带有 Kerberos 身份验证的 ASP.NET HttpWebRequest

发布于 2024-09-19 10:06:50 字数 2049 浏览 3 评论 0原文

我正在尝试连接到使用 Kerberos 身份验证来授权用户的 Web 服务,但每次尝试发出请求时,我得到的都是未经授权的 401。下面是我正在使用的代码。预先感谢您提供的任何帮助!

    public XPathNavigator GSASearch(string url, string searchString)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url + searchString);
        request.CookieContainer = new CookieContainer();
        request.Credentials = CredentialCache.DefaultCredentials;
        request.ContentType = "text/xml";
        request.Method = "POST";

        HttpWebResponse response = (HttpWebResponse)request.GetResponse();

        Stream receiveStream = response.GetResponseStream();

        XPathDocument doc = new XPathDocument(receiveStream);
        return doc.CreateNavigator();
    }

编辑:我觉得我应该更多地解释一下我正在尝试做的事情。我的任务是为我公司的 Google Search Appliance 提供新界面。我正在使用 ASP.NET 页面,该页面执行一些操作,例如根据用户所在位置选择集合等,然后向 GSA 发送适当的搜索字符串。这一切都运行良好,直到他们决定打开身份验证,现在我无法得到任何结果(我要么收到 401 未经授权,要么收到一条消息,指出“根级别的数据无效”)。如果我获取搜索字符串并将其直接提供给 GSA,它会很好地进行身份验证并显示结果,但我似乎无法通过 HttpWebRequest 获取它。

编辑 2:我做了更多的查看(通过 Fiddler 运行请求),看起来该请求只是尝试协商而不是 Kerberos。我将凭据设置为显式使用 Kerberos,如下所示,但这没有帮助...

    public XPathNavigator GSASearch(string url, string searchString)
    {
        CredentialCache credCache = new CredentialCache();
        credCache.Add(new Uri(url), "Kerberos", CredentialCache.DefaultNetworkCredentials);

        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url + searchString);
        request.CookieContainer = new CookieContainer();
        request.PreAuthenticate = true;
        request.Credentials = credCache;
        request.ContentType = "text/xml";
        request.Method = "POST";

        HttpWebResponse response = (HttpWebResponse)request.GetResponse();

        Stream receiveStream = response.GetResponseStream();

        //StreamReader readStream = new StreamReader(receiveStream);

        XPathDocument doc = new XPathDocument(receiveStream);
        return doc.CreateNavigator();
    }

编辑 3:好的,再次仔细观察,CredentialCache.DefaultCredentials 中似乎没有我的网络凭据...

I am trying to connect to a web service that uses Kerberos Authentication to authorize the user, but all I get is a 401 unauthorized everytime I try to make the request. Below is the code that I am using. Thanks in advance for any help you can provide!

    public XPathNavigator GSASearch(string url, string searchString)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url + searchString);
        request.CookieContainer = new CookieContainer();
        request.Credentials = CredentialCache.DefaultCredentials;
        request.ContentType = "text/xml";
        request.Method = "POST";

        HttpWebResponse response = (HttpWebResponse)request.GetResponse();

        Stream receiveStream = response.GetResponseStream();

        XPathDocument doc = new XPathDocument(receiveStream);
        return doc.CreateNavigator();
    }

EDIT: I feel I should explain a bit more what I am attempting to do. I have been tasked with providing a new interface for my company's Google Search Appliance. I am using an ASP.NET page, which does some things like choose a Collection depending on where a user is located, etc. and then sends the appropriate search string the the GSA. This was all working well until they decided to turn authentication on, and now I can't get any results (I either get a 401 unauthorized, or a message stating that 'Data at the root level is invalid'). If I take the search string and provide it directly to the GSA, it authenticates fine, and displays the results, I just can't seem to get it through the HttpWebRequest.

EDIT 2: I did a little more looking (ran the request through Fiddler) and it looks like the request is only attempting Negotiate and not Kerberos. I set the credentials to use Kerberos explicitly as below, but it didn't help...

    public XPathNavigator GSASearch(string url, string searchString)
    {
        CredentialCache credCache = new CredentialCache();
        credCache.Add(new Uri(url), "Kerberos", CredentialCache.DefaultNetworkCredentials);

        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url + searchString);
        request.CookieContainer = new CookieContainer();
        request.PreAuthenticate = true;
        request.Credentials = credCache;
        request.ContentType = "text/xml";
        request.Method = "POST";

        HttpWebResponse response = (HttpWebResponse)request.GetResponse();

        Stream receiveStream = response.GetResponseStream();

        //StreamReader readStream = new StreamReader(receiveStream);

        XPathDocument doc = new XPathDocument(receiveStream);
        return doc.CreateNavigator();
    }

EDIT 3: Ok, looking closer again, the CredentialCache.DefaultCredentials doesn't appear to have my network credentials in it...

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

汐鸠 2024-09-26 10:06:51

1) 您是否使用浏览器对 GSA 的成功会话进行了wireshark 跟踪?那有用吗?

2) 如果#1 有效,那么 GSA 在第一个未经身份验证的请求上发送的 WWW-Authenticate 标头是什么?

3) 运行 ASPX 应用程序的计算机是否属于 GSA 所在的同一 AD 域? AFAIK 这可能是成功验证所必需的。

4) 接下来,由于是 ASPX 应用程序执行请求,因此您不能使用 DefaultCredentials,因为您实际上需要 GSA 信任的用户的凭据。为此,您应该为与 GSA 通信的应用程序创建一个特殊的用户帐户,或者让每个用户成为 GSA 上的受信任用户,并让 ASPX 页面首先对用户进行身份验证,然后使用委派将这些凭据传递给 GDA 。为此,您还必须使运行 ASPX 应用程序的服务器受信任进行委派。

在我看来,您应该首先将代码建模到您运行和调试的控制台应用程序中。然后将其移植到ASPX页面。这样您就能够知道故障是否是由于主机(ASPX 与控制台)或其他原因造成的。

1) Have you done a wireshark trace of a successful session to the GSA using the browser? Does that work?

2) If #1 works, what is the WWW-Authenticate header that is sent by the GSA on the first unauthenticated request?

3) Is the machine on which the ASPX app is running a part of the same AD domain that the GSA is in? AFAIK this is probably required for a successful auth.

4) Next, since it is the ASPX app that is doing the request, you cannot use the DefaultCredentials because you actually need the credentials of a user that is trusted by the GSA. For this you should either create a special user account for the app that is talking to the GSA, or have each user be a trusted user on the GSA and have the ASPX page authenticate the user first, then pass those credentials to the GDA using Delegation. For this you will also have to make the server running the ASPX app trusted for delegation.

In my opinion, you should first model your code into a console app that you run, and debug. Then port it to ASPX page. That way you will be able to know if the failure is due to the host (ASPX vs console) or something else.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文