netTCP binding Soap Security Negotiation Failed


Problem description


I am writing a WCF service that requires impersonation and sessions.

It works when I call it on my local machine, but on the remote machine it always fails with this error:

Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity 'host/hostname'. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server.

If I provide a UPN, it throws an identity failed exception.

Here is my config:

Server Config(APP):

<system.serviceModel>    
    <behaviors>
      <serviceBehaviors>
        <behavior name="default">
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceAuthorization impersonateCallerForAllOperations="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <bindings>
      <netTcpBinding>
        <binding name="DataService.netTcpBinding">
          <readerQuotas maxArrayLength="65535" maxBytesPerRead="2147483647" maxStringContentLength="2147483647"/>
          <reliableSession enabled="true" inactivityTimeout="24:00:00" ordered="true"/>          
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="Windows" />
            <transport clientCredentialType="Windows"/>          
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true"/>
    <services>
      <service behaviorConfiguration="default" name="DataService.DataService">
        <endpoint address="" binding="netTcpBinding" bindingConfiguration="DataService.netTcpBinding" 
          name="DataService.DataService" contract="DataService.IDataService"/>
        <endpoint address="mex" binding="mexTcpBinding" contract="IMetadataExchange" />
        <host>
          <baseAddresses>
            <add baseAddress="http://address:4504/"/>
            <add baseAddress="net.tcp://address:4503/"/>
          </baseAddresses>
        </host>
      </service>
    </services>
</system.serviceModel>

Client Config:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <system.serviceModel>     
        <bindings>
            <netTcpBinding>
                <binding name="DataService.DataService" closeTimeout="00:01:00"
                    openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
                    transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions"
                    hostNameComparisonMode="StrongWildcard" listenBacklog="10"
                    maxBufferPoolSize="524288" maxBufferSize="65536" maxConnections="10"
                    maxReceivedMessageSize="65536">
                    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                    <reliableSession ordered="true" inactivityTimeout="24.00:00:00"
                        enabled="true" />
                    <security mode="TransportWithMessageCredential">
                        <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
                        <message clientCredentialType="Windows" algorithmSuite="Default" />
                    </security>
                </binding>
            </netTcpBinding>
        </bindings>
        <client>
            <endpoint address="net.tcp://address:4503/" binding="netTcpBinding"
                bindingConfiguration="DataService.DataService"
                contract="DataService.IDataService" name="DataService.DataService">
              <identity>
                <dns value="DOMAIN"/>                                                  
              </identity>
            </endpoint>
        </client>
    </system.serviceModel>
</configuration>

Any help would be greatly appreciated.

Solution

Windows services register themselves with either a User Principal Name or a Service Principal Name (documentation). To quote from that link: "If the service is running under the LocalSystem, LocalService, or NetworkService account, a service principal name (SPN) is generated by default in the form of host/ because those accounts have access to the computer's SPN data. If the service is running under a different account, Windows Communication Foundation (WCF) generates a UPN in the form of @." In fact, this quote is rather similar to what your error message is stating. So it seems that...

a) if the service is running under the Local Service account or similar standard account, then you need to adjust your client configuration file to have this, where the actual server's name is "address" and the endpoint is running on port 4503:

<identity>
     <servicePrincipalName value="host/address:4503" />
</identity>

b) alternatively, if you are running under a dedicated service account (let's call it "ServiceAccount" on the domain "MyDomain"), then you want

<identity>
     <userPrincipalName value="ServiceAccount@MyDomain" />
</identity>

Please note that you may need to use the fully-qualified domain name in both cases, including the Forest and Tree levels. For a simple domain inside of your private LAN/WAN, that will mean address.MyDomain.local and ServiceAccount@MyDomain.local. If your domain is in a tree called MyTree then it will be ServiceAccount@MyDomain.MyTree.local; if that is in a forest called MyForest then it will be ServiceAccount@MyDomain.MyTree.MyForest.local (and similar for ServicePrincipalName). The fully-qualified name is needed when you are using Kerberos for authentication.
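As an added example that is not part of the original question or answer, here is the client side of both identity variants (a) and (b) expressed in code rather than app.config; the identity the client asserts is what lets it refuse to authenticate to anything other than the account the service really runs under. It assumes the contract is DataService.IDataService from the question with a placeholder Ping operation, and reuses the answer's sample host, port and account names.

```csharp
using System;
using System.Net.Security;
using System.Security.Principal;
using System.ServiceModel;

namespace DataService
{
    // Placeholder contract: the real IDataService members are not on the page.
    [ServiceContract]
    public interface IDataService
    {
        [OperationContract]
        string Ping();
    }

    public static class DataServiceClient
    {
        // Same settings as the question's client binding.
        static NetTcpBinding CreateBinding()
        {
            var binding = new NetTcpBinding(SecurityMode.TransportWithMessageCredential);
            binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
            binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
            binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
            return binding;
        }

        // Case (a): service runs as LocalSystem/LocalService/NetworkService,
        // so the client expects the machine SPN (use the FQDN for Kerberos).
        public static EndpointAddress SpnAddress(string host, int port) =>
            new EndpointAddress(new Uri($"net.tcp://{host}:{port}/"),
                                EndpointIdentity.CreateSpnIdentity($"host/{host}:{port}"));

        // Case (b): service runs under a dedicated domain account,
        // so the client expects that account's UPN instead.
        public static EndpointAddress UpnAddress(string host, int port, string upn) =>
            new EndpointAddress(new Uri($"net.tcp://{host}:{port}/"),
                                EndpointIdentity.CreateUpnIdentity(upn));

        public static IDataService Connect(EndpointAddress address)
        {
            var factory = new ChannelFactory<IDataService>(CreateBinding(), address);
            // The server has impersonateCallerForAllOperations="true"; the client
            // default of Identification is not enough for that, so raise it.
            factory.Credentials.Windows.AllowedImpersonationLevel =
                TokenImpersonationLevel.Impersonation;
            return factory.CreateChannel();
        }
    }
}
```

Connect(SpnAddress("address.MyDomain.local", 4503)) covers case (a) and Connect(UpnAddress("address.MyDomain.local", 4503, "ServiceAccount@MyDomain.local")) covers case (b); if the asserted identity does not match the account the service runs under, the SSPI negotiation fails exactly as in the question.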
