使用客户端身份验证方案"Ntlm"对HTTP请求进行了未授权.从服务器收到的身份验证标头为"NTLM" [英] The HTTP request is unauthorized with client authentication scheme 'Ntlm' The authentication header received from the server was 'NTLM'

问题描述

我知道在SO上有很多与此类似的问题，但我找不到针对此特定问题的一个问题.

I know there's a lot of questions on SO similar to this, but I couldn't find one for this particular issue.

首先要注意几点:

• 我无法控制我们的Sharepoint服务器.我无法调整任何IIS设置.
• 我相信我们的IIS服务器版本是IIS 7.0.
• 我们的Sharepoint服务器正在通过NTLM预期请求.
• 我们的Sharepoint服务器与我的客户端计算机位于同一域中.
• 我正在使用.NET Framework 3.5，Visual Studio 2008

• I have no control over our Sharepoint server. I cannot tweak any IIS settings.
• I believe our IIS server version is IIS 7.0.
• Our Sharepoint Server is anticipating requests via NTLM.
• Our Sharepoint Server is on the same domain as my client computer.
• I am using .NET Framework 3.5, Visual Studio 2008

我正在尝试编写一个简单的控制台应用程序，以使用Sharepoint Web服务来操纵Sharepoint数据.我已经添加了服务参考，以下是我的app.config:

I am trying to write a simple console app to manipulate Sharepoint data using Sharepoint Web Services. I have added the Service Reference, and the following is my app.config:

<system.serviceModel>
    <bindings>
        <basicHttpBinding>
            <binding name="ListsSoap" closeTimeout="00:01:00" openTimeout="00:01:00"
                receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
                bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
                useDefaultWebProxy="true">
                <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                    maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                <security mode="Transport">
                    <transport clientCredentialType="Ntlm" proxyCredentialType="Ntlm" />
                </security>
            </binding>
        </basicHttpBinding>
    </bindings>
    <client>
        <endpoint address="https://subdomain.companysite.com/subsite/_vti_bin/Lists.asmx"
            binding="basicHttpBinding" bindingConfiguration="ListsSoap"
            contract="ServiceReference1.ListsSoap" name="ListsSoap" />
    </client>
</system.serviceModel>

这是我的代码:

static void Main(string[] args)
{
    using (var client = new ListsSoapClient())
    {
        client.ClientCredentials.Windows.ClientCredential = new NetworkCredential("username", "password", "domain");
        client.GetListCollection();
    }
}

当我调用GetListCollection()时，抛出以下 MessageSecurityException :

When I call GetListCollection(), the following MessageSecurityException gets thrown:

The HTTP request is unauthorized with client authentication scheme 'Ntlm'.
The authentication header received from the server was 'NTLM'.

带有内部WebException:

With an inner WebException:

"The remote server returned an error: (401) Unauthorized."

我尝试了各种绑定和各种代码调整，以尝试正确进行身份验证，但无济于事.我将在下面列出.

I've tried various bindings and various code tweaks to try to authenticate properly, but to no avail. I'll list those below.

在创建客户端之前使用本机Win32模拟器

using (new Impersonator.Impersonator("username", "password", "domain"))
using (var client = new ListsSoapClient())
{
    client.ClientCredentials.Windows.ClientCredential = new NetworkCredential("dpincas", "password", "domain");
    client.GetListCollection();
}

这会产生相同的错误消息.

This produced the same error message.

为我的客户凭据设置TokenImpersonationLevel

using (var client = new ListsSoapClient())
{
    client.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
    client.GetListCollection();
}

这会产生相同的错误消息.

This produced the same error message.

使用安全模式=仅传输凭据

<security mode="TransportCredentialOnly">
    <transport clientCredentialType="Ntlm" />
</security>

这导致了不同的错误消息:

This resulted in a different error message:

The provided URI scheme 'https' is invalid; expected 'http'.
Parameter name: via

但是，我需要使用https，所以我无法更改URI方案.

However, I need to use https, so I cannot change my URI scheme.

我尝试了一些其他我不记得的组合，但是我会在发布时发布它们.我真的很机智.我在Google上看到很多链接，上面写着切换到Kerberos"，但是我的服务器似乎只接受NTLM，而不是"Negotiate"(就好像它正在寻找Kerberos一样)，因此很遗憾，这不是一个选择

I've tried some other combinations that I can't remember, but I'll post them when I do. I'm really at wits end here. I see a lot of links on Google that say "switch to Kerberos", but my server seems to only be accepting NTLM, not "Negotiate" (as it would say if it was looking for Kerberos), so that is unfortunately not an option.

伙计们，那里有帮助吗?

Any help out there, folks?

推荐答案

经过反复的尝试，然后停滞了一段时间，而我等待机会与我们的服务器人员交谈，我终于有机会讨论了他们的问题，问他们是否不介意将我们的Sharepoint身份验证切换到Kerberos.

After a lot of trial and error, followed by a stagnant period while I waited for an opportunity to speak with our server guys, I finally had a chance to discuss the problem with them and asked them if they wouldn't mind switching our Sharepoint authentication over to Kerberos.

令我惊讶的是，他们说这不是问题，实际上很容易做到. 他们启用了Kerberos ，我按如下所示修改了我的app.config:

To my surprise, they said this wouldn't be a problem and was in fact easy to do. They enabled Kerberos and I modified my app.config as follows:

<security mode="Transport">
    <transport clientCredentialType="Windows" />
</security>

作为参考，我在app.config中的完整serviceModel条目如下所示:

For reference, my full serviceModel entry in my app.config looks like this:

<system.serviceModel>
    <bindings>
        <basicHttpBinding>
            <binding name="TestServerReference" closeTimeout="00:01:00" openTimeout="00:01:00"
             receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
             bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
             maxBufferSize="2000000" maxBufferPoolSize="2000000" maxReceivedMessageSize="2000000"
             messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
             useDefaultWebProxy="true">
                <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                 maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                <security mode="Transport">
                    <transport clientCredentialType="Windows" />
                </security>
            </binding>
        </basicHttpBinding>
    </bindings>
    <client>
        <endpoint address="https://path/to/site/_vti_bin/Lists.asmx"
         binding="basicHttpBinding" bindingConfiguration="TestServerReference"
         contract="TestServerReference.ListsSoap" name="TestServerReference" />
    </client>
</system.serviceModel>

在此之后，一切都变得像魅力.现在，我可以(终于！)利用Sharepoint Web服务.因此，如果其他任何人都无法使他们的Sharepoint Web服务与NTLM一起使用，请查看您是否可以说服系统管理员切换到Kerberos.

After this, everything worked like a charm. I can now (finally!) utilize Sharepoint Web Services. So, if anyone else out there can't get their Sharepoint Web Services to work with NTLM, see if you can convince the sysadmins to switch over to Kerberos.

这篇关于使用客户端身份验证方案"Ntlm"对HTTP请求进行了未授权.从服务器收到的身份验证标头为"NTLM"的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！