New-WebServiceProxy가 NTLM으로 인증하지 못했습니다.

Question

다소 특이한 문제를 다루고 있습니다. SharePoint 팜에서 목록 서비스를 사용할 필요가 있습니다. Oracle SSO를 통해 연합 된 웹 인증이지만 웹 요청을 수행 할 수있는 자동화를 위해 구성된 계정이 있습니다. AAM을 사용하여 AD에 직접 우회하는 서버 측 자동화를 위해 구성된 "내부"URL이 있으며 다른 모든 항목은 SSO에 푸시됩니다.

다음은 목록 컬렉션을 얻으려고 사용하는 코드입니다 (새 니타 이징 됨).

$username = "DOMAIN\username" 
$password = "somepassword" 
$site = "https://sp.biz.com/sites/SiteCollection" 

$credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, (ConvertTo-SecureString $password -AsPlainText -Force) 

$proxy = New-WebServiceProxy -Uri "$site/_vti_bin/Lists.asmx" -Credentials $credentials 

$proxy.GetListCollection() 

해당 코드를 사용할 때 403이 맞았습니다.

는 예외 "0"인수 (들) "GetListCollection"를 호출 : "서버 요청을 처리 할 수 ​​없습니다 ---> 액세스가 거부되었습니다 (HRESULT에서 예외 : 0x80070005입니다 (E_ACCESSDENIED)).."

내부 URL (AAM을 통해 설정)을 사용하고 프런트 엔드 중 하나에서 실행하도록 $ site를 변경하면 목록 수집이 성공적으로 수신됩니다. 이제 처음에는 계정과 권한에 문제가 있다고 생각했지만 Fiddler 캡처를 실행 한 후에는 인증되지 않은 것으로 나타났습니다.

다음의 cURL 명령을 실행하면 인증되어 목록 컬렉션이 반환됩니다. Soap.xml은 WDSL에서 바로 복사 된 기본 GetListCollection 패킷입니다.

curl -v -u 'username':'pass' --ntlm -X POST -H "Content-Type: text/xml" --data-binary @soap.xml https://sp.biz.com/sites/SiteCollection/_vti_bin/Lists.asmx 

다음은 cURL의 결과물을 자세히 보여줍니다.

