C#客户端的Apache NTLM Auth不适用于自定义的NetworkCredentials
[英]Apache NTLM Auth from C# client do not work with self defined NetworkCredentials
问题描述
I have a office plugin that connect a service using HttpWebRequest . 
我有一个Office插件,可使用HttpWebRequest连接服务。
Inside a domain I pass CredentialCache.DefaultNetworkCredentials so all is fine. 在域内部,我传递了CredentialCache.DefaultNetworkCredentials所以一切都很好。 Outside a domain a user need to provide username, domain and password. 在域外,用户需要提供用户名,域和密码。 This don't work atm. 这在atm上不起作用。
Some part of the code out of it: 代码的一部分:
CookieContainer cookies = new CookieContainer();
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
request.Method = WebRequestMethods.Http.Post;
request.AllowAutoRedirect = true;
request.CookieContainer = cookies; // provide session cookie to handle redirects of login controller of the webservice
if (isWindowAuthentication) // isWindowAuthentication is set earlier by config
{
if (Common.UserName.Length > 0)
{
string[] domainuser;
string username;
string domain;
if (Common.UserName.Contains("@"))
{
domainuser = Common.UserName.Split('@');
username = domainuser[0];
domain = domainuser[1];
}
else
{
domainuser = Common.UserName.Split('\\');
username = domainuser[1];
domain = domainuser[0];
}
NetworkCredential nc = new NetworkCredential(username, Common.Password, domain);
CredentialCache cache = new CredentialCache();
cache.Add(request.RequestUri, "NTLM", nc);
request.Credentials = cache;
}
else
{
request.Credentials = CredentialCache.DefaultNetworkCredentials;
}
}
Later on I do the request request.GetResponse(); 稍后我执行请求request.GetResponse(); . 。 If I use CredentialCache.DefaultNetworkCredentials then everything works fine. 如果我使用CredentialCache.DefaultNetworkCredentials则一切正常。 The moment I switch to my own new NetworkCredential() part the authentication fails. 当我切换到自己的new NetworkCredential()部分时,身份验证将失败。
I checked the logs of the Apache (it is Apache 2.2 using SSPI mod). 我检查了Apache的日志(使用SSPI mod的是Apache 2.2)。 When it succeed the first request redirect to the login controller, then the login controller request credentials. 成功后,第一个请求重定向到登录控制器,然后登录控制器请求凭据。 Passed and works (redirect to the target site). 通过且有效(重定向到目标站点)。
Log 1 (works): 日志1(有效):
192.168.14.9 - - [25/Oct/2012:11:35:35 +0200] "POST /ror/ioi/start?document%5Bguid%5D=%7Be3d8f1de-10f2-4493-a0c0-97c2acb034e6%7D HTTP/1.1" 302 202
192.168.14.9 - - [25/Oct/2012:11:35:35 +0200] "GET /ror_auth/login?ror_referer=%2Fror%2Fioi%2Fstart%3Fdocument%255Bguid%255D%3D%257Be3d8f1de-10f2-4493-a0c0-97c2acb034e6%257D HTTP/1.1" 401 401
192.168.14.9 - - [25/Oct/2012:11:35:35 +0200] "GET /ror_auth/login?ror_referer=%2Fror%2Fioi%2Fstart%3Fdocument%255Bguid%255D%3D%257Be3d8f1de-10f2-4493-a0c0-97c2acb034e6%257D HTTP/1.1" 401 401
192.168.14.9 - rausch [25/Oct/2012:11:35:35 +0200] "GET /ror_auth/login?ror_referer=%2Fror%2Fioi%2Fstart%3Fdocument%255Bguid%255D%3D%257Be3d8f1de-10f2-4493-a0c0-97c2acb034e6%257D HTTP/1.1" 302 156
The own credential results here Log 2 (do not work): 日志2本身的凭证结果(不起作用):
192.168.14.9 - - [25/Oct/2012:12:05:23 +0200] "POST /ror/ioi/start?document%5Bguid%5D=%7B6ac54e8a-19f1-4ccd-9684-8d864dd9ccf7%7D HTTP/1.1" 302 202
192.168.14.9 - - [25/Oct/2012:12:05:23 +0200] "GET /ror_auth/login?ror_referer=%2Fror%2Fioi%2Fstart%3Fdocument%255Bguid%255D%3D%257B6ac54e8a-19f1-4ccd-9684-8d864dd9ccf7%257D HTTP/1.1" 401 401
What I don't understand is when I inspect eg CredentialCache.DefaultNetworkCredentials.UserName then is is empty. 我不理解的是,当我检查例如CredentialCache.DefaultNetworkCredentials.UserName为空。
Anyone know what to do and how I have to set my own credentials correct that the authentication works as expected? 任何人都知道该怎么办,以及我如何设置自己的凭据才能正确进行身份验证,以确保身份验证正常工作?
1 个解决方案
解决方案1
0 已采纳 2012-10-29 19:23:38
Finally after a lot of testing and investigation and many resources on stack overflow I found out what is going on. 最后,经过大量的测试和调查以及堆栈上的大量资源后,我发现了发生了什么。
The problem seems to be that the httpwebrequest don't handle the authentication when parts of the webseite requests credentials and some don't. 这个问题似乎是该httpwebrequest不办理认证时webseite请求凭证的部分,有些则没有。
Background: 背景:
Our Site has its own session management and redirect to a login controller when no valid session is available. 我们的网站拥有自己的会话管理功能,当没有有效的会话可用时,重定向到登录控制器。 Only this login controller is set to NTLM authentication. 仅此登录控制器设置为NTLM身份验证。
This we made because we have a web site without NTLM auth at all (no 401, 302 request loops in IE!) and only validate once (and we handle authentication on different url to prevent the problem that IE stop posting data at non-authenticated sites => see http://support.microsoft.com/?id=251404 ). 我们这样做是因为我们拥有一个完全不具有NTLM身份验证的网站(IE中没有401、302请求循环!),并且仅进行了一次验证(并且我们在不同的url上进行身份验证,以防止IE停止在未经身份验证的位置发布数据的问题)站点=>参见http://support.microsoft.com/?id=251404 )。
Solution: 解:
I normally sent a request on my target page and the webserver redirect, authenticate and redirect back to the target. 通常,我在目标页面上发送了一个请求,然后Web服务器重定向,验证并重定向回目标。 As the httpwebrequest don't handle this for any reason if I have my own credentials set (see above code of my question) I changed to code to authenticate once to my login controller and store the session in a cookie container. 因为如果我设置了自己的凭据,httpwebrequest出于任何原因都不会处理该问题(请参阅上面的问题代码),所以我更改为对登录控制器进行一次身份验证并将该会话存储在cookie容器中的代码。
For all following request I don't autenticate at all anymore. 对于以下所有请求,我将不再提供任何帮助。 I add the cookie container and my server gets a valid session. 我添加了cookie容器,我的服务器获得了一个有效的会话。 So I don't have to authenticate anymore. 因此,我不再需要进行身份验证。 Sideeffect is better performance this way. 这样副作用是更好的性能。
Another tricky thing was that I not only use httpwebrequest, I also use a webform control. 另一个棘手的事情是,我不仅使用httpwebrequest,而且还使用了Webform控件。 Therefor I found the solution to add my own cookie session here: Use cookies from CookieContainer in WebBrowser (Thanks to Aaron who saved me a lot of trouble as well). 因此,我找到了在此处添加自己的cookie会话的解决方案: 在WebBrowser中使用来自CookieContainer的cookie (感谢Aaron,这也为我省去了很多麻烦)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.