401客户端“协商",服务器“协商,NTLM"调用WCF服务器到服务器时 [英] 401 Client 'Negotiate', Server 'Negotiate,NTLM' When Calling WCF Server to Server
问题描述
好吧,我已经阅读了所有线程&我可以找到这个错误的问题,令人惊讶的是没有找到解决方法.我试图在我的IIS托管WCF服务(.NET 4.0)上要求Windows身份验证,到目前为止,该服务是可选的.我在服务器上有启用Windows身份验证的终结点计算机已有一段时间了,并且多个远程应用程序已成功使用它.我现在正尝试通过向他们提供与工作的远程客户端完全相同的客户端配置,将使用WCF服务的Web应用程序和其他服务器应用程序切换到此安全端点,但是服务器应用程序收到消息401:
Ok, I've read every thread & question I can find with this error and surprisingly have not found a solution. I'm trying to require Windows authentication on my IIS hosted WCF service (.NET 4.0) which, until now, has been optional. I have had a Windows authentication enabled endpoint available on the server for a while with several remote applications successfully using it. I'm now trying to switch our web applications and other server apps that use the WCF service over to this secured endpoint by giving them the exact same client configuration as the working remote clients, but the server apps are receiving a 401 with the message:
The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'.]
我为WCF托管站点启用了匿名和Windows身份验证.我开始使用的Web应用程序承载在与WCF服务不同的服务器上,并且运行在ASP.NET 2.0和Windows Server 2008 R2 Enterprise上.我都使用allowNtlm创建了一个客户端行为,并将NetworkSecurity:LAN Manager身份验证级别设置为Send LM&. NTLM ...在客户端上.在主机端,它设置为仅发送NTLMv2响应" ...我不知道这是否会影响服务器/服务处理身份验证的方式.我还尝试了在客户端上将allowedImpersonationLevel设置为模拟,但值得庆幸的是,它没有用(因为不必要进行模拟).对于与Web应用程序运行在同一服务器上的Windows服务和控制台应用程序,我们似乎得到了相同的结果.
I have Anonymous and Windows authentication enabled for the WCF hosting site. The web application I've started with is hosted on a different server than the WCF service and is running on ASP.NET 2.0 and Windows Server 2008 R2 Enterprise. I have both created a client behavior with allowNtlm and set the NetworkSecurity: LAN Manager authentication level to Send LM & NTLM... on the client end. On the hosting end, it is set to Send NTLMv2 Response Only...I don't know if that affects how the server/service handles authentication. I've also tried setting allowedImpersonationLevel to Impersonation on the client which, thankfully, didn't work (because impersonation shouldn't be necessary). We seem to get the same result for a Windows service and console app running on the same server as the web app.
这是我的服务器配置:
<binding name="WindowsSecuredBinding">
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
...
<service behaviorConfiguration="OMWebServices.QueueServiceBehavior"
name="OMWebServices.QueueService">
<endpoint address="" binding="basicHttpBinding" name="QueueEndpoint"
bindingName="" contract="OMWebServices.IQueueService" />
<endpoint binding="basicHttpBinding" bindingConfiguration="WindowsSecuredBinding"
name="QueueSecuredEndpoint" contract="OMWebServices.IQueueService" />
<endpoint address="mex" binding="mexHttpBinding" name="QueueMetadataEndpoint"
contract="IMetadataExchange" />
</service>
...
<behavior name="OMWebServices.QueueServiceBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
这是客户端配置:
<endpoint address="https://.../QueueService.svc" binding="basicHttpBinding" bindingConfiguration="QueueSecuredEndpoint" behaviorConfiguration="OMServiceBehavior" contract="OMQueueService.IQueueService" name="QueueSecuredEndpoint" />
<binding name="QueueSecuredEndpoint" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="Transport">
<transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
....
<!-- The behavior I tried that didn't make a difference -->
<behavior name="OMServiceBehavior">
<clientCredentials>
<windows allowedImpersonationLevel="Impersonation" allowNtlm="True"/>
</clientCredentials>
</behavior>
我的第一个问题是,此错误消息真正告诉我什么?它说客户端方案是协商的,服务器的响应是协商的,NTLM.如果服务器提供了协商"功能,而客户端正在使用协商"功能,那有什么问题?
My first question is, what is this error message really telling me? It says the client scheme is Negotiate and the server's responding with Negotiate,NTLM. If the server offers Negotiate and and client is using Negotiate, what's the problem?
显然,第二个问题是什么地方出了问题,我该如何运作?
Second question is, obviously, what's wrong and how do I make it work?
编辑
好吧,这很愚蠢.问题似乎是没有通过凭据.回到网站开发时,我开始编写代码以在代码中显式设置凭据,但是在此过程中,
EDIT
Well this is stupid. The problem seems to be there are no credentials being passed. Way back when the web site was in development, I started writing code to explicitly set the credentials in code, but in the process, found that it was already working without explicitly setting them. So that code has remained commented out. This was running on IIS 6. Now running on IIS 7, it seems to only work if I explicitly set the credentials in my code. Can I get it automatically using the w3wp process' account?
推荐答案
要回答第一个问题,错误消息将告诉我它的确切含义.我没有被授权.该行告诉我客户端身份验证方案和服务器标头只是额外的信息,而不是冲突的指示.实际上是在确认配置正确.
To answer the first question, the error message is telling me exactly what it says; I'm not authorized. The line telling me the client authentication scheme and server header is just extra info, not an indication of a conflict. It's actually confirmation that the configuration is correct.
在登台环境中,此问题被掩盖了,因为WCF服务和Web应用程序托管在同一服务器上.问题在于,默认情况下,Web应用程序的站点配置为对匿名用户使用IUSR(或IUSR_Server)这是一个本地帐户.这是正在传递的用户(我相信它等于CredentialCache.DefaultNetworkCredentials).当它们位于不同的服务器上时,服务器2上的WCF显然无法对服务器1的用户进行身份验证.解决方案是在IIS中,右键单击匿名身份验证">编辑...">检查应用程序池标识"(在我的情况下是一个域帐户)或输入特定用户"的域帐户.
In the staging environment, the problem is being masked because the WCF service and the web application are hosted on the same server. The problem is the web app's site is configured to use IUSR (or IUSR_Server), a local account, for anonymous users by default. This is the user that is being passed (which I believe is equal to CredentialCache.DefaultNetworkCredentials). When they're on different servers, WCF on server 2 obviously can't authenticate a server 1 user. The solution is in IIS, right click Anonymous Authentication > Edit...> check Application pool identity (which is a domain account in my case) or enter a domain account for Specific user.
这篇关于401客户端“协商",服务器“协商,NTLM"调用WCF服务器到服务器时的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
