WCF 和传递 Windows 凭据 [英] WCF and passing windows credentials

问题描述

我在 ServerA 上托管了一个网站，该网站使用应用程序池运行，使用具有域权限的特殊用户帐户来访问我们的数据库.在网站的配置文件中我指定:

I have a website hosted on ServerA which runs using an App Pool using a special user accout with domain privilages to access our database. In the config file of the website I specify:

    <identity impersonate="true" />

然后我有一个服务，它也在 ServerA 上并以编程方式托管在控制台应用程序中(即没有配置文件)，如下所示.

I then have a service which is also on ServerA and hosted in a console app programmatically (i.e. no config file) like below.

Uri uri = new Uri("net.tcp://ServerA:9900/Service/");

ServiceHost host = new ServiceHost(typeof(Service1), uri);

NetTcpBinding binding = new NetTcpBinding();
binding.Security.Mode = SecurityMode.Message;
binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

ServiceEndpoint serviceEndpoint = host.AddServiceEndpoint(typeof(IService1), binding, uri);
EndpointAddress myEndpointAddress = new EndpointAddress(uri, EndpointIdentity.CreateSpnIdentity("MyspnName"));
serviceEndpoint.Address = myEndpointAddress;

host.Open();

当我在本地计算机上打开浏览器并访问该网站时，该网站尝试连接到 WCF 服务器并返回错误无法满足安全令牌请求，因为身份验证失败."

When I open a browser on my local machine and go to the website the website tries to connect to the WCF server and returns the error "The request for security token could not be satisfied because authentication failed."

网站使用以下代码连接服务:

The website uses the following code to connect to the service:

Uri uri = new Uri("net.tcp://ServerA:9900/Service/");

NetTcpBinding binding = new NetTcpBinding();
binding.Security.Mode = SecurityMode.Message;
binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

EndpointIdentity epid = EndpointIdentity.CreateSpnIdentity("MyspnName");
EndpointAddress endPoint = new EndpointAddress(uri, epid);
//EndpointAddress endPoint = new EndpointAddress(uri);

ChannelFactory<IService1> channel = new ChannelFactory<IService1>(binding, endPoint);
channel.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;
IService1 service = channel.CreateChannel();

service.PrintMessage("Print this message!");

对于 PrintMessage，我正在调用的方法，我尝试了 [OperationBehavior(Impersonation = ImpersonationOption.Required)] 和 .. .Allowed .. 但错误是一样的.

For PrintMessage, the method I'm calling, I tried [OperationBehavior(Impersonation = ImpersonationOption.Required)] and .. .Allowed .. but the error is the same.

当我使用 LocalHost 在本地运行网站时，没有错误并且运行完美.而且，当我在 web.config 中更改身份 impersonate="false" 时，它会运行，但我的 Windows 凭据不会传递到 WCF 服务中，这才是重点.

When I run the website locally using LocalHost there is no error and it works perfect. And also when I change identity impersonate="false" in my web.config it runs but my windows credentials don't get passed into the WCF service which is the whole point.

知道我缺少什么吗?请不要提供一般链接，我可能已经看过了！

Any ideas what I'm missing? Pls no general links, I've probably already read it!

非常感谢

推荐答案

如果您使用 Windows 身份验证，您可以在此处获取服务代码中调用者的身份:

If you use Windows authentication, you can grab the identity of the caller in your service code here:

 ServiceSecurityContext.Current.WindowsIdentity

此 WindowsIdentity 包含诸如.Name"属性、用户所属的所有组的.Groups"属性等内容.

This WindowsIdentity contains things like the ".Name" property, the ".Groups" property of all groups the user belongs to, and more.

如果 WindowsIdentity 应该为 NULL，那么您实际上并没有进行 Windows 身份验证.

If the WindowsIdentity should be NULL, then you don't really have Windows authentication happening.

您是否在 IIS 中托管 WCF 服务?哪个版本 - IIS7 是第一个支持 net.tcp 绑定的版本.

Are you hosting your WCF service in IIS? Which version - IIS7 is the first one to support net.tcp binding.

如果您在控制台应用程序中自托管您的服务 - 那么 Windows 身份验证是否有效?在这种情况下，很可能是 IIS7 配置问题.

What if you self-host your service in a console app - does Windows authentication work then? In that case, it would most likely be a IIS7 config issue of sorts.

马克

这篇关于WCF 和传递 Windows 凭据的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！