错误消息:由于身份验证失败,无法满足安全令牌的请求
我正在尝试访问 WCF 服务 (MS CRM 2011) 并收到上述错误。如果我使用 Cassini 或 IIS Express 从 VS2010 调试器运行示例程序,效果会很好。没有验证错误。
但是,如果我将网站发布到本地 IIS 7.5(运行 Windows 7 64 位),我会在获取 CRM UserId (WhoAmIResponse) 的线路上收到错误消息。
我打开Fiddler来比较在调试器下运行和在IIS下运行之间的请求。在 IIS 下运行的站点上,该请求甚至从未遇到过,因此在达到这一点之前它一定已经失败了。
发布到 IIS 的网站的 web.config 设置为...
<authentication mode="Windows">
</authentication>
<identity impersonate="true"/>
该网站在预安装的 ASP.NET v4.0 应用程序池、集成管道模式、ApplicationPoolIdentity 帐户下运行。
这是我的代码...
public class DemoController : Controller
{
public ActionResult Index()
{
ClientCredentials credentials = new ClientCredentials();
credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
var _serviceProxy = new OrganizationServiceProxy(new Uri("http://svr-rex2011-dev/TimeEntry/XRMServices/2011/Organization.svc"),
null,
credentials,
null);
// This statement is required to enable early-bound type support.
_serviceProxy.ServiceConfiguration.CurrentServiceEndpoint.Behaviors.Add(new ProxyTypesBehavior());
IOrganizationService service = (IOrganizationService)_serviceProxy;
// Display information about the logged on user.
Guid userid = ((WhoAmIResponse)service.Execute(new WhoAmIRequest())).UserId;
SystemUser systemUser = (SystemUser)service.Retrieve("systemuser", userid,
new ColumnSet(new string[] { "firstname", "lastname" }));
// Retrieve the version of Microsoft Dynamics CRM.
RetrieveVersionRequest versionRequest = new RetrieveVersionRequest();
RetrieveVersionResponse versionResponse =
(RetrieveVersionResponse)service.Execute(versionRequest);
ViewBag.FirstName = systemUser.FirstName;
ViewBag.LastName = systemUser.LastName;
ViewBag.Version = versionResponse.Version;
return View();
}
}
有什么想法吗?非常感谢!
I am trying to access a WCF service (MS CRM 2011) and getting the above error. If I run my sample program from the VS2010 debugger with either Cassini or IIS Express it works great. No authentication errors.
However, if I publish the site to my local IIS 7.5 (running Windows 7 64 bit), I get the error on the line that grabs the CRM UserId (WhoAmIResponse).
I opened Fiddler to compare the requests between running under the debugger and running under IIS. On the site running under IIS the request never even comes across, so it must be failing before getting that far.
The site as published to IIS has its web.config set for ...
<authentication mode="Windows">
</authentication>
<identity impersonate="true"/>
The site is running under the preinstalled ASP.NET v4.0 app pool, Integrated pipeline mode, ApplicationPoolIdentity account.
Here is my code...
public class DemoController : Controller
{
public ActionResult Index()
{
ClientCredentials credentials = new ClientCredentials();
credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
var _serviceProxy = new OrganizationServiceProxy(new Uri("http://svr-rex2011-dev/TimeEntry/XRMServices/2011/Organization.svc"),
null,
credentials,
null);
// This statement is required to enable early-bound type support.
_serviceProxy.ServiceConfiguration.CurrentServiceEndpoint.Behaviors.Add(new ProxyTypesBehavior());
IOrganizationService service = (IOrganizationService)_serviceProxy;
// Display information about the logged on user.
Guid userid = ((WhoAmIResponse)service.Execute(new WhoAmIRequest())).UserId;
SystemUser systemUser = (SystemUser)service.Retrieve("systemuser", userid,
new ColumnSet(new string[] { "firstname", "lastname" }));
// Retrieve the version of Microsoft Dynamics CRM.
RetrieveVersionRequest versionRequest = new RetrieveVersionRequest();
RetrieveVersionResponse versionResponse =
(RetrieveVersionResponse)service.Execute(versionRequest);
ViewBag.FirstName = systemUser.FirstName;
ViewBag.LastName = systemUser.LastName;
ViewBag.Version = versionResponse.Version;
return View();
}
}
Any ideas? Much appreciated!!!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您描述的情况似乎是这样的:当您的应用程序在 IIS 上运行时尝试访问 CRM 服务时,您会收到身份验证错误。当您从 Visual Studio 或 IIS Express 运行应用程序时,不会出现身份验证错误。
如果这是真的,我很确定您的问题是由于用于为您的应用程序运行 IIS AppPool 的身份造成的。您需要将AppPool身份更改为具有网络的身份访问 CRM 服务。通常它应该是具有正确权限的域帐户,但是可以使用具有相同密码的本地计算机帐户来执行此操作(如果域可用,绝对不建议这样做)。
It seems the situation you are describing is this: you are getting authentication errors when your app tries to access the CRM service when it is running on IIS. When you run your app from Visual Studio or IIS Express then you don't have authentication errors.
If this is true, I'm pretty sure your issue is due to the identity used to run the IIS AppPool for your application. You need to change the AppPool identity to one that has network access to the CRM service. Normally it should be a domain account with the correct permissions but there are ways of doing this using local machine accounts that have the same password (definitely not recommend if a domain is available).
我遇到了同样的问题,就我而言,结果是由于 CRM 是负载平衡的。事实证明,通过 Kerberos 进行身份验证委派在负载平衡体系结构中不起作用。
我们通过 HOST 条目将应用程序直接指向其中一台 CRM 服务器来解决这个问题,这绕过了负载平衡。
我希望这可以节省我花费的几个小时。
I was having the same problem and, in my case, it turned out to be due to the fact that CRM was load-balanced. It turns out that Authentication delegation through Kerberos does not work in load-balanced architectures.
We got around this by pointing our application directly to one of the CRM servers via a HOST entry, which bypassed the load balancing.
I hope that saves someone the several hours it cost me.