* STATE: INIT => CONNECT handle 0x600056190; line 1029 (connection #-5000) 
* Hostname was NOT found in DNS cache 
* Trying <IPv6>... 
* STATE: CONNECT => WAITCONNECT handle 0x600056190; line 1082 (connection #0) 
    % Total % Received % Xferd Average Speed Time Time  Time Current 
           Dload Upload Total Spent Left Speed 
    0  0 0  0 0  0  0  0 --:--:-- --:--:-- --:--:--  0* Connected to sp.biz.com (<IPv6>) port 443 (#0) 
* successfully set certificate verify locations: 
* CAfile: /usr/ssl/certs/ca-bundle.crt 
    CApath: none 
* SSLv3, TLS handshake, Client hello (1): 
} [data not shown] 
* STATE: WAITCONNECT => PROTOCONNECT handle 0x600056190; line 1222 (connection #0) 
* SSLv3, TLS handshake, Server hello (2): 
{ [data not shown] 
* SSLv3, TLS handshake, CERT (11): 
{ [data not shown] 
* SSLv3, TLS handshake, Server finished (14): 
{ [data not shown] 
* SSLv3, TLS handshake, Client key exchange (16): 
} [data not shown] 
* SSLv3, TLS change cipher, Client hello (1): 
} [data not shown] 
* SSLv3, TLS handshake, Finished (20): 
} [data not shown] 
* SSLv3, TLS change cipher, Client hello (1): 
{ [data not shown] 
* SSLv3, TLS handshake, Finished (20): 
{ [data not shown] 
* SSL connection using TLSv1.2/DES-CBC3-SHA 
*  SSL certificate verify ok. 
* STATE: PROTOCONNECT => DO handle 0x600056190; line 1241 (connection #0) 
* Server auth using NTLM with user 'DOMAIN\username' 
> POST /sites/SiteCollection/_vti_bin/Lists.asmx HTTP/1.1 
> Authorization: NTLM <snip> 
> User-Agent: curl/7.39.0 
> Host: sp.biz.com 
> Accept: */* 
> Content-Type: text/xml 
> Content-Length: 0 
> 
* STATE: DO => DO_DONE handle 0x600056190; line 1314 (connection #0) 
* STATE: DO_DONE => WAITPERFORM handle 0x600056190; line 1441 (connection #0) 
* STATE: WAITPERFORM => PERFORM handle 0x600056190; line 1454 (connection #0) 
* HTTP 1.1 or later with persistent connection, pipelining supported 
< HTTP/1.1 401 Unauthorized 
* Server Microsoft-IIS/7.5 is not blacklisted 
< Server: Microsoft-IIS/7.5 
< SPRequestGuid: <snip> 
< WWW-Authenticate: NTLM <snip> 
< X-Powered-By: ASP.NET 
< MicrosoftSharePointTeamServices: 14.0.0.7006 
< X-MS-InvokeApp: 1; RequireReadOnly 
< Date: Fri, 16 Jan 2015 01:02:56 GMT 
< Content-Length: 0 
< Set-Cookie: BIGipServerserver_pool=<snip>; expires=Sat, 17-Jan-2015 01:02:56 GMT; path=/ 
< 
    0  0 0  0 0  0  0  0 --:--:-- --:--:-- --:--:--  0 
* Connection #0 to host sp.biz.com left intact 
* Issue another request to this URL: 'https://sp.biz.com/sites/SiteCollection/_vti_bin/Lists.asmx' 
* STATE: PERFORM => CONNECT handle 0x600056190; line 1601 (connection #-5000) 
* Found bundle for host sp.biz.com: 0x60006aef0 
* Re-using existing connection! (#0) with host sp.biz.com 
* Connected to sp.biz.com (<IPv6>) port 443 (#0) 
* STATE: CONNECT => DO handle 0x600056190; line 1075 (connection #0) 
* Server auth using NTLM with user 'DOMAIN\username' 
> POST /sites/SiteCollection/_vti_bin/Lists.asmx HTTP/1.1 
> Authorization: NTLM <snip> 
> User-Agent: curl/7.39.0 
> Host: sp.biz.com 
> Accept: */* 
> Content-Type: text/xml 
> Content-Length: 353 
> 
} [data not shown] 
* upload completely sent off: 353 out of 353 bytes 
* STATE: DO => DO_DONE handle 0x600056190; line 1314 (connection #0) 
* STATE: DO_DONE => WAITPERFORM handle 0x600056190; line 1441 (connection #0) 
* STATE: WAITPERFORM => PERFORM handle 0x600056190; line 1454 (connection #0) 
* HTTP 1.1 or later with persistent connection, pipelining supported 
< HTTP/1.1 200 OK 
< Cache-Control: private, max-age=0 
< Content-Type: text/xml; charset=utf-8 
* Server Microsoft-IIS/7.5 is not blacklisted 
< Server: Microsoft-IIS/7.5 
< SPRequestGuid: <snip> 
< Set-Cookie: FedAuth=<snip>; expires=Fri, 16-Jan-2015 08:36:07 GMT; path=/; secure; HttpOnly 
< X-SharePointHealthScore: 0 
< X-AspNet-Version: 2.0.50727 
< Persistent-Auth: true 
< X-Powered-By: ASP.NET 
< MicrosoftSharePointTeamServices: 14.0.0.7006 
< X-MS-InvokeApp: 1; RequireReadOnly 
< Date: Fri, 16 Jan 2015 01:02:56 GMT 
< Content-Length: 104088 
< Vary: Accept-Encoding 
< 
{ [data not shown] 
* STATE: PERFORM => DONE handle 0x600056190; line 1626 (connection #0) 
100 101k 100 101k 100 353 219k 762 --:--:-- --:--:-- --:--:-- 219k 
* Connection #0 to host sp.biz.com left intact 

모든 도움을 주시면 대단히 감사하겠습니다. cmdlet이 부족한 경우 PowerShell보다 C# 솔루션에 반대하지 않습니다.

