WCF 客户端端点:没有 <dns> 的 SecurityNegotiationException [英] WCF client endpoint: SecurityNegotiationException without <dns>
问题描述
我在这里遇到了一个奇怪的情况.我让它工作了,但我不明白为什么.情况如下:
I'm having a strange situation here. I got it working, but I don't understand why. Situation is as follows:
我的应用程序(网站)必须调用 WCF 服务.WCF 服务公开 netTcpBinding 并需要传输安全性 (Windows).客户端和服务器在同一个域中,但在不同的服务器上.
因此,生成客户端会导致以下配置(主要是默认值)
There is a WCF service which my application (a website) has to call. The WCF service exposes a netTcpBinding and requires Transport Security (Windows).
Client and server are in the same domain, but on different servers.
So generating a client results in the following config (mostly defaults)
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="MyTcpEndpoint" ...>
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Transport">
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign"/>
<message clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
</bindings>
<client>
<endpoint address="net.tcp://localhost:xxxxx/xxxx/xxx/1.0"
binding="netTcpBinding" bindingConfiguration="MyTcpEndpoint"
contract="Service.IMyService" name="TcpEndpoint"/>
</client>
</system.serviceModel>
当我运行网站并调用服务时,出现以下错误:
When I run the website and make the call to the service, I get the following error:
System.ServiceModel.Security.SecurityNegotiationException: Either the target name is incorrect or the server has rejected the client credentials. ---> System.Security.Authentication.InvalidCredentialException: Either the target name is incorrect or the server has rejected the client credentials. ---> System.ComponentModel.Win32Exception: The logon attempt failed
--- End of inner exception stack trace ---
at System.Net.Security.NegoState.EndProcessAuthentication(IAsyncResult result)
at System.Net.Security.NegotiateStream.EndAuthenticateAsClient(IAsyncResult asyncResult)
at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.InitiateUpgradeAsyncResult.OnCompleteAuthenticateAsClient(IAsyncResult result)
at System.ServiceModel.Channels.StreamSecurityUpgradeInitiatorAsyncResult.CompleteAuthenticateAsClient(IAsyncResult result)
--- End of inner exception stack trace ---
Server stack trace:
at System.ServiceModel.AsyncResult.End[TAsyncResult](IAsyncResult result)
at System.ServiceModel.Channels.ServiceChannel.SendAsyncResult.End(SendAsyncResult result)
at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)
....
现在,如果我像这样改变客户端的配置:
Now, if I just alter the configuration of the client like so:
<endpoint address="net.tcp://localhost:xxxxx/xxxx/xxx/1.0"
binding="netTcpBinding" bindingConfiguration="MyTcpEndpoint"
contract="Service.IMyService" name="TcpEndpoint">
<identity>
<dns />
</identity>
</endpoint>
一切正常,我的服务器高兴地报告说它被托管我网站的 AppPool 的服务帐户调用了.一切都很好.
everything works and my server happily reports that it got called by the service account which hosts the AppPool for my website. All good.
我现在的问题是:为什么这行得通?这有什么作用?我只是通过反复试验得到了这个解决方案.在我看来,<dns/>
标签所做的一切似乎就是告诉客户端使用默认 DNS 进行身份验证,但它不是这样做的吗?
My question now is: why does this work? What does this do? I got to this solution by mere trial-and-error. To me it seems that all the <dns />
tag does is tell the client to use the default DNS for authentication, but doesn't it do that anyway?
更新
所以经过更多的研究和反复试验,我仍然没有找到这个问题的答案.在某些情况下,如果我不提供 <dns/>
,我会收到 Credentials denied
错误,但如果我提供 <dnsvalue="whatever"/>
config,它可以工作.为什么?
UPDATE
So after some more research and trial-and-error, I still haven't found an answer to this problem.
In some cases, if I don't provide the <dns />
, I get the Credentials rejected
error, but if I provide the <dns value="whatever"/>
config, it works. Why?
推荐答案
标签允许客户端验证服务器身份.例如,如果您说 <dns value="google.com"/>
它将验证 WCF 服务器是否提供 google.com 身份.既然你说 <dns/>
它可能只是让每个人都为你服务.
<dns/>
tag allows the client to verify the server identity. For example if you said <dns value="google.com"/>
it would verify that the WCF server provides google.com identity. Since you say <dns/>
it probably just allows everybody to serve you.
这篇关于WCF 客户端端点:没有 <dns> 的 SecurityNegotiationException的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!