我在这里遇到一个奇怪的情况。我知道了,但是我不明白为什么。
情况如下:
我的应用程序(网站)必须调用WCF服务。 WCF服务公开netTcpBinding,并且需要传输安全性(Windows)。
客户端和服务器位于同一域中,但位于不同的服务器上。
因此,生成客户端会导致以下配置(通常是默认设置)
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="MyTcpEndpoint" ...>
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Transport">
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign"/>
<message clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
</bindings>
<client>
<endpoint address="net.tcp://localhost:xxxxx/xxxx/xxx/1.0"
binding="netTcpBinding" bindingConfiguration="MyTcpEndpoint"
contract="Service.IMyService" name="TcpEndpoint"/>
</client>
</system.serviceModel>
当我运行网站并调用该服务时,出现以下错误:
System.ServiceModel.Security.SecurityNegotiationException: Either the target name is incorrect or the server has rejected the client credentials. ---> System.Security.Authentication.InvalidCredentialException: Either the target name is incorrect or the server has rejected the client credentials. ---> System.ComponentModel.Win32Exception: The logon attempt failed
--- End of inner exception stack trace ---
at System.Net.Security.NegoState.EndProcessAuthentication(IAsyncResult result)
at System.Net.Security.NegotiateStream.EndAuthenticateAsClient(IAsyncResult asyncResult)
at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.InitiateUpgradeAsyncResult.OnCompleteAuthenticateAsClient(IAsyncResult result)
at System.ServiceModel.Channels.StreamSecurityUpgradeInitiatorAsyncResult.CompleteAuthenticateAsClient(IAsyncResult result)
--- End of inner exception stack trace ---
Server stack trace:
at System.ServiceModel.AsyncResult.End[TAsyncResult](IAsyncResult result)
at System.ServiceModel.Channels.ServiceChannel.SendAsyncResult.End(SendAsyncResult result)
at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)
....
现在,如果我像这样改变客户端的配置:
<endpoint address="net.tcp://localhost:xxxxx/xxxx/xxx/1.0"
binding="netTcpBinding" bindingConfiguration="MyTcpEndpoint"
contract="Service.IMyService" name="TcpEndpoint">
<identity>
<dns />
</identity>
</endpoint>
一切正常,我的服务器高兴地报告它是由托管我的网站的AppPool的服务帐户调用的。都好。
我现在的问题是:为什么这样做有效?这是做什么的?我只是通过反复试验就获得了这种解决方案。在我看来,
<dns />标记所做的所有事情都是告诉客户端使用默认DNS进行身份验证,但是无论如何,它不是这样做吗?更新
因此,经过更多研究和反复试验,我仍然没有找到解决该问题的方法。
在某些情况下,如果我不提供
<dns />,则会收到Credentials rejected错误,但如果我提供<dns value="whatever"/>配置,它将可以正常工作。为什么?
最佳答案
<dns/>标记允许客户端验证服务器身份。例如,如果您说了<dns value="google.com"/>,它将验证WCF服务器提供google.com身份。既然您说了<dns/>,它可能只允许所有人为您服务。
有关更多信息,请访问Service Identity and Authentication
关于wcf - WCF客户端端点:不带<dns>的SecurityNegotiationException,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/2781683/