---

2015년 1월 16일 동부 표준시 오후 12시 13분 업데이트 - 난 HighlyUnavailable의 제안을 반영하기 위해 질문을 업데이트하고 피들러 캡처에서 헤더를 포함. 여기

CONNECT sp.biz.com:443 HTTP/1.1 
Host: sp.biz.com 
Connection: Keep-Alive 
HTTP/1.1 200 Connection Established 
FiddlerGateway: Direct 
StartTime: 12:14:46.372 
Connection: close 
------------------------------------------------------------------ 
GET https://sp.biz.com/sites/SiteCollection/_vti_bin/Lists.asmx HTTP/1.1 
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.5485) 
Host: sp.biz.com 
Connection: Keep-Alive 
HTTP/1.1 200 OK 
Cache-Control: private, max-age=0 
Content-Type: text/html; charset=utf-8 
Server: Microsoft-IIS/7.5 
SPRequestGuid: <snip> 
X-SharePointHealthScore: 0 
X-AspNet-Version: 2.0.50727 
X-Powered-By: ASP.NET 
MicrosoftSharePointTeamServices: 14.0.0.7006 
X-MS-InvokeApp: 1; RequireReadOnly 
Date: Fri, 16 Jan 2015 17:14:46 GMT 
Connection: keep-alive 
Content-Length: 9066 
Set-Cookie: BIGipServerserver_pool=<snip>; expires=Sat, 17-Jan-2015 17:14:46 GMT; path=/ 
Vary: Accept-Encoding 
------------------------------------------------------------------ 
GET https://sp.biz.com/_vti_bin/Lists.asmx?disco HTTP/1.1 
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.5485) 
Host: sp.biz.com 
HTTP/1.1 200 OK 
Cache-Control: private 
Content-Type: text/xml; charset=utf-8 
Server: Microsoft-IIS/7.5 
SPRequestGuid: <snip> 
X-SharePointHealthScore: 0 
X-AspNet-Version: 2.0.50727 
X-Powered-By: ASP.NET 
MicrosoftSharePointTeamServices: 14.0.0.7006 
X-MS-InvokeApp: 1; RequireReadOnly 
Date: Fri, 16 Jan 2015 17:14:46 GMT 
Connection: close 
Content-Length: 747 
------------------------------------------------------------------ 
CONNECT sp.biz.com:443 HTTP/1.1 
Host: sp.biz.com 
Connection: Keep-Alive 
HTTP/1.1 200 Connection Established 
FiddlerGateway: Direct 
StartTime: 12:14:47.505 
Connection: close 
------------------------------------------------------------------ 
GET https://sp.biz.com/_vti_bin/Lists.asmx?wsdl HTTP/1.1 
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.5485) 
Host: sp.biz.com 
HTTP/1.1 200 OK 
Cache-Control: private 
Content-Type: text/xml; charset=utf-8 
Server: Microsoft-IIS/7.5 
SPRequestGuid: <snip> 
X-SharePointHealthScore: 0 
X-AspNet-Version: 2.0.50727 
X-Powered-By: ASP.NET 
MicrosoftSharePointTeamServices: 14.0.0.7006 
X-MS-InvokeApp: 1; RequireReadOnly 
Date: Fri, 16 Jan 2015 17:14:46 GMT 
Connection: close 
Content-Length: 72672 
Set-Cookie: BIGipServerserver_pool=<snip>; expires=Sat, 17-Jan-2015 17:14:47 GMT; path=/ 
Vary: Accept-Encoding 
------------------------------------------------------------------ 
CONNECT sp.biz.com:443 HTTP/1.1 
Host: sp.biz.com 
Connection: Keep-Alive 
HTTP/1.1 200 Connection Established 
FiddlerGateway: Direct 
StartTime: 12:14:48.727 
Connection: close 
------------------------------------------------------------------ 
POST https://sp.biz.com/_vti_bin/Lists.asmx HTTP/1.1 
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.5485) 
Content-Type: text/xml; charset=utf-8 
SOAPAction: "http://schemas.microsoft.com/sharepoint/soap/GetListCollection" 
Host: sp.biz.com 
Content-Length: 321 
Expect: 100-continue 
HTTP/1.1 500 Internal Server Error 
Cache-Control: private 
Content-Type: text/xml; charset=utf-8 
Server: Microsoft-IIS/7.5 
X-AspNet-Version: 2.0.50727 
X-Powered-By: ASP.NET 
MicrosoftSharePointTeamServices: 14.0.0.7006 
X-MS-InvokeApp: 1; RequireReadOnly 
Date: Fri, 16 Jan 2015 17:14:48 GMT 
Content-Length: 459 
Set-Cookie: BIGipServerserver_pool=686493706.47873.0000; expires=Sat, 17-Jan-2015 17:14:48 GMT; path=/ 
------------------------------------------------------------------ 

