WCF Authentication with Kerberos and SSO on cross domains


Problem description

We have an architecture with two domains (not subdomains).

In domain A we have a WinForms client (accessed through Citrix) and an AD.
In domain B we have a WCF service, which we would like to add authentication to.

We also need to support SSO.

The WinForms client has been authenticated against the AD in domain A and has a Kerberos ticket (issued when logging in through Citrix).

Is it possible for us to verify this Kerberos ticket in the WCF service, which is running in another domain?

It is possible for us to open ports for both Kerberos and LDAP from the WCF service in domain B to the AD in domain A. We are not allowed to set up a trust between the domains - but we do have LDAP access and can copy objects from one AD to the other.

Is it possible to verify the Kerberos ticket using standard Windows authentication configured in WCF? If so, how do you configure it to authenticate against another AD?

Is it possible to use a Kerberos client library of some kind or validate using LDAP? If so, how?

Recommended answer

