WCF NetTcpBinding Security - how does it work?


Problem description

I am encountering the following problems trying to work through the quagmire of settings in WCF...

I created a WCF client-server service using a NetTcp binding. I didn't make any changes to the security settings and when running on one machine it works very nicely. However, when I ran my client from another machine it complained that the server didn't like the security credentials that were sent.

I understand now that NetTCP is "secured" by default and that my client would have been passing the wrong security details - namely the Windows user name and password (or some form of domain authentication) to my server which as they are not running on the same domain it would not have liked.

However, what I don't understand is as follows:

I haven't specified any security in my binding - does the standard settings expect a Windows user name or password to be sent?

I don't have any certificate installed on my server - I understand that NetTCP bindings need some form of public/private key to protect the credentials - yet this seemed to work when both client and server were on the same machine - how was the data getting encrypted? Or was it that WCF knew it was on the same machine and encryption isn't needed?

I have had to set my security mode on my client and server to "none" now and they connect nicely. However, is there a way to encrypt my data without a certificate?

Finally... what is the difference between Transport and Message security?

To check my understanding (excuse the scenario!) message security is like if I sent a letter from person A to person B and I encode my handwriting to ensure that if anyone intercepts it they cannot read it? Transport security is if I decide to have my letter sent by armed transport so that no one can get at it along the way?

Is it possible to have any form of encryption in WCF without a certificate? My project is a private project and I don't want to purchase a certificate and the data isn't that sensitive anyway so it's just for my own knowledge.

Recommended answer

The default client credential type for NetTcpBinding is Windows Authentication. For Windows Authentication to work both client and server must be in the same domain, or mutually trusting domains (which in your case you do not have).

If both client and server were on the same domain, WCF would handle the mechanics of Windows Authentication "behind the scenes". And when both client and server are on the same machine they are effectively within the same domain, so Windows can use its own mechanisms to handle the encryption and decryption. It will only do this within mutually trusting domains, though.

If you don't have mutually trusting client and server domains, then the client and server must have some other way to determine if they trust each other with their keys. That's where certificates come in. The client and the server have their own certificates (or the server can issue the client a certificate).

Transport security is like encrypting the outside of the envelope as well as the inside. The downside is if you have to pass the envelope to someone outside your own organization, they need a decryption key just to know where the envelope is supposed to go--now they can read the message in the envelope also. On the other hand, transport security is faster--it requires less security overhead data getting passed along with your envelope.

Message security encrypts your message, but the envelope can be read by the postal workers (the internet and its routers). Only the source and the destination have the keys to decrypt the message, but the intermediaries can properly route your message.

To summarize: to use encryption over the NetTcpBinding both client and server must be within a domain (or mutually trusting domains) or you must have a key exchanging certificate.

I was asked for some example code--here is a binding element in XAML. It would normally be placed within a netTcpBinding element.

    <binding name="Secure" listenBacklog="4000" receiveTimeout="00:20:00" sendTimeout="00:20:01" maxReceivedMessageSize="2147483647" maxConnections="200" portSharingEnabled="true">
      <!-- ~2 GB -->
      <readerQuotas maxStringContentLength="2147483647"/>
      <!-- ~2 GB max string content length -->
      <security mode="Message">
        <transport clientCredentialType="None" protectionLevel="EncryptAndSign"/>
        <message clientCredentialType="None"/>
      </security>
    </binding>

The important part is the security element. For transport security one would change the mode attribute to "Transport". More than likely the clientCredentialType would not be "None" but rather "Certificate", "Ntlm", or "Windows" depending on the context.
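As an added example (not from the answer above), the same choices expressed in code instead of XML: the default Transport/Windows binding, which encrypts without a certificate but only between domain-joined or mutually trusting machines, and a Transport binding for the questioner's cross-domain case, where TLS needs a server certificate. The certificate subject name is a placeholder, not a value from this page.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

public static class NetTcpSecurityExamples
{
    // Case 1: the default. Transport security with Windows credentials (SSPI).
    // No certificate needed, but client and server must be in the same domain
    // or in mutually trusting domains (one machine counts as the same domain).
    public static NetTcpBinding WindowsTransportBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport)
        {
            MaxReceivedMessageSize = int.MaxValue, // ~2 GB, as in the XML above
            ListenBacklog = 4000,
            MaxConnections = 200,
            PortSharingEnabled = true,
        };
        binding.ReaderQuotas.MaxStringContentLength = int.MaxValue;
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        return binding;
    }

    // Case 2: no domain trust available (the questioner's situation).
    // Transport security still encrypts and signs, but the channel is now TLS,
    // so the service needs a certificate; the client stays anonymous (None).
    public static NetTcpBinding CertificateTransportBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.None;
        binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        return binding;
    }

    // The service host must be told which certificate case 2 relies on.
    // "MyServiceCert" is a placeholder subject name (assumption, not from the page).
    public static void AttachServiceCertificate(ServiceHost host)
    {
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "MyServiceCert");
    }
}
```

Setting mode to SecurityMode.None, as the questioner did, removes both encryption and signing; the two bindings above are the two ways to keep them.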
