WCF 客户端端点:没有 <dns> 的 SecurityNegotiationException [英] WCF client endpoint: SecurityNegotiationException without <dns>

问题描述

我在这里遇到了一个奇怪的情况.我让它工作了，但我不明白为什么.情况如下:

I'm having a strange situation here. I got it working, but I don't understand why. Situation is as follows:

我的应用程序(网站)必须调用 WCF 服务.WCF 服务公开 netTcpBinding 并需要传输安全性 (Windows).客户端和服务器在同一个域中，但在不同的服务器上.
因此，生成客户端会导致以下配置(主要是默认值)

There is a WCF service which my application (a website) has to call. The WCF service exposes a netTcpBinding and requires Transport Security (Windows). Client and server are in the same domain, but on different servers.
So generating a client results in the following config (mostly defaults)

<system.serviceModel>
    <bindings>
      <netTcpBinding>
         <binding name="MyTcpEndpoint" ...>          
              <reliableSession ordered="true" inactivityTimeout="00:10:00"
                              enabled="false" />
             <security mode="Transport">
                <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign"/>
                <message clientCredentialType="Windows" />
            </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <client> 
        <endpoint address="net.tcp://localhost:xxxxx/xxxx/xxx/1.0" 
                   binding="netTcpBinding" bindingConfiguration="MyTcpEndpoint" 
                   contract="Service.IMyService" name="TcpEndpoint"/>
    </client>
</system.serviceModel>

当我运行网站并调用服务时，出现以下错误:

When I run the website and make the call to the service, I get the following error:

System.ServiceModel.Security.SecurityNegotiationException: Either the target name is incorrect or the server has rejected the client credentials. ---> System.Security.Authentication.InvalidCredentialException: Either the target name is incorrect or the server has rejected the client credentials. ---> System.ComponentModel.Win32Exception: The logon attempt failed
    --- End of inner exception stack trace ---
    at System.Net.Security.NegoState.EndProcessAuthentication(IAsyncResult result)
    at System.Net.Security.NegotiateStream.EndAuthenticateAsClient(IAsyncResult asyncResult)
    at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.InitiateUpgradeAsyncResult.OnCompleteAuthenticateAsClient(IAsyncResult result)
    at System.ServiceModel.Channels.StreamSecurityUpgradeInitiatorAsyncResult.CompleteAuthenticateAsClient(IAsyncResult result)
    --- End of inner exception stack trace ---

Server stack trace: 
    at System.ServiceModel.AsyncResult.End[TAsyncResult](IAsyncResult result)
    at System.ServiceModel.Channels.ServiceChannel.SendAsyncResult.End(SendAsyncResult result)
    at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)
....

现在，如果我像这样改变客户端的配置:

Now, if I just alter the configuration of the client like so:

    <endpoint address="net.tcp://localhost:xxxxx/xxxx/xxx/1.0" 
               binding="netTcpBinding" bindingConfiguration="MyTcpEndpoint" 
               contract="Service.IMyService" name="TcpEndpoint">
        <identity>
            <dns />
        </identity> 
  </endpoint>

一切正常，我的服务器高兴地报告说它被托管我网站的 AppPool 的服务帐户调用了.一切都很好.

everything works and my server happily reports that it got called by the service account which hosts the AppPool for my website. All good.

我现在的问题是:为什么这行得通?这有什么作用?我只是通过反复试验得到了这个解决方案.在我看来，<dns/> 标签所做的一切似乎就是告诉客户端使用默认 DNS 进行身份验证，但它不是这样做的吗?

My question now is: why does this work? What does this do? I got to this solution by mere trial-and-error. To me it seems that all the <dns /> tag does is tell the client to use the default DNS for authentication, but doesn't it do that anyway?

更新
所以经过更多的研究和反复试验，我仍然没有找到这个问题的答案.在某些情况下，如果我不提供 <dns/>，我会收到 Credentials denied 错误，但如果我提供 <dnsvalue="whatever"/>config，它可以工作.为什么?

UPDATE
So after some more research and trial-and-error, I still haven't found an answer to this problem. In some cases, if I don't provide the <dns />, I get the Credentials rejected error, but if I provide the <dns value="whatever"/>config, it works. Why?

推荐答案

标签允许客户端验证服务器身份.例如，如果您说 <dns value="google.com"/> 它将验证 WCF 服务器是否提供 google.com 身份.既然你说 <dns/> 它可能只是让每个人都为你服务.

<dns/> tag allows the client to verify the server identity. For example if you said <dns value="google.com"/> it would verify that the WCF server provides google.com identity. Since you say <dns/> it probably just allows everybody to serve you.

在服务标识和身份验证

这篇关于WCF 客户端端点:没有 <dns> 的 SecurityNegotiationException的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！