无法与HttpClient的来验证的ASP.NET Web API服务 [英] Unable to authenticate to ASP.NET Web Api service with HttpClient

问题描述

我启用了与Windows身份验证的Web服务器上运行的ASP.NET Web API服务。

I have an ASP.NET Web API service that runs on a web server with Windows Authentication enabled.

我必须建立在MVC4客户网站，在使用HttpClient的从服务提取数据的同一个Web服务器上的其他站点运行。此客户端站点启用身份模拟运行，并且还使用Windows身份验证。

I have a client site built on MVC4 that runs in a different site on the same web server that uses the HttpClient to pull data from the service. This client site runs with identity impersonation enabled and also uses windows authentication.

该网站的服务器是Windows Server 2008 R2中与IIS 7.5。

The web server is Windows Server 2008 R2 with IIS 7.5.

我遇到的挑战是让HttpClient的通过当前的Windows用户作为其认证过程的一部分。我已经以这种方式配置HttpClient的：

The challenge I am having is getting the HttpClient to pass the current windows user as part of its authentication process. I have configured the HttpClient in this manner:

var clientHandler = new HttpClientHandler();
clientHandler.UseDefaultCredentials = true;
clientHandler.PreAuthenticate = true;
clientHandler.ClientCertificateOptions = ClientCertificateOption.Automatic;
var httpClient = new HttpClient(clientHandler);

我的理解是，运行启用身份假冒的网站，然后建立客户端以这种方式应该导致客户端使用的当前登录用户的模拟标识认证的服务。

My understanding is that running the site with identity impersonation enabled and then building the client in this manner should result in the client authenticating to the service using the impersonated identity of the currently logged in user.

这是不会发生。事实上，客户端似乎并没有在所有验证。

This is not happening. In fact, the client doesn't seem to be authenticating at all.

该服务被配置为使用Windows身份验证和这似乎很好地工作。我可以去 HTTP：//服务器/ API /发货人在我的网页浏览器并提示输入Windows身份验证，一旦进入我接收到的数据请求。

The service is configured to use windows authentication and this seems to work perfectly. I can go to http://server/api/shippers in my web browser and be prompted for windows authentication, once entered I receive the data requested.

在IIS日志中我看到正在接收的无认证和接收401质询响应的API请求。

In the IIS logs I see the API requests being received with no authentication and receiving a 401 challenge response.

在这一个文件似乎是稀疏。

Documentation on this one seems to be sparse.

我需要一些洞察到这可能是错误的或者另一种方式来使用Windows身份验证与此应用程序。

I need some insight into what could be wrong or another way to use windows authentication with this application.

感谢您，
克雷格

Thank You, Craig

推荐答案

我已经调查的来源$ C ​​$ C HttpClientHandler（最新版本我能得到我的手），这是什么可以在SendAsync找到方法：

I have investigated the source code of HttpClientHandler (the latest version I was able to get my hands on) and this is what can be found in SendAsync method:

// BeginGetResponse/BeginGetRequestStream have a lot of setup work to do before becoming async
// (proxy, dns, connection pooling, etc).  Run these on a separate thread.
// Do not provide a cancellation token; if this helper task could be canceled before starting then 
// nobody would complete the tcs.
Task.Factory.StartNew(startRequest, state);

现在如果您在$ C $内检查的C pssed SecurityContext.IsWindowsIdentityFlowSup $ P $的值（）你最可能会得到正确的。在结果StartRequest方法是在新线程与asp.net程序（而不是模拟的用户的凭据）的凭据执行。

Now if you check within your code the value of SecurityContext.IsWindowsIdentityFlowSuppressed() you will most probably get true. In result the StartRequest method is executed in new thread with the credentials of the asp.net process (not the credentials of the impersonated user).

有两种可能的方法出于此。如果你有机会到你的服务器aspnet_config.config，您应该设置下列设置（这些设置在web.config中似乎没有任何效果）：

There are two possible ways out of this. If you have access to yours server aspnet_config.config, you should set following settings (setting those in web.config seems to have no effect):

<legacyImpersonationPolicy enabled="false"/>
<alwaysFlowImpersonationPolicy enabled="true"/>

如果你不能改变aspnet_config.config你必须创建自己的HttpClientHandler以支持此方案。

If you can't change the aspnet_config.config you will have to create your own HttpClientHandler to support this scenario.

更新关于FQDN的使用

您已经在这里打的问题是Windows中的一项功能，旨在防止反射攻击。要解决这一点，你需要加入白名单，你正在尝试是试图访问服务器的计算机上访问域。请按照以下步骤进行：

The issue you have hit here is a feature in Windows that is designed to protect against "reflection attacks". To work around this you need to whitelist the domain you are trying to access on the machine that is trying to access the server. Follow below steps:

1. 点击开始 - >运行 - >注册表编辑器


2. 找到 HKEY_LOCAL_MACHINE \\系统\\ CurrentControlSet \\控制\\ LSA \\ MSV1_0 注册表项。


3. 右键点击它，选择的新的，然后的多字符串值的


4. 键入 BackConnectionHostNames （ ENTER 的）。


5. 右键单击刚刚创建的值，然后选择的修改的


6. 将主机名（S）为在数值框中的本地计算机上的网站（），点击的确定的（每个主机名/ FQDN必须在它自己的路线，没有通配符，名称必须是精确匹配）。


7. 保存一切，重新启动计算机

1. Go to Start --> Run --> regedit
2. Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 registry key.
3. Right-click on it, choose New and then Multi-String Value.
4. Type BackConnectionHostNames (ENTER).
5. Right-click just created value and choose Modify.
6. Put the host name(s) for the site(s) that are on the local computer in the value box and click OK (each host name/FQDN needs to be on it's own line, no wildcards, the name must be exact match).
7. Save everything and restart the machine

您可以阅读关于这里问题全KB文章。

You can read full KB article regarding the issue here.

这篇关于无法与HttpClient的来验证的ASP.NET Web API服务的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！