使用WSDualHttpBinding在WCF服务之间共享Windows身份

时间:2019-08-23 13:38:50

标签: c# wcf windows-authentication wsdualhttpbinding

我在IIS 7中分别托管了两个WCF服务。第一个服务可从外部调用,并使用带有Windows身份验证的WebHttpBinding。第二项服务仅由第一项服务使用WsDualHttpBinding调用。

调用第一个服务时,我可以从ServiceSecurityContext.Current.WindowsIdentity.Name获取用户的Windows名称。在第二项服务中,该功能无效,ServiceSecurityContext.Current.WindowsIdentity.Name只是IIS APPPOOL\DefaultAppPool

我将WsDualHttpBinding配置为使用Windows身份验证,但这没有帮助。这是服务器端配置:

<wsDualHttpBinding>
  <binding name="internalHttpBinding">
    <security mode="Message">
      <message clientCredentialType="Windows"/>
    </security>
  </binding>
</wsDualHttpBinding>

这是第一个服务中与第二个服务建立通信的代码:

private WSDualHttpBinding binding = new WSDualHttpBinding();
private ChannelFactory<IMyService> factory;
public IMyService Contract { get; set; }
public MyServiceCallback Callback { get; set; }

public MyService(Uri uri)
{
    EndpointAddress address = new EndpointAddress(uri);
    Callback = new MyServiceCallback();
    var instanceContext = new InstanceContext(Callback);

    binding.Security.Mode = WSDualHttpSecurityMode.Message;
    binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

    factory = new DuplexChannelFactory<IMyService>(instanceContext, binding, address);
    factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
    factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
    Contract = factory.CreateChannel();

    // Call operations on Contract
}

如何配置第一个服务以将用户身份传递给第二个服务?

2 个答案:

答案 0 :(得分:1)

这似乎是传递身份验证存在问题。 首先,您需要处于Active Directory环境中。 必须使用Kerberos进行身份验证,NTLM无法正常工作。您可以使用klist进行检查: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/klist

另请参阅 https://blogs.msdn.microsoft.com/besidethepoint/2010/05/08/double-hop-authentication-why-ntlm-fails-and-kerberos-works/ 进行解释。

也许这篇SO文章可以帮助您

Pass Windows credentials to remote https WCF service

这: https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/delegation-and-impersonation-with-wcf

答案 1 :(得分:0)

在服务器端启用模拟并且客户端设置了Windows凭据之后,

ServiceReference1.ServiceClient client = new ServiceReference1.ServiceClient();
            client.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;
            client.ClientCredentials.Windows.ClientCredential.UserName = "Test";
            client.ClientCredentials.Windows.ClientCredential.Password = "123456";

我们可以使用以下代码检索运行中的Windows帐户。

if (ServiceSecurityContext.Current.WindowsIdentity.ImpersonationLevel == TokenImpersonationLevel.Impersonation ||
    ServiceSecurityContext.Current.WindowsIdentity.ImpersonationLevel == TokenImpersonationLevel.Delegation)
{
    using (ServiceSecurityContext.Current.WindowsIdentity.Impersonate())
    {
        Console.WriteLine("Impersonating the caller imperatively");
        Console.WriteLine("\t\tThread Identity            :{0}",
    WindowsIdentity.GetCurrent().Name);
        Console.WriteLine("\t\tThread Identity level  :{0}",
             WindowsIdentity.GetCurrent().ImpersonationLevel);
        Console.WriteLine("\t\thToken                     :{0}",
             WindowsIdentity.GetCurrent().Token.ToString());
    }
}

请参考以下示例。
https://docs.microsoft.com/en-us/dotnet/framework/wcf/samples/impersonating-the-client
https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/delegation-and-impersonation-with-wcf
随时让我知道是否有什么可以帮助您的。

相关问题
最新问题