HTTP请求是未经授权的客户端身份验证方案“NTLM”。从服务器接收的身份验证标头是“协商，NTLM” [英] The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'Negotiate,NTLM'

问题描述

我已经通过一吨左右的文章，甚至其他的网站看了看，但似乎无法得到这种服务的工作。我有一个SOAP服务我想击中，它的配置是这样的：

I've looked through a ton of SO articles, and even other sites, but can't seem to get this service working. I have a SOAP service I'm trying to hit and it's configured like this:

<system.serviceModel>
    <bindings>
        <basicHttpBinding>
        <binding name="PROVIDERSSoapBinding">
            <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Ntlm" proxyCredentialType="None" realm="" />
            </security>
        </binding>
        </basicHttpBinding>
    </bindings>
    <client>
        <endpoint address="http://xxx.xx.xx.xxx:9011/provider/services/PROVIDERS"
            binding="basicHttpBinding" bindingConfiguration="PROVIDERSSoapBinding"
            contract="ServiceReference1.ProviderRemote" name="PROVIDERS" />
    </client>
</system.serviceModel>

不过，我从我的控制台应用程序打，当它收到以下错误

  

HTTP请求是未经授权的客户端身份验证方案NTLM。从服务器接收的身份验证标头是协商，NTLM。

The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'Negotiate,NTLM'.

有人可以帮我吗？

推荐答案

您可以通过使用 wftech ，这是一个古老的工具，但我发现它在诊断认证问题非常有用。 wfetch允许你指定NTLM，协商和Kerberos，这很可能帮助你更好地理解你的问题。当你试图调用服务和wfetch一无所知WCF，我建议将您的端点绑定（PROVIDERSSoapBinding）到的 serviceMetadata 的，那么你可以做的WSDL的HTTP GET具有相同的安全设置的服务。

You can eliminate the client from the problem by using wftech, this is an old tool but I have found it useful in diagnosing authentication issues. wfetch allows you to specify NTLM, Negotiate and kerberos, this may well help you better understand your problem. As you are trying to call a service and wfetch knows nothing about WCF, I would suggest applying your endpoint binding (PROVIDERSSoapBinding) to the serviceMetadata then you can do an HTTP GET of the WSDL for the service with the same security settings.

另一种选择，它可以提供给你的是通过编辑元数据库（IIS 6），并删除协商设置，在的http://support.microsoft.com/kb/215383 。

Another option, which may be available to you is to force the server to use NTLM, you can do this by either editing the metabase (IIS 6) and removing the Negotiate setting, more details at http://support.microsoft.com/kb/215383.

如果您使用的是IIS 7.x的那么的做法略有不同，如何配置身份验证提供者是这里<一个细节href="http://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication">http://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication.

If you are using IIS 7.x then the approach is slightly different, details of how to configure the authentication providers are here http://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication.

我注意到你已经封锁了与xxx.xx.xx.xxx服务器地址，所以我猜，这是一个IP地址，而不是服务器名称，这可能会导致问题的认证，因此，如果可能的尝试针对机器名。

I notice that you have blocked out the server address with xxx.xx.xx.xxx, so I'm guessing that this is an IP address rather than a server name, this may cause issues with authentication, so if possible try targeting the machine name.

对不起，我没有给你答案，而是指针越来越接近这个问题，但我希望它能帮助。

Sorry that I haven't given you the answer but rather pointers for getting closer to the issue, but I hope it helps.

我会说，我都经历过同样的问题，我唯一的办法是使用Kerberos而不是NTLM，不要忘了，你需要注册一个SPN的服务，如果你沿着这条路走下去完成。

I'll finish by saying that I have experienced this same issue and my only recourse was to use Kerberos rather than NTLM, don't forget you'll need to register an SPN for the service if you do go down this route.

这篇关于HTTP请求是未经授权的客户端身份验证方案“NTLM”。从服务器接收的身份验证标头是“协商，NTLM”的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！