cURL을 명령의 머리글은 다음과 같습니다

여기 PowerShell 스크립트에서 소독 헤더입니다.

CONNECT sp.biz.com:443 HTTP/1.1 
Host: sp.biz.com:443 
User-Agent: curl/7.39.0 
Connection: Keep-Alive 
Content-Type: text/xml 
HTTP/1.1 200 Connection Established 
FiddlerGateway: Direct 
StartTime: 12:21:07.928 
Connection: close 
------------------------------------------------------------------ 
POST https://sp.biz.com/sites/SiteCollection/_vti_bin/Lists.asmx HTTP/1.1 
Authorization: NTLM <snip>= 
User-Agent: curl/7.39.0 
Host: sp.biz.com 
Accept: */* 
Content-Type: text/xml 
Content-Length: 0 
HTTP/1.1 401 Unauthorized 
Server: Microsoft-IIS/7.5 
SPRequestGuid: <snip> 
WWW-Authenticate: NTLM <snip> 
X-Powered-By: ASP.NET 
MicrosoftSharePointTeamServices: 14.0.0.7006 
X-MS-InvokeApp: 1; RequireReadOnly 
Date: Fri, 16 Jan 2015 17:21:07 GMT 
Content-Length: 0 
Set-Cookie: BIGipServerserver_pool=<snip>; expires=Sat, 17-Jan-2015 17:21:07 GMT; path=/ 
Proxy-Support: Session-Based-Authentication 
------------------------------------------------------------------ 
POST https://sp.biz.com/sites/SiteCollection/_vti_bin/Lists.asmx HTTP/1.1 
Authorization: NTLM <snip> 
User-Agent: curl/7.39.0 
Host: sp.biz.com 
Accept: */* 
Content-Type: text/xml 
Content-Length: 417 
HTTP/1.1 200 OK 
Cache-Control: private, max-age=0 
Content-Type: text/xml; charset=utf-8 
Server: Microsoft-IIS/7.5 
SPRequestGuid: <snip> 
Set-Cookie: FedAuth=<snip>; expires=Sat, 17-Jan-2015 03:20:50 GMT; path=/; secure; HttpOnly 
X-SharePointHealthScore: 0 
X-AspNet-Version: 2.0.50727 
Persistent-Auth: true 
X-Powered-By: ASP.NET 
MicrosoftSharePointTeamServices: 14.0.0.7006 
X-MS-InvokeApp: 1; RequireReadOnly 
Date: Fri, 16 Jan 2015 17:21:07 GMT 
Content-Length: 66628 
Vary: Accept-Encoding 
------------------------------------------------------------------ 

Answer 1

나는 이것에 대한 해결책을 찾지 못했지만 그 이유를 설명 할 수 있습니다. 우리 환경에서는 SAML v1.1과 함께 Oracle Identity Foundation SSO에 대해 Forms Based Authentication을 사용합니다.

