How does WCF Windows authentication work without explicitly setting credentials

Problem description

I have an asp.net web application that makes calls to several WCF services. The web app is located at www.mydomain.com and the services are at services.mydomain.com. They are hosted from the same server.

I've just added secure endpoints (basicHttpBinding) to the services that use Transport security (https) and Windows authentication:

<binding name="WindowsSecuredBinding">
  <security mode="Transport">
    <transport clientCredentialType="Windows" />
  </security>
</binding>

and configured the client web app to use these new secure endpoints. I was expecting the next step to be writing some code in the web app to set the client credentials in order to pass the Windows authentication. To my surprise, the service calls are succeeding without setting the client credentials. I'm assuming it must be sending the account that the web app is running under but don't know how to verify that. In other scenarios I thought I've seen the client credentials having no implicit default.

So I have two questions:

  1. How is authentication succeeding? Does it send the user the app runs under, the browser user's credentials, no credentials?
  2. How can I debug/log/trace the authentication process? I'd like to at least see the username that's being authenticated so I can validate the security.

Solution

  1. With your current configuration as you have it on the server and client side the client is sending the credentials that it is running under. Because the credential type is set to Windows that causes the security negotiation to check in Kerberos if you are in a domain or in NTLM if it's a workgroup environment. (More information can be found here.)
  2. To debug the authentication process WCF has an auditing feature that can be enabled. Instructions for adding auditing are here.

Here are the important parts from the auditing MSDN page:

<behaviors>
 <behavior name="myAuditBehavior">
  <serviceSecurityAudit auditLogLocation="Application"
    suppressAuditFailure="false" 
    serviceAuthorizationAuditLevel="None" 
    messageAuthenticationAuditLevel="SuccessOrFailure" />
 </behavior>
</behaviors>

and adding the behavior to the service:

<service name="[Your service type here]" behaviorConfiguration="myAuditBehavior">

Once auditing is enabled you can see all the authorization activity (success and failure if you configure it that way). This should allow you to validate that your security is set up the way you would like it.

If you happen to need functionality of passing the credentials of the user that is using the ASP.NET web app (this is called Impersonation) the MSDN documentation on that is found on this page "Delegation and Impersonation with WCF".
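The C# below is an added example, not code from the question or the answer. It gives a second way to answer question 2 that does not depend on the event log: a service operation that returns the Windows identity WCF authenticated on the call, and a client that invokes it over the same binding shape as the question's WindowsSecuredBinding (transport security, Windows client credential type) without setting any credentials, so the two sides can be compared. The contract IWhoAmIService, the service class, and the endpoint URL are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Assumed contract: one operation that reports the identity WCF authenticated.
[ServiceContract]
public interface IWhoAmIService
{
    [OperationContract]
    string WhoAmI();
}

// Service side. Host this behind the HTTPS endpoint that uses
// clientCredentialType="Windows", as in the question's binding.
public class WhoAmIService : IWhoAmIService
{
    public string WhoAmI()
    {
        // ServiceSecurityContext is populated once the transport-level
        // Windows (Kerberos or NTLM) handshake has succeeded.
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous)
        {
            return "anonymous (no Windows identity established)";
        }

        WindowsIdentity caller = ctx.WindowsIdentity;
        // AuthenticationType reports which protocol the negotiation settled on
        // ("Kerberos" or "NTLM"); ImpersonationLevel shows whether the token
        // could be used to act as the caller, which matters for delegation.
        return string.Format("{0} via {1} (authenticated={2}, impersonation level={3})",
            caller.Name,
            caller.AuthenticationType,
            caller.IsAuthenticated,
            caller.ImpersonationLevel);
    }
}

// Client side, e.g. called from the ASP.NET web app.
public static class WhoAmIClient
{
    // Assumed address; take the real one from the client's endpoint config.
    private const string ServiceUrl = "https://services.mydomain.com/WhoAmI.svc";

    public static string Run()
    {
        // Same shape as the question's WindowsSecuredBinding.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

        var factory = new ChannelFactory<IWhoAmIService>(binding, new EndpointAddress(ServiceUrl));

        // Nothing is assigned to factory.Credentials.Windows.ClientCredential,
        // so WCF presents the identity of the current thread: the application
        // pool account, or the browser user if ASP.NET impersonation is on.
        string localIdentity = WindowsIdentity.GetCurrent().Name;

        IWhoAmIService proxy = factory.CreateChannel();
        string remoteIdentity;
        try
        {
            remoteIdentity = proxy.WhoAmI();
            ((IClientChannel)proxy).Close();
            factory.Close();
        }
        catch
        {
            // Abort rather than Close on a faulted channel.
            ((IClientChannel)proxy).Abort();
            factory.Abort();
            throw;
        }

        return string.Format("client thread identity: {0}; service authenticated: {1}",
            localIdentity, remoteIdentity);
    }
}
```

Run from the web app, the client-side name is the application pool or service account unless ASP.NET impersonation is enabled, in which case it is the browser user's account; the service-side string should match it, and the AuthenticationType part tells you whether Kerberos or NTLM was actually negotiated. Comparing the two strings is the quickest check of which account is really reaching the secured endpoint, and it complements the audit log, which records the same outcome per message.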
