I have the following infrastructure:

Computer #1: Microsoft SQL Server 2008, started under the System account. There is a login Master\MyLogin (using Windows Authentication), server role = sysadmin, database role = db_owner.

Computer #2: a WCF service on IIS 7.0. The application and site run under the account Master\IISLogin (IISLogin@myDomain.ru).

Configuration:
<configuration>
  <system.web>
    <compilation debug="true" />
  </system.web>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <binding name="CommonWindowsBinding" maxReceivedMessageSize="40000000">
          <security mode="TransportWithMessageCredential">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
    <services>
      <service behaviorConfiguration="CommonBehavior" name="MyNameSpace.AdminService">
        <endpoint address="Windows" binding="netTcpBinding" bindingConfiguration="CommonWindowsBinding" name="IAdminServiceWindows" contract="MyNameSpace.IAdminService">
          <identity>
            <dns value="WCFServer" />
            <userPrincipalName value="IISLogin@myDomain.ru"/>
          </identity>
        </endpoint>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="CommonBehavior">
          <dataContractSerializer maxItemsInObjectGraph="10000000" />
          <serviceMetadata httpGetEnabled="true" policyVersion="Policy15" />
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceCredentials>
            <clientCertificate>
              <authentication certificateValidationMode="PeerTrust" />
            </clientCertificate>
            <serviceCertificate findValue="WCFServer" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
            <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="MyClassFullName, MyDllFullName" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
The service has the method

[OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
public bool HasRole(string roleName)
{
    // work with the database
}

The database is accessed with EF 5.0, database-first. Connection string:

"Data Source=Computer1; Initial Catalog=myDB; Integrated Security=True; Multipleactiveresultsets=True; Persist Security Info=True;"

Computer #3: the client. It has the following configuration
<configuration>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <binding name="CommonWindowsBinding" closeTimeout="00:01:00"
                 openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
                 transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions"
                 hostNameComparisonMode="StrongWildcard" listenBacklog="10"
                 maxBufferPoolSize="524288" maxBufferSize="65536" maxConnections="10"
                 maxReceivedMessageSize="40000000">
          <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          <reliableSession ordered="true" inactivityTimeout="00:10:00"
                           enabled="false" />
          <security mode="TransportWithMessageCredential">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <client>
      <endpoint name="Megatec.MasterTourService.Contracts.IAdminServiceWindows"
                address="net.tcp://Computer2:5012/IISTest/AdminService.svc/Windows"
                behaviorConfiguration="CustomBehavior"
                binding="netTcpBinding"
                bindingConfiguration="CommonWindowsBinding"
                contract="Megatec.MasterTourService.Contracts.IAdminService">
        <identity>
          <dns value="WCFServer" />
        </identity>
      </endpoint>
    </client>
    <behaviors>
      <!-- the opening <endpointBehaviors> element was missing in the posted config; the closing tag was present -->
      <endpointBehaviors>
        <behavior name="CustomBehavior">
          <dataContractSerializer maxItemsInObjectGraph="10000000"/>
          <clientCredentials>
            <clientCertificate findValue="WCFClient" x509FindType="FindBySubjectName"
                               storeLocation="LocalMachine" storeName="My" />
            <serviceCertificate>
              <defaultCertificate findValue="WCFServer" storeLocation="LocalMachine"
                                  x509FindType="FindBySubjectName" />
              <authentication certificateValidationMode="PeerTrust"
                              revocationMode="NoCheck"
                              trustedStoreLocation="LocalMachine"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
The channel has the following credentials

channelFactory.Credentials.Windows.AllowedImpersonationLevel =
    System.Security.Principal.TokenImpersonationLevel.Delegation;
channelFactory.Credentials.Windows.ClientCredential =
    System.Net.CredentialCache.DefaultNetworkCredentials;

It fails with the DB error

Login failed for user 'NT AUTHORITY\Anonymous'

So there is some problem with WCF delegation. When I try simple username/password authentication, it works fine, so the certificates etc. are OK.

I did step 4 from this instruction, but it doesn't work.

Is there something wrong with my code or configuration? How do I fix it?

UPDATE.

Tried (no result):

[OperationBehavior(Impersonation = ImpersonationOption.Allowed)] => [OperationBehavior(Impersonation = ImpersonationOption.Required)]

Tried (no result):

On the service side

ServiceSecurityContext.Current.WindowsIdentity.ImpersonationLevel = Impersonation (not Delegation!)

When I tried to change the IIS pool identity from ApplicationPoolIdentity to IISLogin@myDomain.ru, the client on Computer 3 crashed.
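The "Anonymous" login above is the classic double-hop symptom: the service thread holds a token that is only at Impersonation level, so when it opens the SQL connection the second hop to Computer1 carries no credentials. The following is an added example, not the poster's code, of how the service operation can verify that before touching the database and fail closed instead of silently connecting as the wrong principal. It assumes (hypothetically) the contract name `IAdminService`, the connection string quoted in the question, and that role membership is checked with SQL Server's `IS_MEMBER()` function; the EF context from the question is replaced by a plain `SqlConnection` to keep the example self-contained.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.ServiceModel;

// Added example (not the poster's code): a defensive version of HasRole.
// Assumptions: contract IAdminService, the question's connection string,
// and SQL Server's IS_MEMBER() for the role check.
public class AdminService // : IAdminService
{
    private const string ConnectionString =
        "Data Source=Computer1; Initial Catalog=myDB; Integrated Security=True; " +
        "Multipleactiveresultsets=True; Persist Security Info=True;";

    // Required (rather than Allowed) makes WCF reject the call when the
    // caller's token cannot be impersonated at all, instead of running the
    // query under the IIS process account.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public bool HasRole(string roleName)
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;

        // The second hop (IIS -> SQL Server) only works with a Delegation-level
        // token. Anything lower is exactly the symptom in the question: the
        // SQL login arrives as the anonymous account. Surface that clearly
        // rather than letting the SqlException come back with no context.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            throw new FaultException(
                "Caller token for " + caller.Name + " is at level " +
                caller.ImpersonationLevel + "; Delegation is required to reach SQL Server.");
        }

        // With ImpersonationOption.Required the thread already runs as the
        // caller; the explicit Impersonate() scopes that to the DB work and
        // guarantees the token is reverted when the block is left.
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand("SELECT IS_MEMBER(@role);", conn))
        {
            // Parameterised so the role name is never spliced into the SQL text.
            cmd.Parameters.Add(new SqlParameter("@role", roleName));
            conn.Open();
            object result = cmd.ExecuteScalar();
            // IS_MEMBER returns 1 (member), 0 (not a member) or NULL (no such role).
            return result != null && result != DBNull.Value && Convert.ToInt32(result) == 1;
        }
    }
}
```

The level check is cheap and turns a vague SQL login failure into a fault that names the caller and the token level, which is what you want to see in the service log while sorting out the delegation settings on the client, the IIS identity and the AD account.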
Answer 0 (score: 1)

Try the following in your computer3 configuration (in place of your current <behaviors>...</behaviors> block):
<behaviors>
  <endpointBehaviors>
    <behavior name="CustomBehavior">
      <clientCredentials>
        <!--<windows allowNtlm="false" allowedImpersonationLevel="Delegation" />-->
        <windows allowNtlm="true" allowedImpersonationLevel="Delegation" />
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
EDIT: You may also need to set the Active Directory record for Computer2 to allow delegation of credentials to Computer1 for "all types" (not just Kerberos).

Answer 1 (score: 0)

Unfortunately, the Transport / TransportWithMessageCredential security modes do not support this kind of work with client credentials and delegation. I changed CommonWindowsBinding as follows:

Server
<binding name="CommonWindowsBinding" maxReceivedMessageSize="40000000">
  <security mode="Message">
    <message clientCredentialType="Windows" />
  </security>
</binding>
Client
<binding name="CommonWindowsBinding" closeTimeout="00:01:00"
         openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
         transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions"
         hostNameComparisonMode="StrongWildcard" listenBacklog="10"
         maxBufferPoolSize="524288" maxBufferSize="65536" maxConnections="10"
         maxReceivedMessageSize="40000000">
  <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                maxBytesPerRead="4096" maxNameTableCharCount="16384" />
  <reliableSession ordered="true" inactivityTimeout="00:10:00"
                   enabled="false" />
  <security mode="Message">
    <message clientCredentialType="Windows" />
  </security>
</binding>