netTCP binding Soap Security Negotiation Failed

北城以北 提交于 2019-12-04 00:36:34

Windows services register themselves with either a User Principal Name or a Service Principal Name (documentation). To quote from that link: "If the service is running under the LocalSystem, LocalService, or NetworkService account, a service principal name (SPN) is generated by default in the form of host/ because those accounts have access to the computer's SPN data. If the service is running under a different account, Windows Communication Foundation (WCF) generates a UPN in the form of @." In fact, this quote is rather similar to what your error message is stating. So it seems that...

a) if the service is running under the Local Service account or similar standard account, then you need to adjust your client configuration file to have this, where the actual server's name is "address" and the endpoint is running on port 4503:

<identity>
     <servicePrincipalName value="host/address:4503" />
</identity>

b) alternately, if you are running under a dedicated service account (let's call it "ServiceAccount" on the domain "MyDomain"), then you want

<identity>
     <userPrincipalName value="ServiceAccount@MyDomain" />
</identity>

Please note that you may need to use the fully-qualified domain name in both cases, including the Forest and Tree levels. For a simple domain inside of your private LAN/WAN, that will mean address.MyDomain.local and ServiceAccount@MyDomain.local. If your domain is in a tree called MyTree then it will be ServiceAccount@MyDomain.MyTree.local; if that is in a forest called MyForest then it will be Serviceaccount@MyDomain.MyTree.MyForest.local (and similar for ServicePrincipalName). The fully-qualified name is needed when you are using Kerberos for authentication.

There is also a dirty hack, as posted here, here, and here, and analysed here.

You can supply a dummy Service Principal Name (SPN). In that case, WCF will not fail, but fall back to NTLM for authentication which doesn't verify the principal.

So, configuration:

    <identity>
      <servicePrincipalName value="dummy" >
    </identity>

and programmatically

    EndpointIdentity identity = EndpointIdentity.CreateSpnIdentity("dummy");

using ChannelFactory:

    Uri uri = new Uri("net.tcp://<myServer>:<myPort>/myServiceAddress");
    ChannelFactory channelFactory = new ChannelFactory<IMyContract>(new NetTcpBinding());
    channelFactory.CreateChannel(new EndpointAddress(uri, identity)

will also work.

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!