Update: I can make this work by using DisableLoopbackCheck, but I would prefer a solution that doesn't require disabling security features.
Getting an error connecting to the Dynamics 2011 CRM Organization Service web API:
"The Security Support Provider Interface (SSPI) negotiation failed."
The environment is as follows:
- MS Dynamics 2011 CRM on-prem
- .NET client web application on the SAME SERVER
NB The client application has been in use for several years and works fine when hosted on a server other than the Dynamics one.
I have another .NET console app that uses the same code to connect to the Org service, and it works fine. I also translated the connection and query code from the problem application into PowerShell, and that works fine.
I assume that because the client and server are on the same box, authentication is handled differently, but I don't understand enough to troubleshoot further. Below are all the logs I have been able to collect and the code from the client application.
Error logged by the client application:
Exception : The caller was not authenticated by the service.
Trace :
Server stack trace:
at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Security.CommunicationObjectSecurityTokenProvider.Open(TimeSpan timeout)
at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at (NameSpaceRoot).InfoPathFormSubmissionServices.BusinessLogic.GetWebUserFromWebUserLogon(String webUserLogon)
in (Source Files Path)\InfoPathFormSubmissionServices\InfoPathFormSubmissionServices\BusinessLogic.cs:line 68
at (NameSpaceRoot).InfoPathFormSubmissionServices.InfoPathFormSubmissionServices.SetWebUserStatusToLocked(String webUserLogon)
in (Source Files Path)\InfoPathFormSubmissionServices\InfoPathFormSubmissionServices\InfoPathFormSubmissionServices.asmx.cs:line 123
IIS logs for Dynamics:
2019-06-25 23:41:11 fe80::7198:d8b:faac:2f66%12 GET /(Crm_Org)/XRMServices/2011/Organization.svc wsdl+OnBeginRequest:06/25/2019-23:41:11.602+LogEntries:4+SqlCalls:0+SqlCallsMs:0+GC:46+OnEndRequest:23:41:11.605 80 - fe80::7198:d8b:faac:2f66%12 - - 200 0 0 6
2019-06-25 23:41:11 fe80::7198:d8b:faac:2f66%12 GET /(Crm_Org)/XRMServices/2011/Organization.svc wsdl=wsdl0+OnBeginRequest:06/25/2019-23:41:11.613+LogEntries:4+SqlCalls:0+SqlCallsMs:0+GC:46+OnEndRequest:23:41:11.626 80 - fe80::7198:d8b:faac:2f66%12 - - 200 0 0 33
2019-06-25 23:41:11 fe80::7198:d8b:faac:2f66%12 POST /(Crm_Org)/XRMServices/2011/Organization.svc +OnBeginRequest:06/25/2019-23:41:11.948+LogEntries:4+SqlCalls:0+SqlCallsMs:0+GC:46+OnEndRequest:23:41:11.954 80 - fe80::7198:d8b:faac:2f66%12 - - 200 0 0 8
2019-06-25 23:41:11 fe80::7198:d8b:faac:2f66%12 POST /(Crm_Org)/XRMServices/2011/Organization.svc +OnBeginRequest:06/25/2019-23:41:11.960+LogEntries:4+SqlCalls:0+SqlCallsMs:0+GC:46+OnEndRequest:23:41:11.969 80 - fe80::7198:d8b:faac:2f66%12 - - 500 0 0 11
IIS failed request trace (full trace at https://pastebin.com/4xig9bcv)
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="WWW Server" Guid="{3A2A4E84-4C21-4981-AE10-3FDA0D9B0F83}"/>
<EventID>0</EventID>
<Version>1</Version>
<Level>5</Level>
<Opcode>49</Opcode>
<Keywords>0x0</Keywords>
<TimeCreated SystemTime="2019-06-25T23:41:11.969Z"/>
<Correlation ActivityID="{00000000-0000-0000-6503-0080020000E3}"/>
<Execution ProcessID="12028" ThreadID="4376"/>
<Computer>(ServerName)</Computer>
</System>
<EventData>
<Data Name="ContextId">{00000000-0000-0000-6503-0080020000E3}</Data>
<Data Name="Buffer"><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"><s:Header><a:Action s:mustUnderstand="1">http://www.w3.org/2005/08/addressing/soap/fault</a:Action><a:RelatesTo>urn:uuid:c5357be5-13c3-4292-8537-b5b7351075bf</a:RelatesTo></s:Header><s:Body><s:Fault><s:Code><s:Value>s:Sender</s:Value><s:Subcode><s:Value xmlns:a="http://schemas.xmlsoap.org/ws/2005/02/trust">a:FailedAuthentication</s:Value></s:Subcode></s:Code><s:Reason><s:Text xml:lang="en-AU">The request for security token could not be satisfied because authentication failed.</s:Text></s:Reason></s:Fault></s:Body></s:Envelope></Data>
</EventData>
<RenderingInfo Culture="en-AU">
<Opcode>GENERAL_RESPONSE_ENTITY_BUFFER</Opcode>
</RenderingInfo>
<ExtendedTracingInfo xmlns="http://schemas.microsoft.com/win/2004/08/events/trace">
<EventGuid>{D42CF7EF-DE92-473E-8B6C-621EA663113A}</EventGuid>
</ExtendedTracingInfo>
</Event>
Dynamics trace:
>AUTH: AuthenticationProvider [Microsoft.Crm.Authentication.PassThroughAuthenticationProvider] handled request [http://(fqdn)/(crm_org)/XRMServices/2011/Organization.svc] from [fe80::7198:d8b:faac:2f66%12].
[2019-06-24 15:55:53.498] Process: w3wp |Organization:00000000-0000-0000-0000-000000000000 |Thread: 8 |Category: Platform.Sdk |User: 00000000-0000-0000-0000-000000000000 |Level: Error |ReqId: cf76f77c-b8bc-43a0-bcc3-9ecb393e7857 | TraceSource.TraceData ilOffset = 0x68
at TraceSource.TraceData(TraceEventType eventType, Int32 id, Object data) ilOffset = 0x68
at LegacyDiagnosticTrace.TraceEvent(TraceEventType type, Int32 code, String msdnTraceCode, String description, TraceRecord trace, Exception exception, Object source) ilOffset = 0x0
at ExceptionUtility.ThrowHelper(Exception exception, TraceEventType eventType, TraceRecord extendedData) ilOffset = 0x33
at WindowsSspiNegotiation.GetOutgoingBlob(Byte[] incomingBlob, ChannelBinding channelbinding, ExtendedProtectionPolicy protectionPolicy) ilOffset = 0x37B
at SspiNegotiationTokenAuthenticator.ProcessNegotiation(SspiNegotiationTokenAuthenticatorState negotiationState, Message incomingMessage, BinaryNegotiation incomingNego) ilOffset = 0x0
at NegotiationTokenAuthenticator`1.ProcessRequestCore(Message request) ilOffset = 0x206
at NegotiationSyncInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs) ilOffset = 0x11
at DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc) ilOffset = 0x97
at ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc) ilOffset = 0x48
at ImmutableDispatchRuntime.ProcessMessage11(MessageRpc& rpc) ilOffset = 0x2B7
at MessageRpc.Process(Boolean isOperationContextSet) ilOffset = 0x65
at ChannelHandler.DispatchAndReleasePump(RequestContext request, Boolean cleanThread, OperationContext currentOperationContext) ilOffset = 0x239
at ChannelHandler.HandleRequest(RequestContext request, OperationContext currentOperationContext) ilOffset = 0xEC
at ChannelHandler.AsyncMessagePump(IAsyncResult result) ilOffset = 0x39
at ChannelHandler.OnAsyncReceiveComplete(IAsyncResult result) ilOffset = 0x19
at AsyncThunk.UnhandledExceptionFrame(IAsyncResult result) ilOffset = 0x0
at AsyncResult.Complete(Boolean completedSynchronously) ilOffset = 0xC2
at AsyncQueueReader.Set(Item item) ilOffset = 0x2F
at InputQueue`1.Dispatch() ilOffset = 0x129
at ScheduledOverlapped.IOCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped) ilOffset = 0x22
at IOCompletionThunk.UnhandledExceptionFrame(UInt32 error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped) ilOffset = 0x5
at _IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP) ilOffset = 0x78
>
<TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Error">
<TraceIdentifier>http://msdn.microsoft.com/en-AU/library/System.ServiceModel.Diagnostics.ThrowingException.aspx</TraceIdentifier>
<Description>Throwing an exception.</Description>
<AppDomain>/LM/W3SVC/1/ROOT-1-132058283697551644</AppDomain>
<Exception><ExceptionType>System.ComponentModel.Win32Exception, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>The Security Support Provider Interface (SSPI) negotiation failed.</Message>
<StackTrace> at System.ServiceModel.Security.WindowsSspiNegotiation.GetOutgoingBlob(Byte[] incomingBlob, ChannelBinding channelbinding, ExtendedProtectionPolicy protectionPolicy)
> at System.ServiceModel.Security.SspiNegotiationTokenAuthenticator.ProcessNegotiation(SspiNegotiationTokenAuthenticatorState negotiationState, Message incomingMessage, BinaryNegotiation incomingNego)
> at System.ServiceModel.Security.NegotiationTokenAuthenticator`1.ProcessRequestCore(Message request)
> at System.ServiceModel.Security.NegotiationTokenAuthenticator`1.NegotiationHost.NegotiationSyncInvoker.Invoke(Object instance, Object[] inputs, Object[]&amp; outputs)
> at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc&amp; rpc)
> at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc&amp; rpc)
> at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage11(MessageRpc&amp; rpc)
> at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)
> at System.ServiceModel.Dispatcher.ChannelHandler.DispatchAndReleasePump(RequestContext request, Boolean cleanThread, OperationContext currentOperationContext)
> at System.ServiceModel.Dispatcher.ChannelHandler.HandleRequest(RequestContext request, OperationContext currentOperationContext)
> at System.ServiceModel.Dispatcher.ChannelHandler.AsyncMessagePump(IAsyncResult result)
> at System.ServiceModel.Dispatcher.ChannelHandler.OnAsyncReceiveComplete(IAsyncResult result)
> at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
> at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
> at System.Runtime.InputQueue`1.AsyncQueueReader.Set(Item item)
> at System.Runtime.InputQueue`1.Dispatch()
> at System.Runtime.IOThreadScheduler.ScheduledOverlapped.IOCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped)
> at System.Runtime.Fx.IOCompletionThunk.UnhandledExceptionFrame(UInt32 error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped)
> at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)
></StackTrace><ExceptionString>System.ComponentModel.Win32Exception (0x80004005): The Security Support Provider Interface (SSPI) negotiation failed.</ExceptionString>
<NativeErrorCode>8009030C</NativeErrorCode>
</Exception>
</TraceRecord>
Client query code (fails at service.RetrieveMultiple ...):
public phx_web_user GetWebUserFromWebUserLogon(string webUserLogon)
{
try
{
var webuserExp = new ConditionExpression
{
AttributeName = PhxMetadata.phx_web_user.Fields.phx_username,
Operator = ConditionOperator.Equal,
Values = { webUserLogon }
};
var filtExp = new FilterExpression();
filtExp.AddCondition(webuserExp);
QueryExpression query = new QueryExpression
{
EntityName = phx_web_user.EntityLogicalName,
Criteria = filtExp
};
query.ColumnSet.AllColumns = true;
query.NoLock = true;
var response = service.RetrieveMultiple(query);
if (response.Entities.Count > 0)
return response.Entities[0].ToEntity<phx_web_user>();
else
return null;
}
catch (Exception ex)
{
throw ex;
}
}
Client connection code:
ClientCredentials credentials = new ClientCredentials();
credentials.Windows.ClientCredential = new System.Net.NetworkCredential(Global.crmLogon, Global.crmPassword, Global.crmDomain);
using (_serviceProxy = new OrganizationServiceProxy(Global.organizationUri, Global.homeRealmUri, credentials, null))
{
_serviceProxy.ServiceConfiguration.CurrentServiceEndpoint.Behaviors.Add(new ProxyTypesBehavior());
System.ServiceModel.EndpointAddress endpointAdd = new System.ServiceModel.EndpointAddress((Global.organizationUri), System.ServiceModel.EndpointIdentity.CreateDnsIdentity(""));
_serviceProxy.ServiceConfiguration.CurrentServiceEndpoint.Address = endpointAdd;
_serviceProxy.Timeout = new TimeSpan(0, 5, 0);
_service = (IOrganizationService)_serviceProxy;
BusinessLogic logic = new BusinessLogic(_service);
using (PhoenixContext srv = new PhoenixContext(_service))
{
// Change status to Locked
phx_web_user existingWebUser = new phx_web_user();
phx_web_user tempWebUserRecord = logic.GetWebUserFromWebUserLogon(webUserLogon);
WCF trace: client's outgoing SSPI negotiation
Severity Information
TraceIdentifier http://msdn.microsoft.com/en-AU/library/System.ServiceModel.Security.SpnegoClientNegotiation.aspx
Description Client's outgoing SSPI negotiation.
AppDomain /LM/W3SVC/3/ROOT-1-132059851767534826
Protocol NTLM
ServicePrincipalName host/
MutualAuthentication False
ImpersonationLevel Impersonate
WCF trace: errors - received after the outgoing SSPI negotiation
- "The request for security token could not be satisfied because authentication failed."
- "The caller was not authenticated by the service."
WCF trace: server events
- Information: "Security impersonation succeeded at the server" (immediately followed by ...)
- Error: "The Security Support Provider Interface (SSPI) negotiation failed." (and then ...)
- Warning: "Service's security negotiation processing failure."
Windows Security event log:
- Failed logon attempts using the user account used to authenticate to the Org service. Status 0xC000006D indicates a bad username/password, but I am sure that is not the case. The same creds work successfully from a remote machine.
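
Added example, not part of the original question: Windows has a narrower alternative to DisableLoopbackCheck, the BackConnectionHostNames value, which exempts only the listed host names from the NTLM loopback check. The PowerShell below audits both values and, once -WhatIf is removed, adds one host name; the host name is a placeholder, and that this setting resolves the error above is an assumption.

```powershell
# Added example (not from the original post). Run in an elevated session on
# the server that hosts both the client application and Dynamics CRM.
$Lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10 = Join-Path $Lsa 'MSV1_0'

function Get-LoopbackCheckState {
    param([Parameter(Mandatory = $true)][string]$ServiceHost)

    # DisableLoopbackCheck = 1 switches the check off for every host name.
    $flag = (Get-ItemProperty -Path $Lsa -Name DisableLoopbackCheck `
             -ErrorAction SilentlyContinue).DisableLoopbackCheck

    # BackConnectionHostNames (REG_MULTI_SZ) exempts only the names it lists.
    $names = @((Get-ItemProperty -Path $Msv10 -Name BackConnectionHostNames `
                -ErrorAction SilentlyContinue).BackConnectionHostNames) |
             Where-Object { $_ }

    New-Object PSObject -Property @{
        ServiceHost           = $ServiceHost
        LoopbackCheckDisabled = ($flag -eq 1)
        ExemptHostNames       = @($names)
        HostIsExempt          = (@($names) -contains $ServiceHost)
    }
}

function Add-BackConnectionHostName {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$ServiceHost)

    $state = Get-LoopbackCheckState -ServiceHost $ServiceHost
    if ($state.HostIsExempt) { return $state }   # nothing to change

    # Keep the existing entries and append the new host name.
    [string[]]$updated = @($state.ExemptHostNames) + $ServiceHost
    if ($PSCmdlet.ShouldProcess($Msv10, "Add '$ServiceHost' to BackConnectionHostNames")) {
        New-ItemProperty -Path $Msv10 -Name BackConnectionHostNames `
            -PropertyType MultiString -Value $updated -Force | Out-Null
    }
    Get-LoopbackCheckState -ServiceHost $ServiceHost
}

# 'crm.example.internal' is a placeholder for the host in the organization URI.
Get-LoopbackCheckState -ServiceHost 'crm.example.internal'
Add-BackConnectionHostName -ServiceHost 'crm.example.internal' -WhatIf
```

Once the host name is listed, DisableLoopbackCheck can be returned to 0 so the check stays on for every other name.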