The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'NTLM'

Problem description

I know there's a lot of questions on SO similar to this, but I couldn't find one for this particular issue.

A few points first:

  • I have no control over our Sharepoint server. I cannot tweak any IIS settings.
  • I believe our IIS server version is IIS 7.0.
  • Our Sharepoint Server is anticipating requests via NTLM.
  • Our Sharepoint Server is on the same domain as my client computer.
  • I am using .NET Framework 3.5, Visual Studio 2008

I am trying to write a simple console app to manipulate Sharepoint data using Sharepoint Web Services. I have added the Service Reference, and the following is my app.config:

<system.serviceModel>
    <bindings>
        <basicHttpBinding>
            <binding name="ListsSoap" closeTimeout="00:01:00" openTimeout="00:01:00"
                receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
                bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
                useDefaultWebProxy="true">
                <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                    maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                <security mode="Transport">
                    <transport clientCredentialType="Ntlm" proxyCredentialType="Ntlm" />
                </security>
            </binding>
        </basicHttpBinding>
    </bindings>
    <client>
        <endpoint address="https://subdomain.companysite.com/subsite/_vti_bin/Lists.asmx"
            binding="basicHttpBinding" bindingConfiguration="ListsSoap"
            contract="ServiceReference1.ListsSoap" name="ListsSoap" />
    </client>
</system.serviceModel>

Here is my code:

static void Main(string[] args)
{
    using (var client = new ListsSoapClient())
    {
        client.ClientCredentials.Windows.ClientCredential = new NetworkCredential("username", "password", "domain");
        client.GetListCollection();
    }
}

When I call GetListCollection(), the following MessageSecurityException gets thrown:

The HTTP request is unauthorized with client authentication scheme 'Ntlm'.
The authentication header received from the server was 'NTLM'.

With an inner WebException:

"The remote server returned an error: (401) Unauthorized."

I've tried various bindings and various code tweaks to try to authenticate properly, but to no avail. I'll list those below.

Using a native Win32 Impersonator before creating the client

using (new Impersonator.Impersonator("username", "password", "domain"))
using (var client = new ListsSoapClient())
{
    client.ClientCredentials.Windows.ClientCredential = new NetworkCredential("dpincas", "password", "domain");
    client.GetListCollection();
}

This produced the same error message.

Setting TokenImpersonationLevel for my client credentials

using (var client = new ListsSoapClient())
{
    client.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
    client.GetListCollection();
}

This produced the same error message.

Using security mode=TransportCredentialOnly

<security mode="TransportCredentialOnly">
    <transport clientCredentialType="Ntlm" />
</security>

This resulted in a different error message:

The provided URI scheme 'https' is invalid; expected 'http'.
Parameter name: via

However, I need to use https, so I cannot change my URI scheme.

I've tried some other combinations that I can't remember, but I'll post them when I do. I'm really at my wits' end here. I see a lot of links on Google that say "switch to Kerberos", but my server seems to only be accepting NTLM, not "Negotiate" (as it would say if it was looking for Kerberos), so that is unfortunately not an option.

Any help out there, folks?

Recommended answer

After a lot of trial and error, followed by a stagnant period while I waited for an opportunity to speak with our server guys, I finally had a chance to discuss the problem with them and asked them if they wouldn't mind switching our Sharepoint authentication over to Kerberos.

To my surprise, they said this wouldn't be a problem and was in fact easy to do. They enabled Kerberos and I modified my app.config as follows:

<security mode="Transport">
    <transport clientCredentialType="Windows" />
</security>

For reference, my full serviceModel entry in my app.config looks like this:

<system.serviceModel>
    <bindings>
        <basicHttpBinding>
            <binding name="TestServerReference" closeTimeout="00:01:00" openTimeout="00:01:00"
             receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
             bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
             maxBufferSize="2000000" maxBufferPoolSize="2000000" maxReceivedMessageSize="2000000"
             messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
             useDefaultWebProxy="true">
                <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                 maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                <security mode="Transport">
                    <transport clientCredentialType="Windows" />
                </security>
            </binding>
        </basicHttpBinding>
    </bindings>
    <client>
        <endpoint address="https://path/to/site/_vti_bin/Lists.asmx"
         binding="basicHttpBinding" bindingConfiguration="TestServerReference"
         contract="TestServerReference.ListsSoap" name="TestServerReference" />
    </client>
</system.serviceModel>

After this, everything worked like a charm. I can now (finally!) utilize Sharepoint Web Services. So, if anyone else out there can't get their Sharepoint Web Services to work with NTLM, see if you can convince the sysadmins to switch over to Kerberos.
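
The question infers from the error text that the server offers only NTLM and not Negotiate, and the answer changes what the server offers. The following added diagnostic, which is not part of the original question or answer, reads the `WWW-Authenticate` headers of the server's 401 challenge directly so the offered schemes can be confirmed before and after such a change. The class and method names are illustrative, and the endpoint URL is supplied as the first command-line argument.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
// Added example; AuthSchemeProbe, ParseSchemes and Probe are illustrative names.
static class AuthSchemeProbe
{
    // Pulls the scheme token ("NTLM", "Negotiate", ...) out of each WWW-Authenticate value.
    public static List<string> ParseSchemes(string[] headerValues)
    {
        var schemes = new List<string>();
        if (headerValues == null) return schemes;
        foreach (string value in headerValues)
        {
            string trimmed = value.Trim();
            if (trimmed.Length == 0) continue;
            int end = trimmed.IndexOfAny(new[] { ' ', '\t' });
            string scheme = end < 0 ? trimmed : trimmed.Substring(0, end);
            // A fragment such as nonce="..." is a parameter split off a longer challenge.
            if (scheme.IndexOf('=') >= 0) continue;
            if (!schemes.Contains(scheme)) schemes.Add(scheme);
        }
        return schemes;
    }

    // Sends one request without credentials; returns the schemes in the 401 challenge.
    public static List<string> Probe(string url)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);
        request.UseDefaultCredentials = false; // anonymous on purpose
        try
        {
            using (request.GetResponse()) { }
            return new List<string>(); // no challenge was issued
        }
        catch (WebException ex)
        {
            var response = ex.Response as HttpWebResponse;
            if (response == null || response.StatusCode != HttpStatusCode.Unauthorized) throw;
            using (response)
                return ParseSchemes(response.Headers.GetValues("WWW-Authenticate"));
        }
    }

    static void Main(string[] args)
    {
        // Pass the Lists.asmx URL of the server being diagnosed.
        foreach (string scheme in Probe(args[0]))
            Console.WriteLine(scheme);
    }
}
```

A server in the state the question describes would list only `NTLM`; a `Negotiate` entry indicates the server will accept Kerberos, which is the scheme `clientCredentialType="Windows"` negotiates.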
