Why is kerberos defaulting to NTLM in WCF?


Problem description

Got a simple WCF demo app that has two console projects--host and client. Both are running on my machine (win 7 box). I'm using the netTcpBinding, which uses windows authentication.

The problem is that authentication is being downgraded from kerberos to NTLM, and I don't know why.

If I use

<clientCredentials>
   <windows allowNtlm="true" />
</clientCredentials>

on the client side, everything is cool. But if I change that to false, I get the following exception:

SecurityNegotiationException: The remote server did not satisfy the mutual authentication requirement.

This suggests that kerberos is failing and since the client won't allow NTLM the call results in an exception being thrown.

Is this an issue with the project, or is it an external issue caused by the configuration of my development machine?

Solution:

Apparently, I have to specify the identity of the server within the client configuration. In my case, the server is running under my identity, so I modify the client thusly:

<client>
  <endpoint address="net.tcp://dev7.HurrDurr.com:12345/MyService" 
            binding="netTcpBinding" 
            bindingConfiguration="MyBindingConfigurationLol" 
            behaviorConfiguration="HurrDurrServiceEndpoint" 
            contract="ShaolinCore.ICommunicationService">
    <!-- start changes here -->
    <identity>
      <userPrincipalName value="myusername@mydomain"/>
    </identity>
    <!-- end changes here -->
  </endpoint>
</client>

I'm not sure why this fixes the issue. Okay, now on the client side I fully trust the server (hey, I know that guy!). But since NTLM is less secure than kerberos, why isn't it the other way around? If I don't fully trust the server, I use kerberos, otherwise ntlm is fine.

Or, OTOH, if I don't fully trust the server why does it work at all? "SecurityException: Endpoint identity not set. WCF cannot trust the identity of the server and will not transmit client identity."

Accepted answer

When I worked on the IIS4, 5 and 6 development teams we ran into this a lot! For Kerb to work, you need the following conditions to be true:

1) Both parties support kerb (all supported versions of Windows support Kerb today)

2) Machines auth to Active Directory

3) Service Principal Names (SPNs) registered for the server endpoint. In the "good old days" you had to do this by hand using SetSPN.exe. An SPN is just an endpoint that Kerb will connect to; it needs this data to support mutual authn. Most apps will call the appropriate API to do this work for you (DsWriteAccountSpn)

If any of the steps above are not true, Windows will usually default to NTLM, which gives you only client authentication.

Hope that helps! - Michael
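The following is an added example, not code from either poster: it builds the programmatic equivalent of the questioner's `<endpoint>` plus `<identity>` config, and turns off the NTLM fallback so that a failed Kerberos negotiation (any of Michael's three conditions not holding, most often a missing SPN) surfaces as a SecurityNegotiationException rather than a silent downgrade to client-only authentication. The contract name comes from the question's config; the Ping operation, the address and the UPN value are assumptions.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Security;

// Contract name taken from the question's config; the Ping operation is an assumption
// (the original contract's operations are not shown on the page).
[ServiceContract(Namespace = "ShaolinCore")]
public interface ICommunicationService
{
    [OperationContract]
    string Ping(string message);
}

public static class KerberosOnlyClient
{
    // Programmatic equivalent of:
    //   <endpoint address=... binding="netTcpBinding">
    //     <identity><userPrincipalName value="myusername@mydomain"/></identity>
    //   </endpoint>
    public static ChannelFactory<ICommunicationService> CreateFactory(string address, string serverUpn)
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;

        // The identity tells WCF which account the server runs as, so the client can ask the
        // KDC for a ticket to that principal and verify the server (mutual authentication).
        // Without it the client has nothing to check the server against and falls back to NTLM.
        EndpointIdentity identity = EndpointIdentity.CreateUpnIdentity(serverUpn);
        var endpoint = new EndpointAddress(new Uri(address), identity);

        var factory = new ChannelFactory<ICommunicationService>(binding, endpoint);

        // Refuse the NTLM fallback: if Kerberos cannot be negotiated, fail loudly instead of
        // quietly accepting a protocol that only authenticates the client.
        factory.Credentials.Windows.AllowNtlm = false;
        return factory;
    }

    // Returns the service reply, or a diagnostic string if Kerberos negotiation failed.
    public static string Call(string address, string serverUpn)
    {
        ChannelFactory<ICommunicationService> factory = CreateFactory(address, serverUpn);
        ICommunicationService channel = null;
        try
        {
            channel = factory.CreateChannel();
            string reply = channel.Ping("hello");
            ((IClientChannel)channel).Close();
            factory.Close();
            return reply;
        }
        catch (SecurityNegotiationException ex)
        {
            // This is the "remote server did not satisfy the mutual authentication requirement"
            // failure from the question: Kerberos was not available and NTLM is disallowed.
            if (channel != null) ((IClientChannel)channel).Abort();
            factory.Abort();
            return "Kerberos negotiation failed: " + ex.Message;
        }
        catch (CommunicationException ex)
        {
            if (channel != null) ((IClientChannel)channel).Abort();
            factory.Abort();
            return "Channel failure: " + ex.Message;
        }
    }

    public static void Main()
    {
        // Address and UPN are the placeholders used in the question, not real values.
        Console.WriteLine(Call("net.tcp://dev7.HurrDurr.com:12345/MyService", "myusername@mydomain"));
    }
}
```

When the call reports a negotiation failure, check Michael's third condition before anything else: the server account must hold an SPN that the client's ticket request can match. For a service hosted under a user account, as in the question, the UPN identity is what makes that match possible; a service hosted under a machine or service account instead needs an explicit SPN (registered with SetSPN.exe or DsWriteAccountSpn, as the answer notes) and a matching `<servicePrincipalName>` identity on the client.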
