Sharepoint 2007 NTLM issue with ASP.NET Web App hosted on Sharepoint server

Problem description

I'm hosting an ASP.NET web application on a Sharepoint 2007 box, which makes a web service call to Sharepoint to retrieve a document location (specifically, the GetListItems method).

The service is consumed with passed credentials of a valid Sharepoint account with appropriate permissions.

ListServiceWrapper listService = new ListServiceWrapper();

/*Pass credentials to service call object*/
listService.Credentials = new NetworkCredential(spUserName, spPassword, spDomain);

/*Set the Url property of the service for the path to a subsite.*/
listService.Url = ConfigurationManager.AppSettings.Get("rootSite") + "/_vti_bin/lists.asmx";

When the web app is run locally on my development box (I'm a Sharepoint user on the same domain), the service call works great. When deployed to the Sharepoint box, the application returns:

The request failed with HTTP status 401: Unauthorized.

We've tried to change the App Pool user of the web app on the Sharepoint box to an authorized Sharepoint user, but still haven't had any luck. I figure if we changed the Sharepoint authentication to Kerberos instead of NTLM, it would solve the issue. Unfortunately that isn't an option here. This possibly has something to do with the NTLM double-hop issue?

Recommended answer

Yes, this is related to the double hop issue.
In NTLM, you are not allowed to authenticate to remote services. As you said, you'll need Kerberos to delegate credentials to other services.

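Options you can try:

  • Switch to Kerberos. This is the only real solution, but it isn't easy, because you have to create all the SPNs and make sure port 88 is open.
  • Install the ASP.NET application on the SharePoint box and activate DisableLoopbackCheck.
  • Log in to SharePoint using a service account. In this case SharePoint won't run under the user's account, so you have to handle security yourself.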
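
A diagnostic for the second option, added here as an example and not part of the original answer: it reports whether the site URL points back at the local machine under a name other than the computer name, and whether the loopback check is off globally (`DisableLoopbackCheck`) or the name is exempted individually (`BackConnectionHostNames`, the narrower setting that keeps reflection protection for every other name). The class name is an assumption; the two registry values are the standard ones under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Sockets;
using Microsoft.Win32;
// Added diagnostic, not code from the original post; the class name is hypothetical.
static class LoopbackCheckDiagnostic
{
    const string LsaKey = @"SYSTEM\CurrentControlSet\Control\Lsa";

    // True when host resolves to an address owned by this machine.
    public static bool ResolvesToLocalMachine(string host)
    {
        try
        {
            IPAddress[] local = Dns.GetHostAddresses(Dns.GetHostName());
            return Dns.GetHostAddresses(host).Any(a => IPAddress.IsLoopback(a) || local.Contains(a));
        }
        catch (SocketException) { return false; } // name does not resolve
    }

    // True when DisableLoopbackCheck = 1 (check switched off for every host name).
    public static bool LoopbackCheckDisabled()
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(LsaKey))
            return key != null && object.Equals(key.GetValue("DisableLoopbackCheck"), 1);
    }

    // True when host is listed in BackConnectionHostNames (exemption for that name only).
    public static bool HostIsExempt(string host)
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(LsaKey + @"\MSV1_0"))
        {
            string[] names = key == null ? null : key.GetValue("BackConnectionHostNames") as string[];
            return names != null && names.Contains(host, StringComparer.OrdinalIgnoreCase);
        }
    }

    static void Main(string[] args)
    {
        // Defaults to this machine's name; pass the real rootSite URL as the first argument.
        string host = new Uri(args.Length > 0 ? args[0] : "http://" + Environment.MachineName).Host;
        bool local = ResolvesToLocalMachine(host);
        bool isMachineName = host.Equals(Environment.MachineName, StringComparison.OrdinalIgnoreCase);
        bool disabled = LoopbackCheckDisabled(), exempt = HostIsExempt(host);
        Console.WriteLine("{0}: local={1} machineName={2} disabled={3} exempt={4}", host, local, isMachineName, disabled, exempt);
        if (local && !isMachineName && !disabled && !exempt)
            Console.WriteLine("Loopback check applies: expect NTLM to this name from this box to fail with 401.");
    }
}
```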
