The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'Negotiate,NTLM'

I've looked through a ton of SO articles, and even other sites, but can't seem to get this service working. I have a SOAP service I'm trying to hit and it's configured like this:

<system.serviceModel>
    <bindings>
        <basicHttpBinding>
        <binding name="PROVIDERSSoapBinding">
            <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Ntlm" proxyCredentialType="None" realm="" />
            </security>
        </binding>
        </basicHttpBinding>
    </bindings>
    <client>
        <endpoint address="http://xxx.xx.xx.xxx:9011/provider/services/PROVIDERS"
            binding="basicHttpBinding" bindingConfiguration="PROVIDERSSoapBinding"
            contract="ServiceReference1.ProviderRemote" name="PROVIDERS" />
    </client>
</system.serviceModel>

However, I'm getting the following error when hitting it from my console application:

The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'Negotiate,NTLM'.

Can somebody help me out?

Try setting 'clientCredentialType' to 'Windows' instead of 'Ntlm'.

I think that this is what the server is expecting - i.e. when it says the server expects "Negotiate,NTLM", that actually means Windows Auth, where it will try to use Kerberos if available, or fall back to NTLM if not (hence the 'negotiate').

I'm basing this on somewhat reading between the lines of: Selecting a Credential Type

You can eliminate the client from the problem by using wfetch, this is an old tool but I have found it useful in diagnosing authentication issues. wfetch allows you to specify NTLM, Negotiate and Kerberos, this may well help you better understand your problem. As you are trying to call a service and wfetch knows nothing about WCF, I would suggest applying your endpoint binding (PROVIDERSSoapBinding) to the serviceMetadata then you can do an HTTP GET of the WSDL for the service with the same security settings.

Another option, which may be available to you is to force the server to use NTLM, you can do this by either editing the metabase (IIS 6) and removing the Negotiate setting, more details at http://support.microsoft.com/kb/215383.

If you are using IIS 7.x then the approach is slightly different, details of how to configure the authentication providers are here: http://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication.

I notice that you have blocked out the server address with xxx.xx.xx.xxx, so I'm guessing that this is an IP address rather than a server name, this may cause issues with authentication, so if possible try targeting the machine name.

Sorry that I haven't given you the answer but rather pointers for getting closer to the issue, but I hope it helps.

I'll finish by saying that I have experienced this same issue and my only recourse was to use Kerberos rather than NTLM, don't forget you'll need to register an SPN for the service if you do go down this route.

We encountered this issue and discovered that the error was being thrown when using (IE in our case) the browser logged in as the process account, then changing the session log in through the application (SharePoint). I believe this scenario passes two authentication schemes:

  1. Negotiate
  2. NTLM

The application hosted an *.asmx web service, that was being called on a load balanced server, initiating a web service call to itself using a WCF-like .NET3.5 binding.

Code that was used to call the web service:

using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.Text;

public class WebServiceClient<T> : IDisposable
{
    private readonly T _channel;
    private readonly IClientChannel _clientChannel;

    public WebServiceClient(string url)
        : this(url, null)
    {
    }
    /// <summary>
    /// Use action to change some of the connection properties before creating the channel
    /// </summary>
    public WebServiceClient(string url,
         Action<CustomBinding, HttpTransportBindingElement, EndpointAddress, ChannelFactory> init)
    {
        var binding = new CustomBinding();
        binding.Elements.Add(
            new TextMessageEncodingBindingElement(MessageVersion.Soap12, Encoding.UTF8));
        var transport = url.StartsWith("https", StringComparison.InvariantCultureIgnoreCase)
                            ? new HttpsTransportBindingElement()
                            : new HttpTransportBindingElement();
        transport.AuthenticationScheme = System.Net.AuthenticationSchemes.Ntlm;
        binding.Elements.Add(transport);

        var address = new EndpointAddress(url);

        var factory = new ChannelFactory<T>(binding, address);
        factory.Credentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;

        if (init != null)
        {
            init(binding, transport, address, factory);
        }

        this._clientChannel = (IClientChannel)factory.CreateChannel();
        this._channel = (T)this._clientChannel;
    }

    /// <summary>
    /// Use this property to call service methods
    /// </summary>
    public T Channel
    {
        get { return this._channel; }
    }
    /// <summary>
    /// Use this property when working with
    /// Session or Cookies
    /// </summary>
    public IClientChannel ClientChannel
    {
        get { return this._clientChannel; }
    }

    public void Dispose()
    {
        this._clientChannel.Dispose();
    }
}

We discovered that if the session credential was the same as the browser's process account, then just NTLM was used and the call was successful. Otherwise it would result in this captured exception:

The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'Negotiate,NTLM'.

In the end, I am fairly certain that one of the authentication schemes would pass authentication while the other wouldn't, because it was not granted appropriate access.

If both your client and service are installed on the same machine, and you are facing this problem with the correct (read: tried and tested elsewhere) client and service configurations, then this might be worth checking.

Check host entries in your hosts file

%windir%/system32/drivers/etc/hosts

Check to see if you are accessing your web service with a hostname, and that same hostname has been associated with an IP address in the hosts file mentioned above. If yes, NTLM/Windows credentials will NOT be passed from the client to the service as any request for that hostname will be routed again at the machine level.

Try either of the following

  • Remove the host entry of that hostname from the hosts file
  • OR
  • If removing host entry is not possible, then try accessing your service with another hostname. You might also try with IP address instead of hostname

Edit: Somehow the above situation is relevant on a load-balanced scenario. However, if removing the host entries is not possible, then disabling loop back check on the machine will help. Refer to method 2 in the article https://support.microsoft.com/en-us/kb/896861
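The hosts-file check described in the answer above, as an added example (not part of the original answer): it parses hosts-file lines and reports whether the endpoint's hostname is mapped there. The hostname `svc.example.test`, the sample entries and the class name `HostsFileCheck` are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

static class HostsFileCheck
{
    // Returns every IP address that the given hosts-file lines map to hostname.
    public static List<string> FindMappings(IEnumerable<string> hostsLines, string hostname)
    {
        var hits = new List<string>();
        foreach (var raw in hostsLines)
        {
            // Strip a trailing comment, then split "<ip> <name> [alias ...]" on whitespace.
            int hash = raw.IndexOf('#');
            string line = (hash >= 0 ? raw.Substring(0, hash) : raw).Trim();
            if (line.Length == 0) continue;

            string[] parts = line.Split((char[])null, StringSplitOptions.RemoveEmptyEntries);
            if (parts.Length < 2) continue; // malformed entry: an address with no name

            // Host names are case-insensitive; check the name and all of its aliases.
            if (parts.Skip(1).Any(n => string.Equals(n, hostname, StringComparison.OrdinalIgnoreCase)))
                hits.Add(parts[0]);
        }
        return hits;
    }

    static void Main()
    {
        // Constructed sample. On a real machine, read the file instead:
        // System.IO.File.ReadAllLines(
        //     Environment.ExpandEnvironmentVariables(@"%windir%\system32\drivers\etc\hosts"))
        string[] sampleHosts =
        {
            "# constructed sample hosts file",
            "127.0.0.1   localhost",
            "10.0.0.15   svc.example.test   # hypothetical entry",
        };

        // Hypothetical endpoint address; only its host part is compared.
        var endpoint = new Uri("http://svc.example.test:9011/provider/services/PROVIDERS");
        List<string> mapped = FindMappings(sampleHosts, endpoint.Host);

        Console.WriteLine(mapped.Count == 0
            ? endpoint.Host + ": no hosts-file entry"
            : endpoint.Host + " is mapped in the hosts file to " + string.Join(", ", mapped));
    }
}
```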

You need to set the NTAuthenticationProviders to NTLM

MSDN Article: https://msdn.microsoft.com/en-us/library/ee248703(VS.90).aspx

IIS Command-line ( http://msdn.microsoft.com/en-us/library/ms525006(v=vs.90).aspx ):

 cscript adsutil.vbs set w3svc/WebSiteValueData/root/NTAuthenticationProviders "NTLM"

I know this question is old, but the solution to my application was different to the already suggested answers. If anyone else like me still has this issue, and none of the above answers work, this might be the problem:

I used a Network Credentials object to parse a Windows username+password to a third party SOAP webservice. I had set the username="domainname\\username", password="password" and domain="domainname". Now this gave me that strange Ntlm and not NTLM error. To solve the problems, make sure not to use the domain parameter on the NetworkCredentials object if the domain name is included in the username with the backslash. So either remove domain name from the username and parse in domain parameter, or leave out the domain parameter. This solved my issue.
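One way to avoid the duplicated domain described in the answer above, as an added example (not the answerer's code): a helper that accepts either `DOMAIN\user` or a bare user name and returns a `System.Net.NetworkCredential` with the domain stated exactly once. The class name `WindowsCredentialBuilder` and the account values are hypothetical.

```csharp
using System;
using System.Net;

static class WindowsCredentialBuilder
{
    // Accepts "user" or "DOMAIN\user" plus an optional separate domain and
    // returns a credential whose UserName never carries the domain prefix.
    public static NetworkCredential Build(string account, string password, string domain = null)
    {
        if (string.IsNullOrWhiteSpace(account))
            throw new ArgumentException("Account name is required.", nameof(account));

        int slash = account.IndexOf('\\');
        if (slash < 0)
            return new NetworkCredential(account, password, domain ?? string.Empty);

        string embeddedDomain = account.Substring(0, slash);
        string user = account.Substring(slash + 1);
        if (embeddedDomain.Length == 0 || user.Length == 0)
            throw new ArgumentException("Expected DOMAIN\\user.", nameof(account));

        // A separate domain argument is redundant here; reject it if it disagrees.
        if (!string.IsNullOrEmpty(domain) &&
            !string.Equals(domain, embeddedDomain, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("Domain argument conflicts with the domain in the user name.");

        return new NetworkCredential(user, password, embeddedDomain);
    }

    static void Main()
    {
        // Constructed values. The first call repeats the combination from the answer
        // (domain in both places); the helper collapses it to a single domain.
        NetworkCredential a = Build(@"domainname\username", "password", "domainname");
        NetworkCredential b = Build("username", "password", "domainname");
        Console.WriteLine(a.Domain + " | " + a.UserName);
        Console.WriteLine(b.Domain + " | " + b.UserName);

        // With a WCF ChannelFactory or generated client, the result is assigned as:
        // factory.Credentials.Windows.ClientCredential = a;
    }
}
```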