인증을 시도하면 SSO로 리디렉션되지만 클라이언트는 SSO 대신 실제 웹 프런트 엔드에 대해 NTLM을 사용하려고합니다. 이 작업을 수행하려면 요청에 X-FORMS_BASED_AUTH_ACCEPTED: f 헤더를 포함시켜 실제로 NTLM을 사용하여 WFE (SSO 아님)에 대해 인증해야합니다.

다음과 같은 문제가 있습니다. PowerShell의 New-WebServiceProxy에 헤더를 추가 할 수 없습니다 (최대 4.0 개 - 아직 롤아웃하지 않았습니다). 문제가있는 다른 사람들을 위해 내가 할 수있는 유일한 권장 사항은 HighlyUnavailable의 제안을 따르거나 Invoke-WebRequest를 사용하여 직접 SOAP 호출을 작성하는 것입니다.

유일한 문제는 Invoke-WebRequest가 인코딩을 씹을 수 있다는 점입니다. 따라서 여기에서 어떻게 해결했는지 설명합니다. 누군가 인코딩 문제를 해결하기위한 제안을한다면, 나는 모든 귀입니다.

# Set your credentials here. 
$UserName = 'BartSimpson' 
$Password = '3atmMySh0rtz!' 
$Domain = 'SF' 
$SecurePassword = ConvertTo-SecureString -String $Password -AsPlainText -Force 
$Credentials = New-Object System.Management.Automation.PSCredential (($Domain + "\" + $UserName), $SecurePassword) 

# SOAP request headers and body 
$BaseHeaders = @{"X-FORMS_BASED_AUTH_ACCEPTED" = 'f'; 
       "SOAPAction" = "`"http://schemas.microsoft.com/sharepoint/soap/GetListCollection`""; 
       "Content-Type" = "text/xml; charset=utf-8"} 
$SOAP = @" 
<?xml version="1.0" encoding="utf-8"?> 
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> 
    <soap:Body> 
    <GetListCollection xmlns="http://schemas.microsoft.com/sharepoint/soap/" /> 
    </soap:Body> 
</soap:Envelope> 
"@ 
# Gives us a random temp file to pipe output to 
$TmpFile = [System.IO.Path]::GetTempFileName() 
Invoke-WebRequest -Uri $URL -Headers $BaseHeaders -Credential $Credentials -Method POST -Body $SOAP -OutFile $TmpFile 
# Get the outfile with UTF8 encoding 
[xml]$Result = Get-Content -Raw -Path $TmpFile -Encoding UTF8 
# Remove the temporary file 
Remove-Item $TmpFile 

는 그것이 갈 길이 방법처럼 보인다,하지만 당신은 PowerShell을 사용하여 주장하는 경우에 작동합니다.

나는 python-suds으로 전환하여 필요한 것을 할 수있었습니다.

Answer 2

여기서 두 가지 근본적으로 다른 기술을 혼합합니다.

$proxy = New-WebServiceProxy -Uri "$site/_vti_bin/Lists.asmx" -UseDefaultCredential $proxy.PreAuthenticate = $TRUE $proxy.Credentials = $credentials

UseDefaultCredential 통과하려고 시도하여 현재 사이트에 Windows 도메인 사용자 로그인. 그러나 자격 증명도 설정하고 있습니다. 일반적으로, 당신은 (http://technet.microsoft.com/en-us/library/hh849841.aspx 참조) 실행중인 컬 명령 -Credential을 사용하여 더 가깝다

-Credential $credentials을 사용 : -u이 동일합니다.

대신 $proxy = New-WebServiceProxy -Uri "$site/_vti_bin/Lists.asmx" -Credential $credentials과 같은 것을 사용해보세요.

그래도 문제가 해결되지 않으면 질문을 편집하여 Oracle SSO 연결에서 반환 된 헤더를 포함 시키십시오. 단순히 자격 증명을 묻는 메시지가 아닌 것일 수도 있습니다.