WCF + NTLM身份验证和负载平衡问题

Question

Once again attempting to get my WCF service working in our load balanced environment and I've been hopeful. I've moved on to using a <customBinding> since it appears that the recommendation is to set the keepAliveEnabled directive.

That said, I am having a problem setting up Windows authentication on the server side since the <customBinding> does not seem to function in the same way.

The server side looks like this:

<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
<bindings>
  <customBinding>
    <binding name="HttpBinding" closeTimeout="00:00:45">
      <textMessageEncoding>
        <readerQuotas maxStringContentLength="200000" maxArrayLength="200000" />
      </textMessageEncoding>
      <httpTransport keepAliveEnabled="false" maxReceivedMessageSize="200000" authenticationScheme="Negotiate"/>
    </binding>
  </customBinding>
</bindings>
<services>
    <endpoint address="http://svcserv/Services/ReportService/Reports.svc" binding="customBinding"
              bindingConfiguration="HttpBinding" contract="ReportService.IReports" >
    </endpoint>
    <endpoint address="mex" binding="customBinding" bindingConfiguration="HttpBinding" contract="IMetadataExchange" />
  </service>
</services>
<behaviors>
  <serviceBehaviors>
    <behavior name="ReportService.ReportsBehavior">
      <serviceMetadata httpGetEnabled="true"  />
      <serviceDebug includeExceptionDetailInFaults="true"/>
    </behavior>
  </serviceBehaviors>
</behaviors>
</system.serviceModel>

The client side looks like this:

<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
<bindings>
  <basicHttpBinding>
    <binding name="CustomBinding_IReports" maxReceivedMessageSize="200000">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows"/>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
<client>
  <endpoint name="CustomBinding_IReports" address="http://omsnetdev/Services/ReportService/Reports.svc"
            binding="basicHttpBinding" bindingConfiguration="CustomBinding_IReports" contract="ReportService.IReports">
    <identity>
      <servicePrincipalName value="host/svcserv"/>
      <dns value="svcserv"/>
    </identity>
  </endpoint>
</client>
</system.serviceModel>

If I leave the authenticationScheme set to "Negotiate" then I receive something along the lines of either SOAP header Action was not understood. or, at one point, Client found response content type of '', but expected 'application/soap+xml'. If I change the authenticationScheme to "Ntlm" then I receive Exception: The request failed with HTTP status 401: Unauthorized. but I believe this is due to the negotiation failing ( due to the SPN value? ) so it falls back to "Ntlm" and fails.

I would write this off as a configuration on the IIS server but I have verified the settings.

Answer 1

I belief this is not only WCF problem but a conceptual model. You want to make completely stateless scenario but in the same time you need stateful handling of authentication because NTLM (and no other transport level authentication) is performed within single request response.

Here is short description how the handshake works:

      Client                                                Server
-----------------------------------------------------------------------------------------
Send initial request ---------------------------->
                     <----------------------------  Returns 401 with WWW-Authenticate 
                                                    header demanding NTLM
Sends empty request  ---------------------------->  
with Authorization                                
header with initial 
token                                    
                     <----------------------------  Returns 401 with WWW-Authenticate 
                                                    header containing some server token
Sends request with   ---------------------------->  
Authorization header                                
with final token                                    
                     <----------------------------  Returns 200 and expected response

This handshake must be performed with single load balanced server but once you turn off persistent HTTP connections you will force your client to open new TCP connection for each call and each call is load balanced separately. That will most probably ends with these calls passed to different servers => authentication failed. In short you need either:

• Higher level load balancing operating on top of HTTP (authentication will be done with load balancer) and calls to service will be anonymous
• Another authentication technique passing credentials in message
• Persistent connections to force request routing to correct server. If you are hosting services in IIS you can reduce keep alive interval to few seconds and hope that this will improve load balancing effectivity

Answer 2

If you have a problem related to the SPN, please see this answer: SO WCF-Security-Problem question

The only issue you should have with the load balancer is whether you need your session to remain "sticky" to one host. For a given session the load balancer should be able to do this for you if you configure it correctly.

Note that windows server has a fallback mode that does not use SSPI if you have the server and client on the same machine. This lets you get burnt when you move from test to prod.