我遇到了一个奇怪的情况。我让它工作了,但我不明白为什么。具体情况如下:
有一个WCF服务,我的应用程序(网站)必须调用它。WCF服务公开netTcpBinding并要求传输安全(Windows)。客户端和服务器在同一个域中,但在不同的服务器上。
因此,生成客户端将导致以下配置(大多数情况下是默认配置)
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="MyTcpEndpoint" ...>
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Transport">
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign"/>
<message clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
</bindings>
<client>
<endpoint address="net.tcp://localhost:xxxxx/xxxx/xxx/1.0"
binding="netTcpBinding" bindingConfiguration="MyTcpEndpoint"
contract="Service.IMyService" name="TcpEndpoint"/>
</client>
</system.serviceModel>
当我运行网站并调用服务时,我得到以下错误:
System.ServiceModel.Security.SecurityNegotiationException: Either the target name is incorrect or the server has rejected the client credentials. ---> System.Security.Authentication.InvalidCredentialException: Either the target name is incorrect or the server has rejected the client credentials. ---> System.ComponentModel.Win32Exception: The logon attempt failed
--- End of inner exception stack trace ---
at System.Net.Security.NegoState.EndProcessAuthentication(IAsyncResult result)
at System.Net.Security.NegotiateStream.EndAuthenticateAsClient(IAsyncResult asyncResult)
at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.InitiateUpgradeAsyncResult.OnCompleteAuthenticateAsClient(IAsyncResult result)
at System.ServiceModel.Channels.StreamSecurityUpgradeInitiatorAsyncResult.CompleteAuthenticateAsClient(IAsyncResult result)
--- End of inner exception stack trace ---
Server stack trace:
at System.ServiceModel.AsyncResult.End[TAsyncResult](IAsyncResult result)
at System.ServiceModel.Channels.ServiceChannel.SendAsyncResult.End(SendAsyncResult result)
at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)
....
现在,如果我像这样修改客户端的配置:
<endpoint address="net.tcp://localhost:xxxxx/xxxx/xxx/1.0"
binding="netTcpBinding" bindingConfiguration="MyTcpEndpoint"
contract="Service.IMyService" name="TcpEndpoint">
<identity>
<dns />
</identity>
</endpoint>
一切正常,我的服务器很高兴地报告说,它被托管我网站的AppPool的服务帐户调用。一切都很好。
我现在的问题是:为什么这是可行的?这是做什么的?我仅仅通过反复试验就得到了这个解决方案。对我来说,<dns />
标记所做的一切似乎就是告诉客户端使用默认的DNS进行身份验证,但它不是已经这样做了吗?
更新
因此,经过更多的研究和反复试验,我仍然没有找到这个问题的答案。在某些情况下,如果我不提供<dns />
,我会得到Credentials rejected
错误,但如果我提供<dns value="whatever"/>
配置,它就可以工作。为什么?
https://stackoverflow.com/questions/2781683
复制相似问题