WCF WsHttpBinding的SOAP安全协商失败 [英] WCF WSHttpBinding SOAP Security Negotiation Failed
问题描述
我已经使用,只是拒绝工作的WSHttpBinding得到了一个相当简单的WCF自承载服务。如果服务和客户端在同一台机器上运行没有任何问题,但只要我移动服务窗口服务器2008年客户端与失败的通信尝试
例外
[System.ServiceModel.Security.SecurityNegotiationException] {SOAP安全协商以http:// HVW-SVR-01 / SIT'为目标'的http:// HVW-SVR-01 / SIT'失败,请参阅内部。除了更多的细节。}
内部异常
[System.ComponentModel.Win32Exception] {安全支持提供程序接口(SSPI)协商失败,该服务器不能运行在一个账户身份主机/ HVW-SVR-01',如果服务器在运行服务帐户(网络服务为例),指定帐户的servicePrincipalName作为的EndpointAddress服务器的身份。如果服务器在用户帐户下运行,指定帐户的UserPrincipalName作为的EndpointAddress服务器的身份。}
由于这是自托管服务,我想我需要指定的UserPrincipalName,但无论我怎么努力为财产,它只是将无法正常工作。
- 域\用户名
- 域名@用户名
- 主机/本地主机
- 主机/ HVW-SVR-01
- ...等
尝试着用不同的用户帐户藏汉,包括内置的管理员。如果我尝试basicHttpBinding的,而不是WsHttpBinding的一切都将按预期。我读吨关于谷歌(和计算器)这个问题的文章,但我还是不明白是什么问题以及如何指定的身份。
编辑:服务的app.config
< system.serviceModel>
<服务>
<服务名称=SIT.Communication.Gate>
<主机>
< baseAddresses>
<新增baseAddress =HTTP://本地主机:2323 / SIT/>
< / baseAddresses>
< /主机>
<端点地址=绑定=的wsHttpBinding合同=SIT.Core.IGate>
<身份>
< DNS值=本地主机/>
<通过UserPrincipalName值=XZDom \ DGrain/>
< /身分>
< /端点>
<端点地址=MEX绑定=mexHttpBinding合同=IMetadataExchange接口/>
< /服务>
< /服务>
<行为>
< serviceBehaviors>
<行为>
< serviceMetadata httpGetEnabled =真/>
< serviceDebug includeExceptionDetailInFaults =真/>
< /行为>
< / serviceBehaviors>
< /行为>
编辑:客户本身基本上是这样code片段
的ChannelFactory< IGATE> sitFactory =新的ChannelFactory< IGATE>(新的WSHttpBinding(),新的EndpointAddress(HTTP:// HVW-SVR-01:2323 / SIT)); IGATE sitProxy = sitFactory.CreateChannel(); 布尔乒乓= sitProxy.Ping(); < ------抛出异常
要启用协商过程以选择Kerberos网络身份验证协议,客户端应用程序必须提供SPN,用户主体名称(UPN),或NetBIOS帐户名作为目标名称。如果客户应用不提供目标名称,协商过程中不能使用Kerberos协议。如果在协商过程不能使用Kerberos协议,协商过程选择NTLM协议。
在跨域,Kerberos的已被使用。由于服务正在运行作为本地系统帐户,一个SPN的身份,必须在客户端为目标名称中使用。
有关更多情报,请阅读 http://support.microsoft.com/kb/929650
希望这有助于!
I've got a fairly simple WCF self-hosted service using the WSHttpBinding that just refuses to work. If service and client runs on the same machine there's no problem, but as soon as I move the service to the window-server 2008 the client fails the communication attempts with
EXCEPTION
[System.ServiceModel.Security.SecurityNegotiationException] {"SOAP security negotiation with 'http://hvw-svr-01/SIT' for target 'http://hvw-svr-01/SIT' failed. See inner exception for more details."}
INNER EXCEPTION
[System.ComponentModel.Win32Exception] {"The Security Support Provider Interface (SSPI) negotiation failed. The server may not be running in an account with identity 'host/hvw-svr-01'. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server."}
Since it's a self-hosted service I suppose I need to specify the UserPrincipalName, but no matter what I try for that property it just won't work.
- domain\username
- domain@username
- host/localhost
- host/hvw-svr-01
- ... and so on
Tried it with different user accounts aswell, including the built-in Administrator. If I try BasicHttpBinding instead of WSHttpBinding everything works as expected. I read tons of articles about that problem on google (and stackoverflow) but I still cannot figure what the problem is and how to specify that identity.
Edit: Service App.Config
<system.serviceModel>
<services>
<service name="SIT.Communication.Gate">
<host>
<baseAddresses>
<add baseAddress="http://localhost:2323/SIT" />
</baseAddresses>
</host>
<endpoint address="" binding="wsHttpBinding" contract="SIT.Core.IGate">
<identity>
<dns value="localhost"/>
<userPrincipalName value="XZDom\DGrain"/>
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="True"/>
<serviceDebug includeExceptionDetailInFaults="True" />
</behavior>
</serviceBehaviors>
</behaviors>
Edit: The Client itself is basically just this code fragment
ChannelFactory<IGate> sitFactory = new ChannelFactory<IGate>(new WSHttpBinding(), new EndpointAddress("http://hvw-svr-01:2323/SIT")); IGate sitProxy = sitFactory.CreateChannel(); bool pong = sitProxy.Ping(); <------ throws exception
To enable the Negotiate process to select the Kerberos protocol for network authentication, the client application must provide an SPN, a user principal name (UPN), or a NetBIOS account name as the target name. If the client application does not provide a target name, the Negotiate process cannot use the Kerberos protocol. If the Negotiate process cannot use the Kerberos protocol, the Negotiate process selects the NTLM protocol.
In cross-domain, kerberos has to be used. Since service is running as local system account, a SPN identity has to be used on the client side for the target name.
For more informaiton, read http://support.microsoft.com/kb/929650
Hope this helps!
这篇关于WCF WsHttpBinding的SOAP安全协商失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!