部署后 WCF Windows 身份验证不起作用

Question

我有带有 Windows 身份验证的 WCF 服务。将其部署到另一台服务器后，我收到以下异常：

System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized

客户端配置没有改变，如下所示：

<ws2007HttpBinding>
  <binding name="autoSecureBinding">
    <security mode="TransportWithMessageCredential">
      <transport clientCredentialType="Windows" proxyCredentialType="None" realm=""></transport>
      <message clientCredentialType="Windows" negotiateServiceCredential="true" establishSecurityContext="false"/>
    </security>
  </binding>
</ws2007HttpBinding>

编辑：当我在浏览器中打开我的服务时，我收到以下错误：

Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.

有人知道可能是什么问题吗？

Answer 1

同一活动目录域下是否有另一台服务器？

您还想转到目标 IIS 并查看站点/应用程序身份验证设置是否将“Windows 身份验证”设置为“启用”。 （请参阅下面的 IIS7 屏幕）

Answer 2

这是我正在使用的 Win auth only WCF 服务的工作 web.config（仅在 IIS 中启用 Windows 身份验证）。

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
        <compilation debug="true" targetFramework="4.0" />
    </system.web>
    <system.serviceModel>
        <behaviors>
            <serviceBehaviors>
                <behavior>
                    <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
                    <serviceMetadata httpGetEnabled="true" />
                    <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
                    <serviceDebug includeExceptionDetailInFaults="true" />
                </behavior>
            </serviceBehaviors>
        </behaviors>
        <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
        <bindings>
            <basicHttpBinding>
                <binding name="MyBindingForWindowsAuth">
                    <security mode="TransportCredentialOnly">
                        <transport clientCredentialType="Ntlm" />
                        <!--<transport clientCredentialType="Windows" />-->
                    </security>
                </binding>
            </basicHttpBinding>
        </bindings>
        <services>
            <service name="DataAccessService.Service">
                <endpoint address="" binding="basicHttpBinding" bindingConfiguration="MyBindingForWindowsAuth" contract="DataAccessService.IService" />
                <endpoint address="mex" binding="basicHttpBinding" bindingConfiguration="MyBindingForWindowsAuth" contract="IMetadataExchange" />
            </service>
        </services>
    </system.serviceModel>
    <system.webServer>
        <modules runAllManagedModulesForAllRequests="true" />
        <directoryBrowse enabled="true" />
    </system.webServer>
</configuration>

有了这个设置，如果你想将 ASP.NET 用户身份传递给 WCF，你有 3 个选项：

选项1：

client.ClientCredentials.Windows.ClientCredential = new NetworkCredential("phil.morris", "P4ssW0rd", "mydomain");

选项2：

使用模拟：

using (((WindowsIdentity)HttpContext.Current.User.Identity).Impersonate())
{
    string s = client.GetUserInfo();
    retVal = "Wcf User: " + s;
}

选项 3：
在调用方 ASP.NET 应用程序中启用 ASP.NET 模拟