间歇性“401:未经授权”服务器异常
我有一个托管在集群环境中的 Web 服务。调用此服务的 Web 应用程序也托管在群集环境中,但位于一组不同的 IIS6 服务器上。因此,应用程序服务器是 appserv1 和 appserv2,服务服务器是 svcserv1 和 svcserv2。我们不控制访问哪些服务器,因为我们通常将它们分别称为 appserv 或 svcserv。
该服务是 WCF 服务,但已创建为与 .Net 2.0 Web 服务框架兼容。应用程序运行良好,当它运行时,但可能> 35% 的时间服务会响应“异常:请求失败,HTTP 状态 401:未经授权。”错误。
我见过其他人建议直接设置凭据,我的应用程序正在这样做,如下所示。
Dim cc As New CredentialCache()
Dim service As WCFServiceRef.Reports
service = New WCFServiceRef.Reports
service.Url = serviceURL
cc.Add(New Uri(service.Url), "Negotiate", New NetworkCredential("username", "password"))
service.Credentials = cc
reportData = service.GenerateReport(reportid, True, parameters, "PDF", Environment)
我还尝试通过更改引用 URL 来绕过负载管理器并直接访问服务器的域名来直接访问各个服务器,但这没有任何区别。
我还看过这篇 MSDN 知识库文章,但因为我无法直接访问服务器配置(并且很难进行任何更改)我想确保我无法从应用程序方面做任何事情。请注意,服务器已配置为 Windows 身份验证,并且不允许匿名访问。
谢谢!
I have a web service that is hosted in a clustered environment. The web application that is calling this service is also hosted in a clustered environment, but on a different set of IIS6 servers. Hence, the application servers are appserv1 and appserv2 and the service servers are svcserv1 and svcserv2. We don't control which servers are accessed since we typically just refer to them as either appserv or svcserv, respectively.
The service is a WCF Service but has been created to be compatible with the .Net 2.0 Web Service framework. The application runs fine, when it runs, but probably > 35% of the time the service responds with an Exception: The request failed with HTTP status 401: Unauthorized. error.
I've seen others that recommend setting the credentials directly and my application is doing this as follows.
Dim cc As New CredentialCache()
Dim service As WCFServiceRef.Reports
service = New WCFServiceRef.Reports
service.Url = serviceURL
cc.Add(New Uri(service.Url), "Negotiate", New NetworkCredential("username", "password"))
service.Credentials = cc
reportData = service.GenerateReport(reportid, True, parameters, "PDF", Environment)
I have also tried to directly access the individual servers by changing the reference URLs to bypass the load manager and go directly to the domain name for the server but this hasn't made any difference.
I have also seen this MSDN KB article but since I don't directly have access to the server configuration (and it's difficult to get anything changed) I wanted to be sure there isn't something I can do from the application side. Note that the server has been configured for Windows Authentication and does not allow anonymous access.
Thanks!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
这在很大程度上取决于您的身份验证尝试是使用 Kerberos 还是回退到 NTLM。我建议使用像 Fiddler 这样的工具来捕获从应用程序服务器发送的数据包,以验证正在使用的身份验证协议。
如果您发现自己正在使用 Kerberos,请尝试执行以下操作:
希望这能有所帮助。如果您使用 NTLM,那么不幸的是我没有太多想法,因为我习惯在仅 Kerberos 的环境中工作。
A lot of this depends on whether your authentication attempts are using Kerberos or falling back to NTLM. I would suggest using a tool like Fiddler to capture packets being sent from your app server to validate what authentication protocol is being used.
If you find you're using Kerberos, here's a few things to try:
Hopefully that helps a bit. If you're using NTLM then I unfortunately don't have many ideas as I'm used to working in Kerberos-only environments.
首先,检查每台机器上的 IIS 日志,看看 401 错误是否来自单台机器。
接下来要检查的是 401 是否与特定 url 相关。
First thing is to check the IIS logs on each machine and see if the 401 errors are coming from a single machine.
The next thing to check is if the 401's are related to specific urls.
另一件需要考虑的事情是:
你需要粘性会话吗?
是否有服务器回收过于频繁?
导致您收到 401 错误的原因有很多,因此您只需仔细研究并找出发生了什么。
Another thing to consider:
Do you need sticky sessions?
Are there servers that are recycling too often?
There's a whole bunch of reasons why you may be getting 401s, so you'll just have to dig around and find out what's going on.