CredentialCache.DefaultCredentials 不尊重带有 dotnet core 2.2 的 IIS 应用程序池凭据 [英] CredentialCache.DefaultCredentials isn't respecting IIS App Pool Credentials with dotnet core 2.2
问题描述
我需要从作为 ServiceAccountA 运行的 WebServiceA 向 WebServiceB 发出 Web 请求,并使用 NTLM 对其进行身份验证.这两个 Web 服务都是托管在 IIS 中的 dotnet core 2.2 API.ServiceAccountA 是在 IIS 应用程序池上设置的服务帐户.澄清一下,我不是在模仿.
我正在使用 RestSharp 库来发出 HttpClient 请求.
参见 NTLM 身份验证器:
I need to make a web request from WebServiceA running as ServiceAccountA to WebServiceB and have it authenticate using NTLM. Both web services are dotnet core 2.2 APIs hosted in IIS. ServiceAccountA is the service account set on the IIS App Pool. Just to be clear, I am NOT doing impersonation.
I'm using the RestSharp library to make HttpClient requests.
See NTLM Authenticator: https://github.com/restsharp/RestSharp/blob/master/RestSharp/Authenticators/NtlmAuthenticator.cs
The NTLM Authenticator with RestSharp uses System.Net.CredentialCache.DefaultCredentials. This works locally but after I deploy a dotnet core 2.2 web api to a windows server and host the app in IIS (in process) CredentialCache.DefaultCredentials is no longer working as expected. The WebServiceB is returning a 401.1 and when I check the IIS logs a service account is not being passed along after the challenge request.
I have tried using System.Net.CredentialCache.DefaultNetworkCredentials but I get the same issue. I confirmed that WebServiceB is working correctly with windows auth by hitting the service directly via a web browser and it authenticates my personal windows identity just fine.
I can see in task manager that the IIS worker process is indeed running as the correct Service Account. Is there a better or different way to pull the ICredentials object from the current running process?
To help people who have similar problem. I would like to post the answer here.
When you failed to authenticate NTLM with CredentialCache.DefaultCredentials. You could try to disable DisableLoopbackCheck.
1.Go to registry key HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa
2.Create a REG_DWORD(32-bit) named DisableLoopbackCheck=1
3.Please reboot the server to make it work.
这篇关于CredentialCache.DefaultCredentials 不尊重带有 dotnet core 2.2 的 IIS 应用程序池凭据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
