
Getting 403 Forbidden error. The HTTP request was forbidden with client authentication scheme 'Anonymous'

The problem I am seeing does not occur on every client that calls our service, but it is consistent: when the error does occur, it happens on the same service call, on a small number of clients.

Here are the exception details:

System.ServiceModel.Security.MessageSecurityException: The HTTP request was forbidden with client authentication scheme 'Anonymous'. ---> System.Net.WebException: The remote server returned an error: (403) Forbidden.
   at System.Net.HttpWebRequest.GetResponse()
   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.TlsnegoTokenProvider.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.CommunicationObjectSecurityTokenProvider.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecurityUtils.OpenTokenProviderIfRequired(SecurityTokenProvider tokenProvider, TimeSpan timeout)
   at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
   at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Proxy.FileTransferService.IFileTransferService.EstablishProxy(DownloadRequest request)
   at NormalFileTransferServiceClient.Download(Int32 packageId, IStreamWriter downloader, Archiver archiver)
   at LoggingFileTransferServiceClient.Download(Int32 packageId, ISt

The exception is thrown on the client.

The client proxy configuration for IFileTransferService is:

<binding name="WSHttpBinding_IFileTransferService" closeTimeout="00:01:00"
  openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
  bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
  maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Mtom"
  textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
  <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
    maxBytesPerRead="4096" maxNameTableCharCount="16384" />
  <reliableSession ordered="true" inactivityTimeout="00:10:00"
    enabled="false" />
  <security mode="Message">
    <transport clientCredentialType="Windows" proxyCredentialType="None"
      realm="" />
    <message clientCredentialType="UserName" negotiateServiceCredential="true"
      algorithmSuite="Default" establishSecurityContext="true" />
  </security>
</binding>

  <endpoint address="http://[hostname]/FileTransferService.svc/FileTransfer"
    binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IFileTransferService"
    contract="Proxy.FileTransferService.IFileTransferService"
    name="WSHttpBinding_IFileTransferService">
    <identity>
      <certificate encodedValue="a long string"/>
    </identity>
  </endpoint>

The service configuration is:

<service behaviorConfiguration="ServiceBehavior" 
    name="Services.FileTransferService">
        <endpoint name="WSHttpBinding_IFileTransferService" 
       binding="wsHttpBinding" 
       bindingConfiguration="MtomWSHttpBinding" 
       contract="Services.IFileTransferService" 
       address="/FileTransfer"/>
        <endpoint binding="basicHttpBinding" 
       bindingConfiguration="FileTransferServicesBinding" 
       contract="Services.IFileTransferService"/>
        <host>
          <baseAddresses>
            <add baseAddress="http://[hostname]/FileTransferService.svc"/>
          </baseAddresses>
        </host>
</service>

<binding name="wsHttpBinding" 
         maxReceivedMessageSize="2147483647" 
         receiveTimeout="5" 
         useDefaultWebProxy="false">
      <readerQuotas maxDepth="2147483647" 
             maxStringContentLength="2147483647" 
             maxArrayLength="2147483647" 
             maxBytesPerRead="2147483647" 
             maxNameTableCharCount="2147483647" />
  <security mode="Message">
    <message clientCredentialType="UserName" />
  </security>
</binding>

<basicHttpBinding>
    <binding name="FileTransferServicesBinding" 
           maxReceivedMessageSize="10067108864" 
           messageEncoding="Mtom" 
           transferMode="Streamed" 
           useDefaultWebProxy="false">
      <security mode="None">
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </basicHttpBinding>

Note: some clients are using basicHttpBinding (if I have set everything up correctly). In a newer version of the client (which may not yet be fully rolled out, which is why I have to support two versions) I changed the proxy to use the wsHttpBinding endpoint. I am wondering whether the error I am getting is specific to basicHttp and, if so, whether I have perhaps not set these configurations up correctly. I assume that the clients receiving this 403 error are using wsHttpBinding.

Here is the service code:

public RemoteBinaryInfo EstablishProxy(DownloadRequest request)
{
    int packageId = request.PackageId;

    // The whole package is loaded into memory and handed to WCF as the (MTOM) reply stream.
    System.IO.MemoryStream stream = new System.IO.MemoryStream(packageRepository.GetPackageBinary(packageId));

    DisposeStreamWhenOperationIsComplete(stream, OperationContext.Current);

    RemoteBinaryInfo result = new RemoteBinaryInfo();
    result.Length = stream.Length;
    result.MemoryByteStream = stream;
    return result;
}

// The stream must outlive the method call, so it is disposed only once WCF
// signals that the operation (including serialization of the reply) is complete.
private static void DisposeStreamWhenOperationIsComplete(System.IO.MemoryStream stream, OperationContext clientContext)
{
    clientContext.OperationCompleted += new EventHandler(delegate(object sender, EventArgs args)
    {
        if (stream != null)
            stream.Dispose();
    });
}

Does anyone know whether getting rid of this exception is within my control? Is there any configuration change I can make in the client or service configuration files?

Let me know if you need more information from me.

In my case, this error came from our organisation's HTTP proxy server. I found it from MessageSecurityException.InnerException.Response.Headers:

{Mime-Version: 1.0
X-Squid-Error: ERR_ACCESS_DENIED 0
X-Cache: <
X-Cache-Lookup: NONE from <proxy server address>
Proxy-Connection: close
Content-Length: 2165
Content-Type: text/html
Date: Wed, 25 Apr 2012 10:55:39 GMT
Server: squid/3.0.STABLE25
Via: 1.0 <proxy server address> (squid/3.0.STABLE25)
}

In my case this also happened with a file-transfer method that sends file chunks as byte arrays of size 16384. When the size was reduced to 10000, the error was resolved. This means the proxy server enforces some kind of size limit.

On a machine with direct Internet access, the file-transfer method does not fail with this error even with an array size > 16384.

Since only some of the clients are facing this issue, could they be behind a firewall/proxy server that is actually blocking access and returning this error?
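As an added example, not code from the original answer: a C# helper that does the InnerException.Response.Headers inspection described above, unwrapping the WebException inside the MessageSecurityException and reporting the headers (Via, X-Squid-Error, X-Cache-Lookup, and so on) that show the 403 was produced by an intermediary proxy rather than by the service or IIS. The class and method names are my own.

```csharp
using System;
using System.Net;
using System.ServiceModel.Security;

// Added diagnostic helper (not part of the original question or answers).
public static class ProxyDiagnostics
{
    // Response headers that reveal a forward proxy between client and service.
    private static readonly string[] ProxyHeaders =
        { "Via", "X-Squid-Error", "X-Cache", "X-Cache-Lookup", "Proxy-Connection", "Server" };

    // Usage: catch (MessageSecurityException ex) { Console.WriteLine(ProxyDiagnostics.Describe(ex)); }
    public static string Describe(MessageSecurityException ex)
    {
        // Walk the InnerException chain until the HTTP-layer WebException is found.
        WebException web = null;
        for (Exception e = ex; e != null; e = e.InnerException)
        {
            web = e as WebException;
            if (web != null) break;
        }
        if (web == null)
            return "No WebException in the chain; the failure did not come from the HTTP layer.";

        // For a 403 the status is ProtocolError and the proxy's response body/headers are available.
        var response = web.Response as HttpWebResponse;
        if (response == null)
            return "WebException without an HTTP response, status: " + web.Status;

        var sb = new System.Text.StringBuilder();
        sb.AppendFormat("HTTP {0} {1}\n", (int)response.StatusCode, response.StatusDescription);
        foreach (string name in ProxyHeaders)
        {
            string value = response.Headers[name];
            if (value != null)
                sb.AppendFormat("{0}: {1}\n", name, value);
        }

        // Via or X-Squid-Error means an intermediary generated the 403: the fix is on the
        // proxy (access list, request size limit), not in the WCF security configuration.
        if (response.Headers["Via"] != null || response.Headers["X-Squid-Error"] != null)
            sb.Append("Verdict: the 403 was generated by an intermediary proxy.\n");
        else
            sb.Append("Verdict: no proxy markers; check IIS authentication and resource ACLs.\n");
        return sb.ToString();
    }
}
```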

It seems to me that the clients receiving the MessageSecurityException are not supplying a valid username/password in their requests.

See the following MSDN topic: http://msdn.microsoft.com/en-us/library/ms733131.aspx

So you have a web service configured in IIS with anonymous authentication, and only a few users get a 403 Forbidden error.

In my own experience this is usually caused by an access-denied exception when accessing an ACL-controlled system resource, such as the file system.

If the w3wp.exe process (assuming IIS 7) is not impersonating each connecting user, it typically runs under the application pool identity (IIS APPPOOL\AppPoolName); if that identity has not been added to any of the required access control lists, the access-denied exception will cause IIS to respond with a 403 error.

I usually add the application pool identity to a group, and then add that group to whatever resources are required.

If you cannot work out which resource might be causing the exception, try looking for "Audit Failure" entries in the Security event log for clues. You may need to configure the local security policy to log security events.

Good luck
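As an added example, not from the answer above: a C# helper that pulls recent Audit Failure entries out of the Security log so the refused identity and the denied resource can be spotted. It assumes it runs elevated on the IIS host with object-access auditing enabled in the local security policy; the optional filter argument is a hypothetical substring such as the application pool identity.

```csharp
using System;
using System.Diagnostics.Eventing.Reader;

// Added example (not part of the original answer).
public static class AuditFailureScan
{
    // Windows sets this keyword bit on every "Audit Failure" event in the Security log.
    private const long AuditFailureKeyword = 0x10000000000000;

    // Returns the number of matching events; prints each one with its rendered description.
    public static int PrintRecentFailures(TimeSpan lookBack, string filter = null)
    {
        long windowMs = (long)lookBack.TotalMilliseconds;
        // Event-log XPath: failure keyword AND created within the look-back window.
        string xpath = string.Format(
            "*[System[band(Keywords,{0}) and TimeCreated[timediff(@SystemTime) <= {1}]]]",
            AuditFailureKeyword, windowMs);
        var query = new EventLogQuery("Security", PathType.LogName, xpath);

        int matches = 0;
        using (var reader = new EventLogReader(query))
        {
            for (EventRecord rec = reader.ReadEvent(); rec != null; rec = reader.ReadEvent())
            {
                using (rec)
                {
                    string text = rec.FormatDescription() ?? string.Empty;
                    // Narrow to the identity or path of interest, e.g. "IIS APPPOOL\\AppPoolName"
                    // (hypothetical value) or a directory under the site root.
                    if (filter != null &&
                        text.IndexOf(filter, StringComparison.OrdinalIgnoreCase) < 0)
                        continue;

                    matches++;
                    Console.WriteLine("{0:u}  EventID {1}", rec.TimeCreated, rec.Id);
                    Console.WriteLine(text);
                    Console.WriteLine(new string('-', 60));
                }
            }
        }
        return matches;
    }
}
```

Run it right after reproducing the failing service call (for example with `AuditFailureScan.PrintRecentFailures(TimeSpan.FromMinutes(10), "AppPoolName")`), so the denied object shows up near the top.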
