The HTTP request is unauthorized with client authentication scheme 'Ntlm'

Problem description

While calling a web service I get the following error:

The HTTP request is unauthorized with client authentication scheme 'NTLM'. The authentication header received from the server was 'NTLM'. The HTTP request is unauthorized with client authentication scheme 'NTLM'. The authentication header received from the server was 'NTLM'.

I have a Silverlight 4 application that calls a WCF web service, both on my IIS (7). My WCF web service calls another ASMX web service, installed on a different web server, using NTLM (Windows Authentication). Both servers, mine and the one hosting the ASMX web service, are in the same domain.

When the Silverlight client opens the application from the server using http://localhost/MySiteName everything works fine. But when the Silverlight client opens the application from a different client, which is not the server but still in the same domain, using http://MyServerName/MySiteName then I get the error.

Windows Authentication is enabled in my IIS. Anonymous Authentication is disabled in my IIS.

Binding configuration for calling my WCF web service is:

    <binding name="winAuthBasicHttpBinding">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows" />
      </security>
    </binding>

Binding configuration for calling the ASMX web service is:

    <binding name="ClNtlmBinding">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Ntlm" />
      </security>
    </binding>

Recommended answer

OK, here are the things that come to mind:

  • Your WCF service, presumably running on IIS, must be running under a security context that has the privilege to call the Web Service. You need to make sure the app pool runs with a user that is a domain user - ideally a dedicated user.
  • You cannot use impersonation to pass the user's security token back to ASMX, since "my WCF web service calls another ASMX web service, installed on a **different** web server".
  • Try changing Ntlm to Windows and test again.

OK, a few words on impersonation. Basically, it is a known issue that you cannot take the impersonation token that you got on one server and pass it to another server. The reason seems to be that the token is a kind of hash using the user's password and is valid for the machine it was generated on, so it cannot be used from the middle server.

Delegation is possible under WCF (i.e. forwarding impersonation from a server to another server). Look at this topic here.
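
The answer's last two points (switching `Ntlm` to `Windows`, and delegation) expressed as client-side WCF configuration on the middle server. This is an added example, not part of the original post: the binding, behavior and endpoint names, the address and the contract are hypothetical. It assumes Kerberos works between the two servers, the WCF operation impersonates its caller, and the app pool account is trusted in Active Directory for delegation to the ASMX host.

```xml
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- Outbound binding to the ASMX service (hypothetical name).
           "Ntlm" pins the HTTP scheme to NTLM, which cannot forward a
           caller's identity to a second server. "Windows" uses Negotiate,
           so Kerberos can be selected when it is available. -->
      <binding name="ClWindowsBinding">
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>

  <behaviors>
    <endpointBehaviors>
      <!-- Hypothetical behavior name. Allows the downstream server to act on
           behalf of the identity this client presents. Leave this behavior
           out if the ASMX call should simply run as the dedicated app pool
           account (the first option in the answer). -->
      <behavior name="delegateCaller">
        <clientCredentials>
          <windows allowedImpersonationLevel="Delegation" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>

  <client>
    <!-- Address and contract are placeholders for the real ASMX proxy. -->
    <endpoint name="AsmxEndpoint"
              address="http://asmx-server.example/Service.asmx"
              binding="basicHttpBinding"
              bindingConfiguration="ClWindowsBinding"
              behaviorConfiguration="delegateCaller"
              contract="Hypothetical.IAsmxServiceSoap" />
  </client>
</system.serviceModel>
```

Restricting the app pool account to constrained delegation for the ASMX host's service principal only keeps the forwarded identity from being usable against other services in the domain.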
