? IE? ?? ??? ?????, ???? DNS? ?? ?? ??? ??? ? ????. ?? NetBIOS ?? ???? ?????.(??? WINS ????? ?????, ??? ??? ?? ?????.) ??? ???? ?? ? ??? Kerberos ??? ?? ???.
l KRB_AP_ERR_MODIFIED - ? ??? ???? ? ???? ??? ? ??? ??? ??? ??? ????. ??? http/webserver1 SPN? ?? ??? ??? ??? HOST/webserver1?? ???? ?????.
l KRB_ERR_S_PRINCIPAL_UNKNOWN - ? ??? ? ??? ??? app1.contoso.com ?? ?????. ??? http/app1 SPN? ?? ???? ?? ??? ??? ? ?? ?????.
?????? ?? ??:
???? ??? ?????? ?? ??? ??? ????.
899417 WWW ??(:? ??? ???? ?? HTTP ??? ?? ??)? ??? ? "???? ???????." ?? ???? ????. https://support.microsoft.com/kb/899417/ko
IE7? KB ??? ???, ? ??? IE? ?? ?????? ??? ? ????.
??? ????:
SETSPN.EXE? ????, SNP? NetBIOS ??? ??? ??? ? ????.
? ?? ????? ?????. ?? ??? ??? ?? ??? ????? ????? ?? ???? ??(trace)? ???? ?? ?? ????.
- Rob “I Speak Tampa” Greene