
WCF self-hosted: http request forbidden for authentication scheme anonymous

Situation:

We installed a self-hosted WCF Service on a new Windows Server 2016 Machine (machine X). This service makes a call to a Tibco BW webservice on a different Windows Server 2016 machine (machine Y).

When the WCF service is run with user A (part of built-in Administrators) all requests are processed successfully. When the service is run as user B (service user) we receive the following message: "http request forbidden for authentication scheme anonymous"

Both services run under basicHttpBinding.

We were able to do the same installation on a different Windows Server 2016 environment with different users successfully.

Steps taken so far:

  1. We compared the packages that are sent when the service is run with user A and with user B and found out that when the service is run with user B no package will reach machine Y.
  2. We disabled the Windows Firewall on both machines but this did not change the behaviour.
  3. We compared the rights and policies of user A and B via gpresult but could not see any difference regarding network access or http related policies.

Our Speculation

We suspect that User B is missing some kind of privilege to make http requests like User A is able to do.

Questions

  • Is there a group policy that governs this kind of behaviour?
  • What settings could prevent a User from sending these requests?
  • Why do we get this error message despite not using any security settings?

Thank you

We did a Wireshark analysis and found out that there was still a policy in place that required the service account to redirect all traffic over a proxy server. This proxy most likely had no idea how to handle WCF traffic and all requests resulted in the error message we observed.

Once we altered the policy to prevent the service user from using the proxy, the requests went through as expected and as observed with the other administrator users.
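A way to confirm the cause described in the answer above without a packet capture, as an added example that is not part of the original thread: run this small .NET Framework console program under each account (user A, then user B) and compare which proxy, if any, each one resolves for the target endpoint. The endpoint URL is a hypothetical placeholder, and the `DirectBinding` helper shows a client-side alternative to changing the policy, which the thread itself did not use.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.ServiceModel;

static class ProxyCheck
{
    // Hypothetical endpoint on machine Y; replace with the real service URL.
    const string TargetUrl = "http://machine-y.example:8080/service";

    // Returns the proxy the current account would use for 'target',
    // or null when the request would go to the target directly.
    static Uri ResolveProxy(Uri target)
    {
        // DefaultWebProxy reflects app.config <defaultProxy> and, by default,
        // the per-user system proxy settings, so the result can differ per account.
        IWebProxy proxy = WebRequest.DefaultWebProxy;
        if (proxy == null || proxy.IsBypassed(target))
            return null;

        Uri via = proxy.GetProxy(target);
        return via == null || via.Equals(target) ? null : via;
    }

    // A basicHttpBinding that ignores the default (per-user) proxy and
    // connects directly, because no ProxyAddress is set.
    static BasicHttpBinding DirectBinding()
    {
        return new BasicHttpBinding
        {
            UseDefaultWebProxy = false,
            BypassProxyOnLocal = true
        };
    }

    static void Main()
    {
        var target = new Uri(TargetUrl);
        string account = WindowsIdentity.GetCurrent().Name;
        Uri via = ResolveProxy(target);

        Console.WriteLine("Account : " + account);
        Console.WriteLine("Target  : " + target);
        Console.WriteLine("Route   : " + (via == null ? "direct" : "via proxy " + via));
        Console.WriteLine("Binding : UseDefaultWebProxy=" + DirectBinding().UseDefaultWebProxy);
    }
}
```

If user A reports "direct" and user B reports a proxy URI, the difference is in the accounts' proxy configuration rather than in network privileges.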
