连接到WCF服务时客户端无法进行身份验证
[英]Client unable to authenticate when connecting to WCF service
问题描述
I have a WCF service hosted in a Windows service. 
我在Windows服务中托管了WCF服务。 The application is an intranet app, and I have programmatically set the bindings on both the service and the client as: 该应用程序是Intranet应用程序,我已通过编程方式将服务和客户端上的绑定设置为:
NetTcpBinding aBinding = new NetTcpBinding(SecurityMode.Transport);
aBinding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
aBinding.Security.Transport.ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign;
Both the service and client have endpoints configured with SPNs: 服务和客户端都具有配置有SPN的端点:
EndpointAddress = new EndpointAddress(uri, EndpointIdentity.CreateSpnIdentity("Service1"));
As far as I know, I have setup the bindings correctly-- and I am usually able to connect to the service just fine. 据我所知,我已经正确设置了绑定-通常我可以正常连接到服务。 I did however run into a case where on a server running Windows Server 2003 R2, x64, SP2 I get the following exception immediately when the client tries to connect: 但是,我确实遇到了这样一种情况:在运行Windows Server 2003 R2,x64,SP2的服务器上,当客户端尝试连接时,我立即收到以下异常:
INNEREXCEPTION -- Exception Message: INNEREXCEPTION-异常消息:
InvalidCredentialException: Either the target name is incorrect or the server has rejected the client credentials. InvalidCredentialException:目标名称不正确或服务器已拒绝客户端凭据。
Stack Trace: 堆栈跟踪:
at System.Net.Security.NegoState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.NegotiateStream.AuthenticateAsClient(NetworkCredential credential, String targetName, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel allowedImpersonationLevel)
at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)
I get the exception when I try to connect to the service from another machine in the domain, but if I connect to the service on the same machine running the service it works fine. 当我尝试从域中的另一台计算机连接到服务时,出现异常,但是如果我在运行该服务的同一台计算机上连接到服务,则可以正常工作。
The hosting service itself is running as a domain user account-- but I have tried running the service as a Local System and Network Service to no avail. 托管服务本身以域用户帐户身份运行-但我尝试将服务作为本地系统和网络服务运行均无济于事。 I have checked the Local Security Policies for the server and didn't see anything amiss (ie 'Access this computer from the network' includes 'Everyone'). 我已经检查了服务器的本地安全策略,但没有发现任何问题(即“从网络访问此计算机”包括“所有人”)。
Anyone have an idea of what could resolve this? 任何人都有什么解决办法的想法?
I am wondering if I need to do something in Active Directory with respect to the service's SPN? 我想知道是否需要在Active Directory中针对服务的SPN做些事情? I have read some about using setspn.exe to register or refresh SPNs, but I haven't needed to do this before. 我已经阅读了一些有关使用setspn.exe来注册或刷新SPN的信息,但是我以前不需要这样做。 Why would this be working with other configurations but not the one above? 为什么这可以与其他配置一起使用,但不能与上面的配置一起使用?
1 个解决方案
解决方案1
0 2010-03-29 04:41:55
尝试以具有本地管理员访问权限的帐户运行该服务-如果您不能在如此大的权限范围内运行该服务,那么我相信您需要使用您所暗示的setpn.exe。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.