.NET Core 上的 WCF 在授权方案中缺少客户端协商方案

Posted

技术标签:

【中文标题】.NET Core 上的 WCF 在授权方案中缺少客户端协商方案【英文标题】:WCF on .NET Core missing client Negotiate scheme in authorization scheme 【发布时间】:2018-12-14 17:34:24 【问题描述】:

将 WCF 服务和 ASP.NET Core 网站移至服务器后,出现以下错误:

The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'Negotiate, NTLM'.

我已使用以下 web.config 仅在 WCF 服务上启用了 Windows 身份验证:

<system.serviceModel>
    <client />
    <behaviors>
      <serviceBehaviors>
        <behavior name="authBehavior">
          <serviceAuthorization principalPermissionMode="UseWindowsGroups">
            <authorizationPolicies>
              <add policyType="WCF.AuthorizationPolicy, WCF" />
            </authorizationPolicies>
          </serviceAuthorization>
          <serviceCredentials>
            <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="WCF.IdentityValidator, WCF" />
            <serviceCertificate findValue="16E86CCAFFE6211DAE6E841B984F71FB7609D349" storeLocation="LocalMachine" x509FindType="FindBySerialNumber" storeName="My" />
          </serviceCredentials>
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <bindings>
      <basicHttpsBinding>
        <binding name="basicHttpsEndpointBinding" maxReceivedMessageSize="1073741824" maxBufferSize="1073741824" maxBufferPoolSize="1073741824">
          <readerQuotas maxDepth="32" maxArrayLength="1073741824" maxStringContentLength="1073741824" />
          <security mode="Transport">
            <transport clientCredentialType="Ntlm" />
          </security>
        </binding>
      </basicHttpsBinding>
    </bindings>
    <services>
      <service name="WCF.MyService" behaviorConfiguration="authBehavior">
        <endpoint address="" binding="basicHttpsBinding" bindingConfiguration="basicHttpsEndpointBinding" contract="WCF.IMyService">
          <identity>
            <dns value="example.com" />
          </identity>
        </endpoint>
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
      </service>
    </services>

ASP.NET Core 客户端:

BasicHttpsBinding binding = new BasicHttpsBinding
   
        MaxBufferPoolSize = 1073741824,
        MaxBufferSize = 1073741824,
        MaxReceivedMessageSize = 1073741824
   ;
   binding.ReaderQuotas.MaxDepth = 32;
   binding.ReaderQuotas.MaxArrayLength = 1073741824;
   binding.ReaderQuotas.MaxStringContentLength = 1073741824;
   binding.Security.Mode = BasicHttpsSecurityMode.Transport;
   binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;

   MyServiceClient client = new MyServiceClient(binding, new EndpointAddress(new Uri("https://example.com/MyService.svc"), new DnsEndpointIdentity("mydomain.com")));
   client.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;

   client.ClientCredentials.Windows.ClientCredential.Domain = Configuration.GetSection("WCF")["MyServiceDomain"];
   client.ClientCredentials.Windows.ClientCredential.UserName = Configuration.GetSection("WCF")["MyServiceUserName"];
   client.ClientCredentials.Windows.ClientCredential.Password = Configuration.GetSection("WCF")["MyServicePassword"];

   // client call

我想不出什么是错的。如果我在配置/代码中将 Ntlm 更改为 Windows,则客户端身份验证方案“协商”会出错。我是否可以同时使用两者,或者我必须以某种方式从 IIS 中删除 Negotiate/Ntlm?

感谢您的任何想法!

解决方案!

方法一来自https://blogs.msdn.microsoft.com/distributedservices/2009/11/10/wcf-calling-wcf-service-hosted-in-iis-on-the-same-machine-as-client-throws-authentication-error/文章

需要重启服务器!

【问题讨论】:

您可能会发现this post 很有见地。 好吧,如果另一个项目已经编写并且它可以在 localhost 但不能在服务器上运行,那就太糟糕了:D 无论如何我通过阅读文章解决了问题:blogs.msdn.microsoft.com/distributedservices/2009/11/10/… 这解决了我的问题 将解决方案发布为答案并接受。 当然.. 我只需要等待 2 天就可以接受它:D 【参考方案1】:

我发现这篇文章为我的问题提供了解决方案

文章:https://blogs.msdn.microsoft.com/distributedservices/2009/11/10/wcf-calling-wcf-service-hosted-in-iis-on-the-same-machine-as-client-throws-authentication-error/

使用方法一,需要重启服务器!

在注册表中我使用 CNAME 之类的

mySubdomain
mySubdomain.myDomain.com
localhost
192.168.0.xxx
192.168.0.1 (default gateway)
xx.xx.xx.xx (my ip address)

【讨论】:

以上是关于.NET Core 上的 WCF 在授权方案中缺少客户端协商方案的主要内容,如果未能解决你的问题,请参考以下文章

使用 WCF 的 Http 请求中缺少授权标头

.Net Core 中的 WCF 替换

.Net Core 1.1 上的 OData v4 缺少 /$metadata

忽略 ASP.NET Core 3.1 中的 WCF 证书错误

在 ASP .net core 2.1 中使用 WCF 或 Reporting Services 和 AlanJuden MvcReportViewer 的超时问题

ASP.NET Core认证授权方案