集群环境中的WCF身份定义
我提前为这个问题的长度表示歉意,但我想确保提供完整的信息,因为我已经研究了几周。
作为这个关于WCF授权错误的问题的后续,我试图确定如何指定服务的 SPN(或者应该是 UPN?)。
目前我的问题是,当尝试联系该服务时,我会通过负载均衡器。负载平衡器交替将我发送到两个服务器之一:svcserv1 或 svcserv2。我没有在服务代码中指定除负载均衡器域名之外的任何内容,但是当应用程序连接到一台服务器时一切正常,而另一台服务器始终无法进行身份验证。
打开 Kerberos 日志记录后,这是 svcserv1(虚拟服务器)的片段,显示成功。请注意,此成功引用了第二台服务器 (svcserv2),它是物理服务器。
Logon attempt using explicit credentials:
Logged on user:
User Name: jsweb
Domain: DOMAIN
Logon ID: (0x0,0x6278B2DA)
Logon GUID: {ca6e029d-4073-3f85-5ff5-16514b9acc03}
User whose credentials were used:
Target User Name: jsweb
Target Domain:
Target Logon GUID: -
Target Server Name: svcserv2.domain.com
Target Server Info: svcserv2.domain.com
Caller Process ID: 6680
Source Network Address: -
Source Port: -
故障发生在与 svcserv1 通信时,如下所示:
Logon attempt using explicit credentials:
Logged on user:
User Name: jsweb
Domain: DOMAIN
Logon ID: (0x0,0x6278B2DA)
Logon GUID: {ca6e029d-4073-3f85-5ff5-16514b9acc03}
User whose credentials were used:
Target User Name: jsweb
Target Domain:
Target Logon GUID: -
Target Server Name: svcserv1.domain.com
Target Server Info: svcserv1.domain.com
Caller Process ID: 6680
Source Network Address: -
Source Port: -
Logon Failure:
Reason: An error occurred during logon
User Name: jsweb
Domain:
Logon Type: 3
Logon Process: ˜]
Authentication Package: NTLM
Workstation Name: SVCSERV1
Status code: 0xC000006D
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.1.36.80
Source Port: 56078
用户“NT AUTHORITY\SYSTEM”的事件查看器中出现“登录失败”响应,因此我假设这就是该服务正在运行的用户。 jsweb id(上面)在 web.config 中设置为模拟身份:
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows"/>
</security>
SPN 为空,所以它默认为 NTLM。这可以在上面“身份验证包”旁边的失败输出中看到。
进一步引用 MSDN 表示“当您使用 NT LanMan (NTLM)对于身份验证,不会检查服务身份,因为在 NTLM 下,客户端无法对服务器进行身份验证。”所以这解释了这个问题,但我一直无法确定解决方案。我尚未为端点指定
<endpoint>
<identity>
<dns value="svcserv"/>
</identity>
</endpoint>
但这不起作用。
我确实发现这篇令人失望的 Microsoft 知识库文章,标题为“通过 Kerberos 进行身份验证委派在负载平衡体系结构中不起作用< /a>' 但我必须相信这是可能的,因为使用负载平衡器并不罕见。 也许我正在追寻自己的尾巴,因为在“设置 Kerberos 中根据集群名称服务主体名称进行身份验证'(特别是阶段 3:客户端管理),其中指出“实际上没有需要在客户端执行的特殊步骤。客户端计算机必须使用在域用户帐户上注册的 SPN”,那么我是否受到服务器管理团队的摆布?
感谢您的任何帮助,并随时要求澄清。
I apologize in advance for the length of this question, but I wanted to be sure to provide complete information as I have been researching it for weeks.
As a followup to this question on WCF authorization errors, I'm trying to determine how to specify the SPN (or should this be a UPN?) for the service.
My issue is currently that when attempting to contact the service I go through a load balancer. The load balancer alternately sends me to one of two servers, svcserv1 or svcserv2. I have not specified anything beyond the load balancer domain name in my service code, yet when the application connects to one server it is fine and the other always fails authentication.
After turning on Kerberos logging, this is a snippet from svcserv1 (a virtual server) which shows the success. Note that this success is referencing the second server (svcserv2), which is a physical server.
Logon attempt using explicit credentials:
Logged on user:
User Name: jsweb
Domain: DOMAIN
Logon ID: (0x0,0x6278B2DA)
Logon GUID: {ca6e029d-4073-3f85-5ff5-16514b9acc03}
User whose credentials were used:
Target User Name: jsweb
Target Domain:
Target Logon GUID: -
Target Server Name: svcserv2.domain.com
Target Server Info: svcserv2.domain.com
Caller Process ID: 6680
Source Network Address: -
Source Port: -
The failure is when communicating with svcserv1 and is as follows:
Logon attempt using explicit credentials:
Logged on user:
User Name: jsweb
Domain: DOMAIN
Logon ID: (0x0,0x6278B2DA)
Logon GUID: {ca6e029d-4073-3f85-5ff5-16514b9acc03}
User whose credentials were used:
Target User Name: jsweb
Target Domain:
Target Logon GUID: -
Target Server Name: svcserv1.domain.com
Target Server Info: svcserv1.domain.com
Caller Process ID: 6680
Source Network Address: -
Source Port: -
Logon Failure:
Reason: An error occurred during logon
User Name: jsweb
Domain:
Logon Type: 3
Logon Process: ˜]
Authentication Package: NTLM
Workstation Name: SVCSERV1
Status code: 0xC000006D
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.1.36.80
Source Port: 56078
The 'Logon Failure' response appears in the event viewer from user 'NT AUTHORITY\SYSTEM' so I'm assuming this is who the service is running as. The jsweb id (above) is set up in the web.config as the impersonating identity: <identity impersonate="true" userName="DOMAIN\jsweb" password="password"/>
For this reason it seems to me that it should be generating an SPN (host/hostname) but in the case of a clustered environment it makes more sense that a UPN (username@domainName) should be generated. Sorry if I can't be more specific here. Is there a way for me to see which is being expected/transmitted? This article states that "If you set the SPN or UPN equal to an empty string, a number of different things happen, depending on the security level and authentication mode being used. If you are using transport level security, NT LanMan (NTLM) authentication is chosen." Since I am using
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows"/>
</security>
and, apparently?, the SPN is blank, then it is defaulting to NTLM. This can be seen in the failure output above next to 'Authentication Package'.
Further referencing MSDN indicates that "When you use NT LanMan (NTLM) for authentication, the service identity is not checked because, under NTLM, the client is unable to authenticate the server." So this explains the issue, but I have not been able to determine the solution. I have not specified the <identity> for the endpoint but have tried to use the clustered domain name ...
<endpoint>
<identity>
<dns value="svcserv"/>
</identity>
</endpoint>
...but this has not worked.
I did find this disappointing Microsoft knowledgebase article titled, 'Authentication delegation through Kerberos does not work in load-balanced architectures' but I have to believe that it is possible since the use of a load balancer is not unusual.
Perhaps I am chasing my own tail since in 'Setting up Kerberos Authentication against the cluster name Service Principal Name' (specifically Phase 3: Administration of Client) it is stated that "There are really no special steps to be performed at the client. The client computer has to use the SPN registered on the domain user account" so am I at the mercy of the server admin team?
Thanks for any help and feel free to ask for clarification.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论