我似乎无法根据正在调用我的WCF服务的用户的凭据来授权服务合同操作。
服务Web.Config
<system.serviceModel>
<services>
<service name="WCFService.Service" behaviorConfiguration="DefaultServiceBehavior">
<host>
<baseAddresses>
<add baseAddress="net.tcp://localhost:8080/WCFService"/>
</baseAddresses>
</host>
<!-- Net.Tcp EndPoints-->
<endpoint address=""
binding="netTcpBinding"
contract="WCFService.IService"
bindingConfiguration="NetTcp_Secured"/>
<endpoint address="mex"
binding="mexTcpBinding"
contract="IMetadataExchange" />
</service>
</services>
<bindings>
<netTcpBinding>
<binding name="NetTcp_Secured">
<security mode="Transport">
<message clientCredentialType="Windows" />
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
</security>
</binding>
</netTcpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="DefaultServiceBehavior">
<serviceMetadata httpGetEnabled="false" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
客户端Web.Config
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="DefaultClientBehavior">
<clientCredentials>
<windows allowNtlm="true"
allowedImpersonationLevel="Delegation" />
<httpDigest impersonationLevel="Impersonation"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<netTcpBinding>
<binding name="NetTcpBinding">
<security mode="Transport">
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
<message clientCredentialType="Windows"/>
</security>
</binding>
</netTcpBinding>
</bindings>
<client>
<endpoint
address="net.tcp://localhost:8080/WCFService/Service.svc"
binding="netTcpBinding"
bindingConfiguration="NetTcpBinding"
behaviorConfiguration="DefaultClientBehavior"
contract="TestWcfService.IService"
name="NetTcpBinding_IService">
</endpoint>
</client>
</system.serviceModel>
服务代码......
[OperationBehavior(Impersonation = ImpersonationOption.Required)]
public string GetCurrentPrinciple()
{
return "Windows Identity: " + WindowsIdentity.GetCurrent().Name + " \\ " +
"Thread Identity: " + System.Threading.Thread.CurrentPrincipal.Identity.Name;
}
我相信这就是为什么这个属性会导致安全异常......
[PrincipalPermission(SecurityAction.Demand, Name = @"DOMAIN_NAME\User")]
可以在整个服务中调用该方法,这让我觉得安全设置没问题。但是,在服务中运行的上述代码始终返回App Pool标识的名称,而不是调用该服务的用户的标识。
在断点处的服务的即时窗口中执行以下操作将提供以下内容...
? WindowsIdentity.GetCurrent()
{System.Security.Principal.WindowsIdentity}
AuthenticationType: "Negotiate"
Groups: {System.Security.Principal.IdentityReferenceCollection}
ImpersonationLevel: Impersonation
IsAnonymous: false
IsAuthenticated: true
IsGuest: false
IsSystem: false
Name: "IIS APPPOOL\\DefaultAppPool"
Owner: {S-1-5-SAME-AS-BELOW-}
Token: 2300
User: {S-1-5-SAME-AS-ABOVE-}
所以我我认证了 - 我只是没有来电者的名字!
服务和客户端都设置为Windows身份验证。如果我在客户端做到这一点......
protected void Page_Load(object sender, EventArgs e)
{
lblCurrentUser.Text =
"Current Website User: " + HttpContext.Current.User.Identity.Name;
}
...它会返回正确的域名和用户名,因此我知道客户端已通过浏览器正确确认了我的Windows凭据。
我只是不确定我在这里缺少的是为什么服务不会报告客户端凭据。
答案 0 :(得分:0)
您可能需要在客户端级别设置AllowedImpersonationLevel。看看这些文章 - http://msdn.microsoft.com/en-us/library/ms731090.aspx http://blogs.msdn.com/b/asiatech/archive/2009/08/28/how-to-impersonate-or-delegate-a-client-in-wcf.aspx