I have a problem: when I connect from IIS to a WCF service, it passes the IIS application pool credentials rather than my Windows credentials. When I run the website locally by hitting F5 in VS, it passes my Windows credentials, which is what I want.
My website is set to use Windows Authentication, and Anonymous Authentication is turned off.
I can see in the Windows Event Viewer that it is not using Kerberos to connect to the box IIS is on; it is using NTLM. But I can see that it does use Kerberos from IIS to my WCF service, using:
OperationContext.Current.ServiceSecurityContext.PrimaryIdentity.AuthenticationType.ToString()
I think it should be using Kerberos when connecting to the IIS box, so any thoughts would be appreciated.
The box and the user are set up to allow delegation, and I have enabled NETTCP communication etc. on my
end. Here is my host config; the service is hosted in a console application on the same server as the IIS server:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="defaultBinding" closeTimeout="02:02:00" openTimeout="02:01:00"
receiveTimeout="02:10:00" sendTimeout="02:02:00" maxBufferSize="2147483647"
maxReceivedMessageSize="2147483647">
<security mode="Transport" >
<transport clientCredentialType="Windows"/>
</security>
</binding>
</netTcpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="defaultClientBehavior">
<clientCredentials />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="ServiceConfigBehavior">
<serviceMetadata httpGetEnabled="false" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceAuthorization impersonateCallerForAllOperations="true" />
<serviceCredentials>
<windowsAuthentication includeWindowsGroups="true" allowAnonymousLogons="false" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="ServiceConfigBehavior"
name="ServiceConfig">
<endpoint address="" behaviorConfiguration="" binding="netTcpBinding"
bindingConfiguration="defaultBinding" contract="IServiceConfig">
<identity>
<servicePrincipalName value="nettcp/RDM" />
<dns value="" />
</identity>
</endpoint>
<endpoint address="mex" binding="mexTcpBinding" bindingConfiguration=""
contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="net.tcp://ServerName:8731/ServiceConfig/" />
</baseAddresses>
</host>
</service>
</services>
</system.serviceModel>
</configuration>
Here is my client config:
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<netTcpBinding>
<binding name="NetTcpBinding_IServiceConfig" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions"
hostNameComparisonMode="StrongWildcard" listenBacklog="10" maxBufferPoolSize="524288"
maxBufferSize="65536" maxConnections="10" maxReceivedMessageSize="65536">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Transport">
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
<message clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
</bindings>
<client>
<endpoint address="net.tcp://syrwp01:8731/ServiceConfig/"
behaviorConfiguration="defaultClientBehavior" binding="netTcpBinding"
bindingConfiguration="NetTcpBinding_IServiceConfig" contract="ServiceReference1.IServiceConfig"
name="NetTcpBinding_IServiceConfig">
<identity>
<servicePrincipalName value="nettcp/RDM" />
</identity>
</endpoint>
</client>
</system.serviceModel>
Here is the service method that is called:
// Namespaces the method below depends on (not shown in the original snippet).
using System;
using System.Security.Principal;
using System.ServiceModel;

[OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
public string PrintMessage(string msg)
{
    Console.WriteLine(DateTime.Now.ToString());
    // Windows identity of the caller as authenticated by the transport.
    WindowsIdentity callerWindowsIdentity = ServiceSecurityContext.Current.WindowsIdentity;
    // AuthenticationType is already a string ("Kerberos" or "NTLM"); no ToString() needed.
    Console.WriteLine("AuthenticationType: " + OperationContext.Current.ServiceSecurityContext.PrimaryIdentity.AuthenticationType);
    // Process identity before impersonation: the account running the console host.
    Console.WriteLine("WindowsIdentity.GetCurrent(): {0}", WindowsIdentity.GetCurrent().Name);
    // While impersonating, GetCurrent() should report the caller, not the host account.
    using (callerWindowsIdentity.Impersonate())
    {
        Console.WriteLine("WindowsIdentity.GetCurrent(): {0}", WindowsIdentity.GetCurrent().Name);
    }
    Console.WriteLine("Method called successfully!");
    // The original snippet declared a string return type but had no return statement.
    return msg;
}
Answer 0 (score: 2)
This sounds like a case of the Double Hop Problem. In most cases a server cannot pass credentials it received over the network on to another host via impersonation.
Here is a blog post that describes this phenomenon in more detail.
Answer 1 (score: 2)
Make sure you specify
<system.web>
<identity impersonate="true" />
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
</system.web>
This ensures that anonymous logons are not allowed.
Also, if you want to pass your credentials on to the WCF service, you need to use delegation. Create a behavior in your website's web.config like this:
<behaviors>
<endpointBehaviors>
<behavior name="DelegationBehavior">
<callbackDebug includeExceptionDetailInFaults="true" />
<clientCredentials>
<windows allowedImpersonationLevel="Delegation" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
and use it in your endpoint via behaviorConfiguration="DelegationBehavior".
If that does not work, try adding <serviceAuthenticationManager authenticationSchemes="IntegratedWindowsAuthentication" />
to the <serviceBehavior> tag in the WCF web.config.
Don't forget to decorate your WCF method with:
[OperationBehavior(Impersonation = ImpersonationOption.Required)]
Alternatively, you can impersonate every call through an additional tag in <serviceBehavior>:
<serviceAuthorization impersonateCallerForAllOperations="true" />
I am currently running into a different problem, but my configuration should fit your scenario; see here: My Stackoverflow Post
I know this is a very old post, but hopefully this helps anyone running into the same problem.
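The following is an added example and not code from the question or either answer. It does two things the thread circles around: on the service side it reads the caller's token (the same WindowsIdentity the question's PrintMessage prints) and reports whether that token can be forwarded at all, distinguishing an NTLM first hop from a Kerberos token that is merely not Delegation-level; on the client side it is the programmatic equivalent of Answer 1's DelegationBehavior plus the netTcpBinding from the posted config, opening the channel while the web caller is impersonated so the forwarded identity is the user rather than the app pool account. The IServiceConfig contract is reconstructed from the PrintMessage signature on the page; the address and SPN are parameters, with the thread's own values (net.tcp://syrwp01:8731/ServiceConfig/ and nettcp/RDM) only as the expected inputs.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Contract assumed from the PrintMessage method shown in the question.
[ServiceContract]
public interface IServiceConfig
{
    [OperationContract]
    string PrintMessage(string msg);
}

public static class DelegationDiagnostics
{
    // Service-side check: from the caller's token alone, say whether a further hop made
    // under impersonation will carry the caller's identity or fall back to the process identity.
    public static string Describe(WindowsIdentity caller)
    {
        if (caller == null || caller.IsAnonymous)
            return "Anonymous caller: Windows authentication did not take place.";

        string summary = string.Format("{0} via {1}, token level {2}: ",
            caller.Name, caller.AuthenticationType, caller.ImpersonationLevel);

        // An NTLM first hop gives the server a network-logon token it cannot re-present to
        // another machine. Kerberos to this host needs an SPN for the name the client used
        // (HTTP/<host> for IIS) registered on the account that owns the listener.
        if (string.Equals(caller.AuthenticationType, "NTLM", StringComparison.OrdinalIgnoreCase))
            return summary + "NTLM cannot be forwarded; check the HTTP/<host> SPN and that the client negotiates Kerberos.";

        // Even with Kerberos, only a Delegation-level token can be forwarded. Anything lower means
        // the client capped AllowedImpersonationLevel or this process's account is not trusted for delegation.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            return summary + "token is not Delegation-level; the next hop will run as the process identity.";

        return summary + "token can be delegated to the next hop.";
    }
}

public static class DelegatingClient
{
    // Programmatic equivalent of the DelegationBehavior and netTcpBinding config in Answer 1.
    public static ChannelFactory<IServiceConfig> CreateFactory(string address, string spn)
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;

        // The SPN must match the <servicePrincipalName> the service advertises; a mismatch
        // makes the Kerberos ticket request fail and SSPI silently falls back to NTLM.
        var endpoint = new EndpointAddress(new Uri(address), EndpointIdentity.CreateSpnIdentity(spn));

        var factory = new ChannelFactory<IServiceConfig>(binding, endpoint);
        // Same effect as <windows allowedImpersonationLevel="Delegation" />: without it WCF
        // caps the token at Impersonation and the service cannot hop again.
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;
        return factory;
    }

    // Called inside IIS with the web caller's identity (HttpContext.Current.User.Identity as WindowsIdentity).
    // WCF acquires the Windows credential when the channel is opened, so the channel must be created
    // and opened while impersonating; otherwise the app pool identity is sent, the symptom in the question.
    public static string CallAsWebCaller(WindowsIdentity webCaller, string address, string spn, string msg)
    {
        ChannelFactory<IServiceConfig> factory = CreateFactory(address, spn);
        try
        {
            using (webCaller.Impersonate())
            {
                IServiceConfig channel = factory.CreateChannel();
                var comm = (ICommunicationObject)channel;
                try
                {
                    comm.Open();
                    string reply = channel.PrintMessage(msg);
                    comm.Close();
                    return reply;
                }
                catch
                {
                    comm.Abort();
                    throw;
                }
            }
        }
        finally
        {
            if (factory.State == CommunicationState.Faulted) factory.Abort(); else factory.Close();
        }
    }
}
```

Run DelegationDiagnostics.Describe on the IIS side first, against the web caller's identity. If it reports NTLM, no client-side setting will help: the browser-to-IIS hop itself has to become Kerberos (an HTTP SPN for the app pool account, or kernel-mode authentication with useAppPoolCredentials), or the app pool account has to be set up for constrained delegation with protocol transition so IIS can obtain a ticket on the user's behalf. If it reports Kerberos at Impersonation level, the remaining gaps are the AllowedImpersonationLevel shown above and the account's "trusted for delegation" setting in AD.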