HTTP 请求未经客户端身份验证方案“Ntlm"授权.从服务器收到的身份验证标头是“协商,NTLM" [英] The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'Negotiate,NTLM'
问题描述
我浏览了大量 SO 文章,甚至其他网站,但似乎无法使此服务正常工作.我有一个 SOAP 服务,我正在尝试使用它,它的配置如下:
I've looked through a ton of SO articles, and even other sites, but can't seem to get this service working. I have a SOAP service I'm trying to hit and it's configured like this:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="PROVIDERSSoapBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Ntlm" proxyCredentialType="None" realm="" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="http://xxx.xx.xx.xxx:9011/provider/services/PROVIDERS"
binding="basicHttpBinding" bindingConfiguration="PROVIDERSSoapBinding"
contract="ServiceReference1.ProviderRemote" name="PROVIDERS" />
</client>
</system.serviceModel>
但是,从我的控制台应用程序点击它时出现以下错误:
However, I'm getting the following error when hitting it from my console application:
HTTP 请求未经授权,客户端身份验证方案为Ntlm".从服务器收到的身份验证标头是协商,NTLM".
The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'Negotiate,NTLM'.
有人可以帮我吗?
推荐答案
您可以通过使用 wftech,这是一个旧工具,但我发现它在诊断身份验证问题方面很有用.wfetch 允许您指定 NTLM、Negotiate 和 kerberos,这可能有助于您更好地了解您的问题.当您尝试调用服务而 wfetch 对 WCF 一无所知时,我建议将您的终结点绑定 (PROVIDERSSoapBinding) 应用到 serviceMetadata 然后您可以使用相同的安全设置为服务执行 WSDL 的 HTTP GET.
You can eliminate the client from the problem by using wftech, this is an old tool but I have found it useful in diagnosing authentication issues. wfetch allows you to specify NTLM, Negotiate and kerberos, this may well help you better understand your problem. As you are trying to call a service and wfetch knows nothing about WCF, I would suggest applying your endpoint binding (PROVIDERSSoapBinding) to the serviceMetadata then you can do an HTTP GET of the WSDL for the service with the same security settings.
您可能可以使用的另一个选项是强制服务器使用 NTLM,您可以通过编辑元数据库 (IIS 6) 并删除协商设置来执行此操作,更多详细信息请参见 http://support.microsoft.com/kb/215383.
Another option, which may be available to you is to force the server to use NTLM, you can do this by either editing the metabase (IIS 6) and removing the Negotiate setting, more details at http://support.microsoft.com/kb/215383.
如果您使用的是 IIS 7.x,则方法略有不同,有关如何配置身份验证提供程序的详细信息在此处 http://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication.
If you are using IIS 7.x then the approach is slightly different, details of how to configure the authentication providers are here http://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication.
我注意到你用xxx.xx.xx.xxx屏蔽了服务器地址,所以我猜这是一个IP地址而不是服务器名称,这可能会导致身份验证问题,所以如果可能的话尝试以机器名称为目标.
I notice that you have blocked out the server address with xxx.xx.xx.xxx, so I'm guessing that this is an IP address rather than a server name, this may cause issues with authentication, so if possible try targeting the machine name.
很抱歉,我没有给您答案,而是提供了让您更接近问题的指示,但我希望它有所帮助.
Sorry that I haven't given you the answer but rather pointers for getting closer to the issue, but I hope it helps.
最后我会说我遇到了同样的问题,我唯一的办法是使用 Kerberos 而不是 NTLM,请不要忘记,如果您确实沿着这条路线走,则需要为该服务注册一个 SPN.
I'll finish by saying that I have experienced this same issue and my only recourse was to use Kerberos rather than NTLM, don't forget you'll need to register an SPN for the service if you do go down this route.
这篇关于HTTP 请求未经客户端身份验证方案“Ntlm"授权.从服务器收到的身份验证标头是“协商,NTLM"的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
