我有一个带有netTcpBinding绑定的自托管WCF服务。我的服务器和客户端都将在同一个域中,所以我想使用Windows身份验证,但我也希望客户端验证服务器凭据(以避免内部中间人/ dns篡改攻击)。我已经读过这样做的方法是使用SPN,但我似乎无法让它工作;无论spn设置为客户端的工作原理(即服务器和客户端不匹配,但客户端仍然连接)。显然我有一些配置错误,但我不知道在哪里。以下是服务器的服务配置:
<system.serviceModel>
<services>
<service name="AaaAuthService.AaaAuthService" behaviorConfiguration="AaaAuthServiceBehavior">
<endpoint address="" binding="netTcpBinding" bindingConfiguration="NetTcpBinding_IAaaAuth" contract="AAA.IAaaAuthService">
<!--
<identity>
<servicePrincipalName value="AaaShlkjhlkjjjjhhhhjjpn/justink-pc.sgasdf1.allamericanasphaltasdf.casdfom"/>
</identity>
-->
</endpoint>
<host>
<baseAddresses>
<add baseAddress="net.tcp://localhost:9000/IAaaAuthService"/>
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="AaaAuthServiceBehavior">
<serviceThrottling maxConcurrentCalls="2147483647" maxConcurrentInstances="2147483647" maxConcurrentSessions="2147483647"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<netTcpBinding>
<binding name="NetTcpBinding_IAaaAuth" closeTimeout="00:00:20" openTimeout="00:00:10" receiveTimeout="00:00:10" sendTimeout="00:00:10" hostNameComparisonMode="StrongWildcard" maxConnections="2147483647">
<security mode="Transport">
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign"/>
<message clientCredentialType="Windows"/>
</security>
</binding>
</netTcpBinding>
</bindings>
似乎传入了Windows凭据 - 使用帐户信息填充OperationContext.Current.ServerSecurityContext.WindowsIdentity。
我在这里缺少什么?