部署后，WCF Windows身份验证不起作用

Question

我有Windows身份验证的WCF服务。将其部署到另一台服务器后，我收到以下异常：

System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized

客户端配置未更改，如下所示：

<ws2007HttpBinding>
  <binding name="autoSecureBinding">
    <security mode="TransportWithMessageCredential">
      <transport clientCredentialType="Windows" proxyCredentialType="None" realm=""></transport>
      <message clientCredentialType="Windows" negotiateServiceCredential="true" establishSecurityContext="false"/>
    </security>
  </binding>
</ws2007HttpBinding>

编辑：当我在浏览器中打开我的服务时，收到以下错误：

Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.

有人知道可能是什么问题吗？

Answer 1

另一台服务器是否在同一个活动目录域下？

此外，您希望转到目标IIS，并查看“站点/应用程序身份验证”设置是否已将“Windows身份验证”设置为“已启用”。 （参见下面IIS7的屏幕）

Answer 2

以下是我正在使用的Win auth only WCF服务的工作web.config（在IIS中仅启用了Windows身份验证）。

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
        <compilation debug="true" targetFramework="4.0" />
    </system.web>
    <system.serviceModel>
        <behaviors>
            <serviceBehaviors>
                <behavior>
                    <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
                    <serviceMetadata httpGetEnabled="true" />
                    <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
                    <serviceDebug includeExceptionDetailInFaults="true" />
                </behavior>
            </serviceBehaviors>
        </behaviors>
        <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
        <bindings>
            <basicHttpBinding>
                <binding name="MyBindingForWindowsAuth">
                    <security mode="TransportCredentialOnly">
                        <transport clientCredentialType="Ntlm" />
                        <!--<transport clientCredentialType="Windows" />-->
                    </security>
                </binding>
            </basicHttpBinding>
        </bindings>
        <services>
            <service name="DataAccessService.Service">
                <endpoint address="" binding="basicHttpBinding" bindingConfiguration="MyBindingForWindowsAuth" contract="DataAccessService.IService" />
                <endpoint address="mex" binding="basicHttpBinding" bindingConfiguration="MyBindingForWindowsAuth" contract="IMetadataExchange" />
            </service>
        </services>
    </system.serviceModel>
    <system.webServer>
        <modules runAllManagedModulesForAllRequests="true" />
        <directoryBrowse enabled="true" />
    </system.webServer>
</configuration>

有了这个设置，如果你想将ASP.NET用户身份传递给WCF，你有3个选择：

选项1：

client.ClientCredentials.Windows.ClientCredential = new NetworkCredential("phil.morris", "P4ssW0rd", "mydomain");

选项2：

使用模仿：

using (((WindowsIdentity)HttpContext.Current.User.Identity).Impersonate())
{
    string s = client.GetUserInfo();
    retVal = "Wcf User: " + s;
}

选项3：
在调用者ASP.NET应用程序中启用ASP.NET模拟