netTCP绑定SOAP安全协商失败 [英] netTCP binding Soap Security Negotiation Failed
问题描述
我写一个WCF服务需要模仿和会话。
I am writing a WCF service requires impersonate and session.
这是确定当我试图把它叫做我的本地机器上,但在远程机器总是失败,这样的错误:
It is ok when I tried to call it on my local machine, but on the remote machine it always failed with such error:
安全支持提供程序接口(SSPI)身份验证失败。服务器可能不符合身份主机/主机名的帐户下运行。如果服务器是在服务帐户(网络服务为例)上运行,指定帐户的servicePrincipalName作为的EndpointAddress服务器的身份。如果服务器在用户帐户运行,指定帐户的UserPrincipalName作为的EndpointAddress服务器的身份。
Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity 'host/hostname'. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server.
如果我提供。一个UPN,它抛出一个身份未能例外
If I provided a upn, it throws an identity failed exception.
下面是我的配置:
服务器配置(APP)
Server Config(APP):
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="default">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceAuthorization impersonateCallerForAllOperations="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<netTcpBinding>
<binding name="DataService.netTcpBinding">
<readerQuotas maxArrayLength="65535" maxBytesPerRead="2147483647" maxStringContentLength="2147483647"/>
<reliableSession enabled="true" inactivityTimeout="24:00:00" ordered="true"/>
<security mode="TransportWithMessageCredential">
<message clientCredentialType="Windows" />
<transport clientCredentialType="Windows"/>
</security>
</binding>
</netTcpBinding>
</bindings>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true"/>
<services>
<service behaviorConfiguration="default" name="DataService.DataService">
<endpoint address="" binding="netTcpBinding" bindingConfiguration="DataService.netTcpBinding"
name="DataService.DataService" contract="DataService.IDataService"/>
<endpoint address="mex" binding="mexTcpBinding" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="http://address:4504/"/>
<add baseAddress="net.tcp://address:4503/"/>
</baseAddresses>
</host>
</service>
</services>
</system.serviceModel>
客户端配置:
Client Config:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="DataService.DataService" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions"
hostNameComparisonMode="StrongWildcard" listenBacklog="10"
maxBufferPoolSize="524288" maxBufferSize="65536" maxConnections="10"
maxReceivedMessageSize="65536">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="24.00:00:00"
enabled="true" />
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
<message clientCredentialType="Windows" algorithmSuite="Default" />
</security>
</binding>
</netTcpBinding>
</bindings>
<client>
<endpoint address="net.tcp://address:4503/" binding="netTcpBinding"
bindingConfiguration="DataService.DataService"
contract="ataService.IDataService" name="DataService.DataService">
<identity>
<dns value="DOMAIN"/>
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
任何帮助将不胜感激。
Any help would be greatly appreciated.
推荐答案
的Windows服务,无论是用户主要名称或服务主体名称(的文档)。为了从该链接引述如下:如果该服务在LocalSystem,本地服务或网络服务帐户下运行,默认情况下,在主机的形式生成的服务主体名称(SPN)/因为这些帐户可以访问计算机的SPN的数据,如果该服务在其他帐户下运行时,Windows通讯基础(WCF)的形式生成UPN @ 的其实,这句话是相当类似于您的错误消息指出。如此看来,...
Windows services register themselves with either a User Principal Name or a Service Principal Name (documentation). To quote from that link: "If the service is running under the LocalSystem, LocalService, or NetworkService account, a service principal name (SPN) is generated by default in the form of host/ because those accounts have access to the computer's SPN data. If the service is running under a different account, Windows Communication Foundation (WCF) generates a UPN in the form of @." In fact, this quote is rather similar to what your error message is stating. So it seems that...
a)如果服务是本地服务帐户或类似的标准帐户下运行,那么您需要调整您的客户的配置文件有这样的,在实际服务器的名称为地址和端点在端口4503上运行:
a) if the service is running under the Local Service account or similar standard account, then you need to adjust your client configuration file to have this, where the actual server's name is "address" and the endpoint is running on port 4503:
<identity>
<servicePrincipalName value="host/address:4503" />
</identity>
B)另外,如果你是在一个专门的服务帐户下运行(我们称之为的ServiceAccount域MYDOMAIN),然后你想
b) alternately, if you are running under a dedicated service account (let's call it "ServiceAccount" on the domain "MyDomain"), then you want
<identity>
<userPrincipalName value="ServiceAccount@MyDomain" />
</identity>
请注意,您可能需要在这两种情况下使用完全合格的域名,其中包括森林和树的水平。对于您的私人局域网/广域网内的一个简单的域名,这将意味着address.MyDomain.local和ServiceAccount@MyDomain.local。如果您的域名是在一个名为MyTree那么这将是ServiceAccount@MyDomain.MyTree.local树;如果这是在一个称为MyForest林那么这将是Serviceaccount@MyDomain.MyTree.MyForest.local(和的servicePrincipalName类似)。完全限定的名字在需要时您正在使用Kerberos 一>进行身份验证。
Please note that you may need to use the fully-qualified domain name in both cases, including the Forest and Tree levels. For a simple domain inside of your private LAN/WAN, that will mean address.MyDomain.local and ServiceAccount@MyDomain.local. If your domain is in a tree called MyTree then it will be ServiceAccount@MyDomain.MyTree.local; if that is in a forest called MyForest then it will be Serviceaccount@MyDomain.MyTree.MyForest.local (and similar for ServicePrincipalName). The fully-qualified name is needed when you are using Kerberos for authentication.
这篇关于netTCP绑定SOAP安全协商失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
