问题描述
我有一个在群集环境中托管的Web服务.调用此服务的Web应用程序也托管在群集环境中,但是在另一组IIS6服务器上.因此,应用程序服务器为appserv1和appserv2,服务服务器为svcserv1和svcserv2.我们不控制访问哪些服务器,因为通常通常分别将它们分别称为appserv或svcserv.
该服务是WCF服务,但已创建为与.Net 2.0 Web Service框架兼容.该应用程序在运行时运行良好,但可能在服务响应的时间> 35%时出现异常:请求失败,HTTP状态为401:未经授权.错误.
I have a web service that is hosted in a clustered environment. The web application that is calling this service is also hosted in a clustered environment, but on a different set of IIS6 servers. Hence, the application servers are appserv1 and appserv2 and the service servers are svcserv1 and svcserv2. We don't control which servers are accessed since we typically just refer to them as either appserv or svcserv, respectively.
The service is a WCF Service but has been created to be compatible with the .Net 2.0 Web Service framework. The application runs fine, when it runs, but probably > 35% of the time the service responds with an Exception: The request failed with HTTP status 401: Unauthorized. error.
我见过其他建议直接设置凭据的人,我的应用程序正在执行以下操作.
I've seen others that recommend setting the credentials directly and my application is doing this as follows.
Dim cc As New CredentialCache()
Dim service As WCFServiceRef.Reports
service = New WCFServiceRef.Reports
service.Url = serviceURL
cc.Add(New Uri(service.Url), "Negotiate", New NetworkCredential("username", "password"))
service.Credentials = cc
reportData = service.GenerateReport(reportid, True, parameters, "PDF", Environment)
我还尝试通过更改参考URL来直接访问各个服务器,以绕过负载管理器并直接转到服务器的域名,但这没有任何区别.
I have also tried to directly access the individual servers by changing the reference URLs to bypass the load manager and go directly to the domain name for the server but this hasn't made any difference.
我也看到了此 MSDN KB文章,但是由于我没有直接访问权限服务器配置(而且很难进行任何更改),我想确保在应用程序方面没有我可以做的事情.请注意,该服务器已配置为Windows身份验证,并且不允许匿名访问.
I have also seen this MSDN KB article but since I don't directly have access to the server configuration (and it's difficult to get anything changed) I wanted to be sure there isn't something I can do from the application side. Note that the server has been configured for Windows Authentication and does not allow anonymous access.
谢谢!
推荐答案
很多情况取决于您的身份验证尝试是使用Kerberos还是使用NTLM.我建议使用Fiddler之类的工具来捕获从您的应用服务器发送的数据包,以验证所使用的身份验证协议.
A lot of this depends on whether your authentication attempts are using Kerberos or falling back to NTLM. I would suggest using a tool like Fiddler to capture packets being sent from your app server to validate what authentication protocol is being used.
如果发现使用的是Kerberos,请尝试以下操作:
If you find you're using Kerberos, here's a few things to try:
- 让您的管理员在两台服务器上启用Kerberos错误日志记录,然后重新尝试进行身份验证并检查事件日志中是否存在任何Kerberos错误.请参见 http://support.microsoft.com/kb/262177 .
- 检查为您的服务注册的SPN-假设您的服务的FQDN为myservice.prd.ad,则您需要两个SPN-如果您的IIS6应用程序池未作为服务运行,则应将它们注册到托管您的服务的服务器上帐户,否则应注册到服务帐户:
- HTTP/MYSERVICE.PRD.AD
- HTTP/MYSERVICE
- Get your admins to enable Kerberos error logging on both servers, then reattempt the authentication and check for any Kerberos errors in the event logs. See http://support.microsoft.com/kb/262177.
- Check the SPNs registered for your service - assuming the FQDN of your service is myservice.prd.ad you would want two SPNs - they should be registered to the servers hosting your service if your IIS6 app pool is not running as a service account, and should be registered to the service account otherwise:
- HTTP/MYSERVICE.PRD.AD
- HTTP/MYSERVICE
希望这会有所帮助.如果您使用的是NTLM,那么不幸的是,由于我习惯于仅在Kerberos的环境中工作,因此我的想法并不多.
Hopefully that helps a bit. If you're using NTLM then I unfortunately don't have many ideas as I'm used to working in Kerberos-only environments.
这篇关于服务器间歇性的"401:未经授权"异常的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!