
The HTTP request is unauthorized with client authentication scheme 'Ntlm'

While calling a web service I get the following error:

The HTTP request is unauthorized with client authentication scheme 'NTLM'. The authentication header received from the server was 'NTLM'.

I have a Silverlight 4 application that calls a WCF web service, both on my IIS (7). My WCF web service calls another ASMX web service, installed on a different web server, using NTLM (Windows Authentication). Both servers, mine and the one hosting the ASMX web service, are in the same domain.

When the Silverlight client opens the application from the server using http://localhost/MySiteName everything works fine. But when the Silverlight client opens the application from a different client, which is not the server but still in the same domain, using http://MyServerName/MySiteName then I get the error.

Windows Authentication is enabled in my IIS. Anonymous Authentication is disabled in my IIS.

Binding configuration for calling my WCF web service is:

    <binding name="winAuthBasicHttpBinding">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows" />
      </security>
    </binding>

Binding configuration for calling the ASMX web service is:

    <binding name="ClNtlmBinding">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Ntlm" />
      </security>
    </binding>

OK, here are the things that come to mind:

  • Your WCF service, presumably running on IIS, must be running under a security context that has the privilege to call the Web Service. You need to make sure the app pool runs with a user that is a domain user - ideally a dedicated user.
  • You cannot use impersonation to pass the user's security token back to ASMX, since "my WCF web service calls another ASMX web service, installed on a **different** web server".
  • Try changing Ntlm to Windows and test again.

OK, a few words on impersonation. Basically it is a known issue that you cannot use the impersonation tokens that you got to one server, to pass to another server. The reason seems to be that the token is a kind of a hash using the user's password and valid for the machine it was generated from, so it cannot be used from the middle server.


UPDATE

Delegation is possible under WCF (i.e. forwarding impersonation from a server to another server). Look at this topic here.
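The double-hop limit this answer describes can be checked from inside the middle-tier service before the downstream call is made. The following is an added example, not code from the original posts; `IMiddleTier`, `MiddleTierService`, `DescribeCaller` and `Evaluate` are hypothetical names, and it assumes a .NET Framework WCF service hosted in IIS with Windows authentication.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IMiddleTier // hypothetical contract for the WCF service in the question
{
    [OperationContract]
    string DescribeCaller();
}

public class MiddleTierService : IMiddleTier
{
    // Reports whether the caller's token could be carried to a second server.
    public string DescribeCaller()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        WindowsIdentity caller = ctx != null ? ctx.WindowsIdentity : null;
        if (caller == null || caller.IsAnonymous)
            return "No Windows identity: the downstream call can only use the app pool account.";

        return Evaluate(caller.Name, caller.AuthenticationType, caller.ImpersonationLevel);
    }

    // Decision logic kept separate so it can be exercised without IIS.
    public static string Evaluate(string name, string authType, TokenImpersonationLevel level)
    {
        // An NTLM logon proves the user to this server only and cannot be
        // forwarded, so the second hop has to use the service's own identity.
        if (string.Equals(authType, "NTLM", StringComparison.OrdinalIgnoreCase))
            return name + ": NTLM logon, not forwardable. Call the ASMX service as the app pool account.";

        // A token is forwardable only when delegation has been granted.
        if (level == TokenImpersonationLevel.Delegation)
            return name + ": " + authType + " logon at Delegation level, the second hop can carry the caller.";

        return name + ": " + authType + " logon at level " + level + ", usable on this server only.";
    }
}
```

Logging the result for one request made on the server itself and one made from another domain machine shows the authentication type and impersonation level the service actually receives in each case.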

It's a long time since the question was posted, but I experienced the same issue in a similar scenario. I have a console application and I was consuming a web service, and our IIS server where the web service was placed has Windows authentication (NTLM) enabled.

I followed this link and that fixed my problem. Here's the sample code for App.config:

    <system.serviceModel>
        <bindings>
            <basicHttpBinding>
                <binding name="Service1Soap">
                    <!-- TransportCredentialOnly: credentials travel over plain HTTP, without TLS -->
                    <security mode="TransportCredentialOnly">
                        <transport clientCredentialType="Ntlm" proxyCredentialType="None"
                            realm=""/>
                        <message clientCredentialType="UserName" algorithmSuite="Default"/>
                    </security>
                </binding>
            </basicHttpBinding>
        </bindings>
        <client>
            <!-- bindingConfiguration must match the binding name declared above;
                 a complete endpoint also carries the generated contract attribute -->
            <endpoint address="http://localhost/servicename/service1.asmx"
                binding="basicHttpBinding" bindingConfiguration="Service1Soap"/>
        </client>
    </system.serviceModel>

For me the solution was, besides using "Ntlm" as credential type, similar to Jeroen K's solution. If I had the permission level I would plus on his post, but let me post my whole code here, which will support both Windows and other credential types like basic auth:

    XxxSoapClient xxxClient = new XxxSoapClient();
    ApplyCredentials(userName, password, xxxClient.ClientCredentials);

    private static void ApplyCredentials(string userName, string password, ClientCredentials clientCredentials)
    {
        clientCredentials.UserName.UserName = userName;
        clientCredentials.UserName.Password = password;
        clientCredentials.Windows.ClientCredential.UserName = userName;
        clientCredentials.Windows.ClientCredential.Password = password;
        clientCredentials.Windows.AllowNtlm = true;
        clientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;
    }  

I had to move domain, username, password from

    client.ClientCredentials.UserName.UserName = domain + "\\" + username;
    client.ClientCredentials.UserName.Password = password;

to

    client.ClientCredentials.Windows.ClientCredential.UserName = username;
    client.ClientCredentials.Windows.ClientCredential.Password = password;
    client.ClientCredentials.Windows.ClientCredential.Domain = domain;

1) I had to do the following with my configuration: (Add BackConnectionHostNames or Disable Loopback Check) http://support.microsoft.com/kb/896861

2) I was working off a dev system on an isolated dev network. I had gotten it working using the dev system's computer name in the URL to the web service, but when I modified the URL to the URL that would be used in production (rather than the computer name), I started getting the NTLM error.

3) I noticed the security log showed the service account failing to log in with an error similar to the one in the MSDN article.

4) Adding the BackConnectionHostNames made it so I could log into the server via a browser running on the server, but the service account still had NTLM errors when trying to authenticate for the web services. I wound up disabling the loopback check and that fixed it for me.
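Both workarounds from KB 896861 named in this answer are registry values: `DisableLoopbackCheck` turns the check off for the whole machine, while `BackConnectionHostNames` exempts only the listed names. An added example (not from the original post) that reports which of the two is in effect for a given host name; `LoopbackCheckAudit` and the placeholder host name are assumptions, and it has to run on the Windows server being checked.

```csharp
using System;
using System.Linq;
using Microsoft.Win32;

public static class LoopbackCheckAudit
{
    const string LsaKey = @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa";
    const string Msv10Key = LsaKey + @"\MSV1_0";

    // Decides which KB 896861 workaround, if any, covers hostName.
    public static string Classify(int disableLoopbackCheck, string[] backConnectionHostNames, string hostName)
    {
        if (disableLoopbackCheck != 0)
            return "DisableLoopbackCheck is set: the check is off for every host name on this machine.";

        bool listed = (backConnectionHostNames ?? new string[0])
            .Any(h => string.Equals(h.Trim(), hostName, StringComparison.OrdinalIgnoreCase));

        return listed
            ? "Loopback check is on; " + hostName + " is exempted via BackConnectionHostNames."
            : "Loopback check is on and " + hostName + " is not listed; local NTLM logons to that name are rejected.";
    }

    public static string Audit(string hostName)
    {
        // Registry.GetValue returns the supplied default when the value is
        // absent and null when the key itself does not exist.
        object flag = Registry.GetValue(LsaKey, "DisableLoopbackCheck", 0);
        object names = Registry.GetValue(Msv10Key, "BackConnectionHostNames", null);
        return Classify(flag is int ? (int)flag : 0, names as string[], hostName);
    }

    public static void Main(string[] args)
    {
        // "service.example.test" is a constructed placeholder host name.
        Console.WriteLine(Audit(args.Length > 0 ? args[0] : "service.example.test"));
    }
}
```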

Maybe you can refer to http://msdn.microsoft.com/en-us/library/ms731364.aspx. My solution is to change the 2 properties authenticationScheme and proxyAuthenticationScheme to "Ntlm", and then it works.

PS: My environment is as follows - Server side: .net 2.0 ASMX - Client side: .net 4

My problem was: non-admin users were getting "the http request is unauthorized with client authentication scheme 'negotiate' asmx" on my asmx services.

I gave read/execute folder permissions to the non-admin users and my problem was solved.
