我有一个具有以下配置的WCF服务
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<compilation debug="true" />
</system.web>
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="CommonWindowsBinding" maxReceivedMessageSize="40000000">
<security mode="TransportWithMessageCredential" >
<transport clientCredentialType="None"/>
<message clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
</bindings>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<services>
<service behaviorConfiguration="CommonBehavior" name="Megatec.MasterTourService.AdminService">
<endpoint address="Windows" binding="netTcpBinding" bindingConfiguration="CommonWindowsBinding" name="Megatec.MasterTourService.Contracts.IAdminServiceWindows" contract="Megatec.MasterTourService.Contracts.IAdminService">
<identity>
<dns value="WCFServer" />
</identity>
</endpoint>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="CommonBehavior">
<dataContractSerializer maxItemsInObjectGraph="10000000" />
<serviceMetadata httpGetEnabled="true" policyVersion="Policy15" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceAuthorization impersonateCallerForAllOperations="true" />
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="PeerTrust" />
</clientCertificate>
<serviceCertificate findValue="WCFServer" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="Megatec.MasterTourService.Security.CustomUserNameValidator, Megatec.MasterTourService.Security" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
代码
public class AdminService : BaseAuthService, IAdminService
{
[OperationBehavior(Impersonation = ImpersonationOption.Required)]
public bool HasRole(string roleName)
{
//work with database
}
}
我在IIS 7上托管此服务,对于应用程序池我设置了域用户(Master \ MyLogin)。我需要域用户进行委派(根据step 4)。
当我从本地客户端(同一台计算机,Master \ MyLogin或其他域用户)使用服务时,它工作正常。但是,当我尝试从其他网络计算机使用服务时,它失败了。使用ApplicationPoolIdentity,一切正常。
Master \ MyLogin是有服务的计算机的管理员(但他不是域管理员)。
也许,有权利,应该授予Master \ MyLogin?
更新即可。客户例外。
首先,有SecurityNegotiationException。接下来,我添加了部分
<identity>
<userPrincipalName value="myLogin@Mydomain" />
</identity>
新的异常是MessageSecurityException。
The identity check failed for the outgoing message. The expected identity is "identity(http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn)" for the 'net.tcp://dev4-10:5012/IISTest/AdminService.svc/Windows' target endpoint.
我应该如何为客户端和服务配置<identity>?
答案 0 :(得分:2)
不幸的是,Transport / TransportWithMessageCredential安全模式不支持使用客户端凭据进行此类工作。我已按以下方式更改CommonWindowsBinding
<binding name="CommonWindowsBinding" maxReceivedMessageSize="40000000">
<security mode="Message">
<message clientCredentialType="Windows" />
</security>
</binding>
答案 1 :(得分:1)
我认为您必须使用TransportWithMessageCredential而不仅仅是Transport。只是使用将使您的服务通过HTTPS,但与使用凭据进行身份验证无关。
如果您使用,您可以使用HTTPS并拥有用户名和密码。
如果您确实只想使用传输,请从服务配置中取出节点。