HTTP请求未经客户端身份validationscheme“协商”授权。 从服务器收到的validation头是“NTLM”

几天前,我在客户端和wcf web服务之间使用Windows身份validation时遇到了身份validation问题。 我得到的错误是“HTTP请求是未经授权的客户端身份validationscheme”Negotiate“,从服务器接收到的身份validation头是”NTLM“,堆栈上的解决scheme都没有工作,因为大部分解决scheme都与旧方法有关。

Solutions Collecting From Web of "HTTP请求未经客户端身份validationscheme“协商”授权。 从服务器收到的validation头是“NTLM”"

答案:问题是这个问题的所有帖子都与代理证书或AllowNTLM属性帮助的较老的kerberos和IIS问题有关。 我的情况是不同的。 我从几乎所有的地方发现蠕虫之后发现的是,有些IIS安装不包括在IIS Windows身份验证提供程序列表下的协商提供程序。 所以我不得不把它添加并移动。 我的WCF服务开始按预期进行身份验证。 下面是如果您使用匿名身份验证OFF的Windows身份验证应该看起来的屏幕截图。

您需要右键单击Windows身份验证并选择提供程序菜单项。

在这里输入图像说明

希望这有助于节省一些时间。

我已经将WCF的旧版本升级到WCF 4,并希望您也可以做出类似的更改。

1. Web.config:

<system.serviceModel> <bindings> <basicHttpBinding> <binding name="Demo_BasicHttp"> <security mode="TransportCredentialOnly"> <transport clientCredentialType="InheritedFromHost"/> </security> </binding> </basicHttpBinding> </bindings> <services> <service name="DemoServices.CalculatorService.ServiceImplementation.CalculatorService" behaviorConfiguration="Demo_ServiceBehavior"> <endpoint address="" binding="basicHttpBinding" bindingConfiguration="Demo_BasicHttp" contract="DemoServices.CalculatorService.ServiceContracts.ICalculatorServiceContract"> <identity> <dns value="localhost"/> </identity> </endpoint> <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" /> </service> </services> <behaviors> <serviceBehaviors> <behavior name="Demo_ServiceBehavior"> <!-- To avoid disclosing metadata information, set the values below to false before deployment --> <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/> <!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information --> <serviceDebug includeExceptionDetailInFaults="false"/> </behavior> </serviceBehaviors> </behaviors> <protocolMapping> <add scheme="http" binding="basicHttpBinding" bindingConfiguration="Demo_BasicHttp"/> </protocolMapping> <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" /> </system.serviceModel> 

2. App.config:

  <system.serviceModel> <bindings> <basicHttpBinding> <binding name="BasicHttpBinding_ICalculatorServiceContract" maxBufferSize="2147483647" maxBufferPoolSize="33554432" maxReceivedMessageSize="2147483647" closeTimeout="00:10:00" sendTimeout="00:10:00" receiveTimeout="00:10:00"> <readerQuotas maxArrayLength="2147483647" maxBytesPerRead="4096" /> <security mode="TransportCredentialOnly"> <transport clientCredentialType="Ntlm" proxyCredentialType="None" realm="" /> </security> </binding> </basicHttpBinding> </bindings> <client> <endpoint address="http://localhost:24357/CalculatorService.svc" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_ICalculatorServiceContract" contract="ICalculatorServiceContract" name="Demo_BasicHttp" /> </client> </system.serviceModel> 

对我来说,解决方案除了使用“Ntlm”作为证书类型:

  XxxSoapClient xxxClient = new XxxSoapClient(); ApplyCredentials(userName, password, xxxClient.ClientCredentials); private static void ApplyCredentials(string userName, string password, ClientCredentials clientCredentials) { clientCredentials.UserName.UserName = userName; clientCredentials.UserName.Password = password; clientCredentials.Windows.ClientCredential.UserName = userName; clientCredentials.Windows.ClientCredential.Password = password; clientCredentials.Windows.AllowNtlm = true; clientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation; } 

对我来说,解决方案是将AppPoolIdentity设置为AppPoolIdentity为NetworkService标识。