WCF WsHttpBinding的SOAP安全协商失败 [英] WCF WSHttpBinding SOAP Security Negotiation Failed

问题描述

我已经使用，只是拒绝工作的WSHttpBinding得到了一个相当简单的WCF自承载服务。如果服务和客户端在同一台机器上运行没有任何问题，但只要我移动服务窗口服务器2008年客户端与失败的通信尝试

  

例外

     

[System.ServiceModel.Security.SecurityNegotiationException] {SOAP安全协商以http：// HVW-SVR-01 / SIT'为目标'的http：// HVW-SVR-01 / SIT'失败，请参阅内部。除了更多的细节。}

     

内部异常

     

[System.ComponentModel.Win32Exception] {安全支持提供程序接口（SSPI）协商失败，该服务器不能运行在一个账户身份主机/ HVW-SVR-01'，如果服务器在运行服务帐户（网络服务为例），指定帐户的servicePrincipalName作为的EndpointAddress服务器的身份。如果服务器在用户帐户下运行，指定帐户的UserPrincipalName作为的EndpointAddress服务器的身份。}

由于这是自托管服务，我想我需要指定的UserPrincipalName，但无论我怎么努力为财产，它只是将无法正常工作。

• 域\用户名
• 域名@用户名
• 主机/本地主机
• 主机/ HVW-SVR-01
• ...等

尝试着用不同的用户帐户藏汉，包括内置的管理员。如果我尝试basicHttpBinding的，而不是WsHttpBinding的一切都将按预期。我读吨关于谷歌（和计算器）这个问题的文章，但我还是不明白是什么问题以及如何指定的身份。

编辑：服务的app.config

 ＆LT; system.serviceModel＆GT;
  ＆LT;服务＆GT;
     ＆LT;服务名称=SIT.Communication.Gate＆GT;
        ＆LT;主机＆GT;
           ＆LT; baseAddresses＆GT;
              ＆LT;新增baseAddress =HTTP：//本地主机：2323 / SIT/＆GT;
           ＆LT; / baseAddresses＆GT;
        ＆LT; /主机＆GT;
        ＆LT;端点地址=绑定=的wsHttpBinding合同=SIT.Core.IGate＆GT;
           ＆LT;身份＆GT;
              ＆LT; D​​NS值=本地主机/＆GT;
              ＆LT;通过UserPrincipalName值=XZDom \ DGrain/＆GT;
           ＆LT; /身分＆GT;
        ＆LT; /端点＆GT;
        ＆LT;端点地址=MEX绑定=mexHttpBinding合同=IMetadataExchange接口/＆GT;
     ＆LT; /服务＆GT;
  ＆LT; /服务＆GT;
  ＆LT;行为＆GT;
     ＆LT; serviceBehaviors＆GT;
        ＆LT;行为＆GT;
           ＆LT; serviceMetadata httpGetEnabled =真/＆GT;
           ＆LT; serviceDebug includeExceptionDetailInFaults =真/＆GT;
        ＆LT; /行为＆GT;
     ＆LT; / serviceBehaviors＆GT;
  ＆LT; /行为＆GT;
 

编辑：客户本身基本上是这样code片段

 的ChannelFactory＆LT; IGATE＆GT; sitFactory =新的ChannelFactory＆LT; IGATE＆GT;（新的WSHttpBinding（），新的EndpointAddress（HTTP：// HVW-SVR-01：2323 / SIT））;
        IGATE sitProxy = sitFactory.CreateChannel（）;
        布尔乒乓= sitProxy.Ping（）; ＆LT; ------抛出异常
 

解决方案

要启用协商过程以选择Kerberos网络身份验证协议，客户端应用程序必须提供SPN，用户主体名称（UPN），或NetBIOS帐户名作为目标名称。如果客户应用不提供目标名称，协商过程中不能使用Kerberos协议。如果在协商过程不能使用Kerberos协议，协商过程选择NTLM协议。

在跨域，Kerberos的已被使用。由于服务正在运行作为本地系统帐户，一个SPN的身份，必须在客户端为目标名称中使用。

有关更多情报，请阅读 http://support.microsoft.com/kb/929650

希望这有助于！

I've got a fairly simple WCF self-hosted service using the WSHttpBinding that just refuses to work. If service and client runs on the same machine there's no problem, but as soon as I move the service to the window-server 2008 the client fails the communication attempts with

EXCEPTION

[System.ServiceModel.Security.SecurityNegotiationException] {"SOAP security negotiation with 'http://hvw-svr-01/SIT' for target 'http://hvw-svr-01/SIT' failed. See inner exception for more details."}

INNER EXCEPTION

[System.ComponentModel.Win32Exception] {"The Security Support Provider Interface (SSPI) negotiation failed. The server may not be running in an account with identity 'host/hvw-svr-01'. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server."}

Since it's a self-hosted service I suppose I need to specify the UserPrincipalName, but no matter what I try for that property it just won't work.

• domain\username
• domain@username
• host/localhost
• host/hvw-svr-01
• ... and so on

Tried it with different user accounts aswell, including the built-in Administrator. If I try BasicHttpBinding instead of WSHttpBinding everything works as expected. I read tons of articles about that problem on google (and stackoverflow) but I still cannot figure what the problem is and how to specify that identity.

Edit: Service App.Config

   <system.serviceModel>
  <services>
     <service name="SIT.Communication.Gate">
        <host>
           <baseAddresses>
              <add baseAddress="http://localhost:2323/SIT" />
           </baseAddresses>
        </host>
        <endpoint address="" binding="wsHttpBinding" contract="SIT.Core.IGate">
           <identity>
              <dns value="localhost"/>
              <userPrincipalName value="XZDom\DGrain"/>
           </identity>
        </endpoint>
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
     </service>
  </services>
  <behaviors>
     <serviceBehaviors>
        <behavior>
           <serviceMetadata httpGetEnabled="True"/>
           <serviceDebug includeExceptionDetailInFaults="True" />
        </behavior>
     </serviceBehaviors>
  </behaviors>

Edit: The Client itself is basically just this code fragment

        ChannelFactory<IGate> sitFactory = new ChannelFactory<IGate>(new WSHttpBinding(), new EndpointAddress("http://hvw-svr-01:2323/SIT"));
        IGate sitProxy = sitFactory.CreateChannel();
        bool pong = sitProxy.Ping(); <------ throws exception

解决方案

To enable the Negotiate process to select the Kerberos protocol for network authentication, the client application must provide an SPN, a user principal name (UPN), or a NetBIOS account name as the target name. If the client application does not provide a target name, the Negotiate process cannot use the Kerberos protocol. If the Negotiate process cannot use the Kerberos protocol, the Negotiate process selects the NTLM protocol.

In cross-domain, kerberos has to be used. Since service is running as local system account, a SPN identity has to be used on the client side for the target name.

For more informaiton, read http://support.microsoft.com/kb/929650

Hope this helps!

这篇关于WCF WsHttpBinding的SOAP安全协商失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！