401错误后,使用C#的Dynamics导航Web服务调用成功 [英] Dynamics NAV Web Service Call with C# succeeds after 401 errors
问题描述
我遇到一些奇怪的行为(这意味着我不了解发生了什么),并且如果可能的话,我希望获得一些帮助.
I'm experiencing some odd behaviour (meaning I don't understand what's happening) and I'd like some help fixing it if possible.
我们有一些Dynamics 365 NAV商业中心Web服务公开了带有SSL证书的安全性,我们正在使用某些标准C#代码进行访问.
We have some Dynamics 365 NAV Business Central web services exposed an secure with an SSL ceritificate, which we're accessing using some standard C# code.
我们已经将SOAP代理添加到ASP .NET Webforms应用程序中,并且一切正常.
We've added the SOAP proxy to an ASP .NET Webforms application and this is all working as expected.
然后,我们声明Web服务的实例,使用新的NetworkCredential实例设置凭据,并将Web服务设置为使用PreAuthenticate,然后在我们的服务上调用方法.
We then declare an instance of the web service, set the credentials using a new NetworkCredential instance, and set the web service to use PreAuthenticate, then call the method on our service.
public static bool CheckServiceStatus()
{
bool returnValue = false;
try
{
svcWebServiceServer webService = new svcWebServiceServer();
webService.Credentials = new NetworkCredential(Globals.WebServiceUsername, Globals.WebServicePassword, Globals.WebServiceDomain);
webService.PreAuthenticate = true;
webService.FncServiceStatus(ref returnValue);
}
catch (Exception ex)
{
LoggingFunctions.WriteMessageToDisk("CheckServiceStatus error : " + ex.Message);
}
return returnValue;
}
当我们在Fiddler中查看此日志时,会发现该服务被调用了两次.第一次调用时,我们收到401错误,提示我们必须使用NTLM,然后使用更长的NTLM密钥进行第二次调用,调用成功,我们得到了数据...
When we look at the logs for this in Fiddler, we se that the service is called twice. The first time the call is made, we get a 401 error which responds telling us we must use NTLM, the second call is then made with a longer NTLM key and the call succeeds and we get our data...
第一次尝试...
第二次尝试...
有人可以告诉我如何进行Web服务调用,以便首次进行身份验证吗?401s被作为DDOS风格的攻击被捕获,然后流量被阻止.
Can anyone tell me how to make the web service call so it authenticates first time? The 401s are being picked up as a DDOS style attack and then traffic is being blocked.
我尝试过更改凭据的传递方式,但这没什么关系...
I have tried changing the way the credentials are passed, but this has made no difference...
public static bool CheckServiceStatus()
{
bool returnValue = false;
try
{
svcWebServiceServer webService = new svcWebServiceServer();
CredentialCache credCache = new CredentialCache();
credCache.Add(new Uri(webService.Url), "NTLM", new NetworkCredential(Globals.WebServiceUsername, Globals.WebServicePassword, Globals.WebServiceDomain));
webService.Credentials = credCache;
webService.PreAuthenticate = true;
webService.FncServiceStatus(ref returnValue);
}
catch (Exception ex)
{
LoggingFunctions.WriteMessageToDisk("CheckServiceStatus error : " + ex.Message);
}
return returnValue;
}
推荐答案
As per this article - https://docs.microsoft.com/en-gb/archive/blogs/chiranth/ntlm-want-to-know-how-it-works - NTLM works in a challenge response manner.
第一次调用Web服务(即使您在credentialCache对象中指定了NTLM),似乎第一次请求是匿名发送的.
The first time the web service is called (even if you specify NTLM in a credentialCache object), it seems as though the first request is sent anonymously.
然后,服务器以401和一些WWW-Authenticate标头响应,该标头指定该服务需要通过NTLM进行身份验证的详细信息.这是第一个401.
The server then responds with a 401, and some WWW-Authenticate headers specifying that the service requires authentication details via NTLM. This is the first 401.
然后,客户端(C#应用程序)发送一个新请求,该请求包括NTLM标头,该标头包含代表用户名,计算机名和域的编码值.
The client (C# application) then sends a new request that includes the NTLM header which includes an encoded value representing the Username, computername and domain.
服务器将请求传递到身份验证服务器,该服务器会生成质询,并在另一个401响应中将其发送回客户端.这是第二个401.
The server passes the request on to the authenticating server which generates a challenge and this is sent back to the client, in another 401 response. This is the second 401.
一旦客户端接收到质询,它将根据质询和密码计算一个哈希值,然后将其发送回Web服务.身份验证服务器将此哈希与自己的哈希进行比较,并且-只要凭据正确,就通过身份验证,并返回200响应以及客户端最初进行的Web服务调用的结果.
Once the challenge is received by the client, it calculates a hash value based on the challenge and the password, which is sent back to the web service. The authenticating server compares this hash with its own hash, and - so long as the credentials are correct - passes authentication, and a 200 response is returned, along with the results of the web service call the client made initially.
当我们在代码中添加PreAuthenticate = true时,我们只需绕过第一步就直接传递NTLM用户名,计算机名和域.这样会将401的数量从2个减少到1个.
When we add PreAuthenticate = true to our code, we simply pass the NTLM username, computername and domain up front, bypassing the first step. This reduces the number of 401s from 2 to 1.
我并没有声称自己是认证领域的专家,但是在阅读了上面链接的页面并进行了一些测试之后,我们发现了这一点.如果有人想评论/纠正我,请随时.
I do not claim to be an expert in the field of authentication, but after reading the page linked above and carrying out a number of tests, this is what we have found. If anyone would like to comment/correct me, please feel free.
出于完整性考虑,我们已开始调查"UserName"Dynamics 265设置中的身份验证方法可访问Dynamics NAV 2018 Web服务,该身份验证将此身份验证传递到Dynamics NAV 365的控件,这意味着我们不会收到401s.但是,由于使用Digest,我们现在无法在浏览器中访问Web服务,并且我们似乎无法通过浏览器进行身份验证,并收到400个错误.
For completeness, we have started to investigate the "UserName" authentication method in the Dynamics 265 setup to access Dynamics NAV 2018 web services, which pass this authentication to the control to Dynamics NAV 365, which means we get no 401s. However, we are now unable to access the webservices in a browser as this uses Digest, and we seem to be unable to authenticate with the browser, and get 400 errors.
这篇关于401错误后,使用C#的Dynamics导航Web服务调用成功的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
