HttpClient 401 未经授权的异常 'The system cannot contact a domain controller to service the authentication request.'

Question

我在尝试使用 HttpClient 连接到远程 ASP.NET 网络 api 时收到异常的 401 未经授权错误：

System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized. ---> System.ComponentModel.Win32Exception: The system cannot contact a domain controller to service the authentication request. Please try again later
at System.Net.NTAuthentication.GetOutgoingBlob(Byte[] incomingBlob, Boolean throwOnError, SecurityStatus& statusCode)
at System.Net.NTAuthentication.GetOutgoingBlob(String incomingBlob)
at System.Net.NegotiateClient.DoAuthenticate(String challenge, WebRequest webRequest, ICredentials credentials, Boolean preAuthenticate)
at System.Net.NegotiateClient.Authenticate(String challenge, WebRequest webRequest, ICredentials credentials)
at System.Net.AuthenticationManagerDefault.Authenticate(String challenge, WebRequest request, ICredentials credentials)
at System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials authInfo)
at System.Net.HttpWebRequest.CheckResubmitForAuth()
at System.Net.HttpWebRequest.CheckResubmit(Exception& e, Boolean& disableUpload)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at System.Threading.Tasks.Task`1.get_Result()
at eNett.Contracts.Client.ClientApiProxy.<GetUsers>b__26_0(Task`1 response) in C:\eNett\Git\sl-ct\Client\eNett.Contracts.Client\ClientApiProxy.cs:line 361
at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
at System.Threading.Tasks.Task.Execute()
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at System.Threading.Tasks.Task`1.get_Result()

我有以下设置：

1. ASP.NET Web API 托管在服务器 A

即

HttpListener listener = (HttpListener)app.Properties["System.Net.HttpListener"];
            listener.AuthenticationSchemes = 
AuthenticationSchemes.IntegratedWindowsAuthentication;

2. ASP.NET Windows 服务托管在连接到网络的服务器 A/本地主机上 API:

即

     var httpClient = new HttpClient(new HttpClientHandler() 
     { 
     UseDefaultCredentials = true 
     }) 
     { 
        BaseAddress = new Uri(baseUri) 
     };
     var request = new HttpRequestMessage
     {
            Method = HttpMethod.Get,
            RequestUri = BuildUri(relativeUri, parameters),
     };
    httpClient.SendAsync(request, cancellationToken);

身份验证在以下情况下有效：

• 我在本地 PC 上托管网络 api 并使用本地客户端进行呼叫

• 服务器 A 上的 Web api 从我本地 PC 上的 Web 浏览器调用

服务器 A 和我的本地 PC 正在使用：

• 同域
• Web api 和客户端
的相同 AD 凭据
• HTTPS/SSL连接

到目前为止我尝试了很多东西，但任何建议都很好。

更新： 发现环回检查是问题所在 https://blogs.technet.microsoft.com/scottstewart/2014/09/15/disableloopbackcheck-when-routing-through-a-load-balancer-powershell-sample-included/ 通过服务器 A 的 FQDN 请求导致错误，但使用其 IP 有效。现在正在考虑为服务器 A 设置 SPN 以解决此问题。

Answer 1

发现环回检查是问题https://blogs.technet.microsoft.com/scottstewart/2014/09/15/disableloopbackcheck-when-routing-through-a-load-balancer-powershell-sample-included/通过服务器 A 的 FQDN 请求导致错误，但使用其 IP 有效。现在正在考虑为服务器 A 设置 SPN 以解决此问题。