Apache NTLM Auth from C# client does not work with self-defined NetworkCredentials


Question

I have an Office plugin that connects to a service using HttpWebRequest.

Inside a domain I pass CredentialCache.DefaultNetworkCredentials, so all is fine. Outside a domain a user needs to provide username, domain and password. This doesn't work atm.

Part of the code:

CookieContainer cookies = new CookieContainer();

HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
request.Method = WebRequestMethods.Http.Post;
request.AllowAutoRedirect = true;
request.CookieContainer = cookies; // provide session cookie to handle redirects of login controller of the webservice

if (isWindowAuthentication) // isWindowAuthentication is set earlier by config
{
  if (Common.UserName.Length > 0)
  {
    string[] domainuser;
    string username;
    string domain;

    if (Common.UserName.Contains("@"))
    {
      domainuser = Common.UserName.Split('@');
      username = domainuser[0];
      domain = domainuser[1];
    }
    else
    {
      domainuser = Common.UserName.Split('\\');
      username = domainuser[1];
      domain = domainuser[0];
    }
    NetworkCredential nc = new NetworkCredential(username, Common.Password, domain);
    CredentialCache cache = new CredentialCache();
    cache.Add(request.RequestUri, "NTLM", nc);
    request.Credentials = cache;
  }
  else
  {
    request.Credentials = CredentialCache.DefaultNetworkCredentials;
  }
}

Later on I do the request request.GetResponse();. If I use CredentialCache.DefaultNetworkCredentials then everything works fine. The moment I switch to my own new NetworkCredential() part, the authentication fails.

I checked the logs of the Apache (it is Apache 2.2 using the SSPI mod). When it succeeds, the first request redirects to the login controller, then the login controller requests credentials. Passed and works (redirect to the target site).

Log 1 (works):

192.168.14.9 - - [25/Oct/2012:11:35:35 +0200] "POST /ror/ioi/start?document%5Bguid%5D=%7Be3d8f1de-10f2-4493-a0c0-97c2acb034e6%7D HTTP/1.1" 302 202
192.168.14.9 - - [25/Oct/2012:11:35:35 +0200] "GET /ror_auth/login?ror_referer=%2Fror%2Fioi%2Fstart%3Fdocument%255Bguid%255D%3D%257Be3d8f1de-10f2-4493-a0c0-97c2acb034e6%257D HTTP/1.1" 401 401
192.168.14.9 - - [25/Oct/2012:11:35:35 +0200] "GET /ror_auth/login?ror_referer=%2Fror%2Fioi%2Fstart%3Fdocument%255Bguid%255D%3D%257Be3d8f1de-10f2-4493-a0c0-97c2acb034e6%257D HTTP/1.1" 401 401
192.168.14.9 - rausch [25/Oct/2012:11:35:35 +0200] "GET /ror_auth/login?ror_referer=%2Fror%2Fioi%2Fstart%3Fdocument%255Bguid%255D%3D%257Be3d8f1de-10f2-4493-a0c0-97c2acb034e6%257D HTTP/1.1" 302 156

My own credentials result in this, Log 2 (does not work):

192.168.14.9 - - [25/Oct/2012:12:05:23 +0200] "POST /ror/ioi/start?document%5Bguid%5D=%7B6ac54e8a-19f1-4ccd-9684-8d864dd9ccf7%7D HTTP/1.1" 302 202
192.168.14.9 - - [25/Oct/2012:12:05:23 +0200] "GET /ror_auth/login?ror_referer=%2Fror%2Fioi%2Fstart%3Fdocument%255Bguid%255D%3D%257B6ac54e8a-19f1-4ccd-9684-8d864dd9ccf7%257D HTTP/1.1" 401 401

What I don't understand is that when I inspect e.g. CredentialCache.DefaultNetworkCredentials.UserName, it is empty.

Does anyone know what to do and how I have to set my own credentials correctly so that the authentication works as expected?

Recommended answer

Finally, after a lot of testing and investigation and many resources on Stack Overflow, I found out what is going on.

The problem seems to be that HttpWebRequest doesn't handle the authentication when parts of the website request credentials and some don't.

Background:

Our site has its own session management and redirects to a login controller when no valid session is available. Only this login controller is set to NTLM authentication.

We did this because we have a web site without NTLM auth at all (no 401, 302 request loops in IE!) and only validate once (and we handle authentication on a different URL to prevent the problem that IE stops posting data at non-authenticated sites => see http://support.microsoft.com/?id=251404).

Solution:

I normally sent a request to my target page and the web server redirected, authenticated and redirected back to the target. As HttpWebRequest doesn't handle this for any reason if I have my own credentials set (see the code of my question above), I changed the code to authenticate once against my login controller and store the session in a cookie container.

For all following requests I don't authenticate at all anymore. I add the cookie container and my server gets a valid session. So I don't have to authenticate anymore. A side effect is better performance this way.

Another tricky thing was that I not only use HttpWebRequest, I also use a webform control. Therefore I found the solution to add my own cookie session here: Use cookies from CookieContainer in WebBrowser (thanks to Aaron, who saved me a lot of trouble as well).
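
A sketch of the flow the answer describes (authenticate once against the login controller, then reuse the session cookie), added here as an example and not the poster's actual code. The host `server.example`, the class and method names, and the assumption that the login controller issues the session cookie are hypothetical; the paths are the ones visible in the Apache logs above.

```csharp
using System;
using System.Net;

static class SessionClient
{
    // Hypothetical base address; only the paths come from the logs on this page.
    static readonly Uri BaseUri = new Uri("https://server.example/");
    static readonly Uri LoginUri = new Uri(BaseUri, "ror_auth/login");

    // Accepts "user@domain" or "DOMAIN\user"; rejects anything else instead of indexing blindly.
    public static NetworkCredential Parse(string account, string password)
    {
        int at = account.IndexOf('@'), bs = account.IndexOf('\\');
        if (at > 0 && at < account.Length - 1)
            return new NetworkCredential(account.Substring(0, at), password, account.Substring(at + 1));
        if (bs > 0 && bs < account.Length - 1)
            return new NetworkCredential(account.Substring(bs + 1), password, account.Substring(0, bs));
        throw new FormatException("Expected user@domain or DOMAIN\\user.");
    }

    // Step 1: authenticate once against the login controller and keep the session cookie.
    public static CookieContainer Login(NetworkCredential credential)
    {
        var cookies = new CookieContainer();
        var cache = new CredentialCache();
        // CredentialCache looks entries up by URI prefix and auth type, so keying the
        // entry on the login URL offers the credential there and nowhere else.
        cache.Add(LoginUri, "NTLM", credential);
        var request = (HttpWebRequest)WebRequest.Create(LoginUri);
        request.CookieContainer = cookies;
        request.Credentials = cache;
        request.AllowAutoRedirect = false; // stop at the login controller's own response
        using (var response = (HttpWebResponse)request.GetResponse())
        {
            // Assumption: a successful login sets the session cookie on this response.
            if (cookies.GetCookies(LoginUri).Count == 0)
                throw new InvalidOperationException("No session cookie, status " + (int)response.StatusCode);
        }
        return cookies;
    }

    // Step 2: later requests carry only the session cookie, never the credential.
    public static HttpWebResponse Post(CookieContainer cookies, string relativePath)
    {
        var request = (HttpWebRequest)WebRequest.Create(new Uri(BaseUri, relativePath));
        request.Method = WebRequestMethods.Http.Post;
        request.ContentLength = 0;
        request.CookieContainer = cookies;
        return (HttpWebResponse)request.GetResponse();
    }
}
```

Assigning a bare NetworkCredential to request.Credentials instead of a scoped CredentialCache makes it available for every URL the request is redirected to, so the cache keyed on the login URL is the narrower choice.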
