这是否需要为服务器服务帐户启用Windows授权? [英] Does this require windows delegation to be enabled for server service account?
问题描述
我有一个客户端控制台应用程序,该应用程序具有一些用户凭据-域\用户和纯文本密码.客户端应用通过调用LogonUser(dwLogonType:LOGON32_LOGON_NETWORK)win32 API获得该用户的Windowsidentity对象.我使用Windows身份模拟并进行WCF服务调用(托管在其他计算机上). WCF服务配置为使用Windows集成安全性的TCP协议.调用失败,并显示SecurityNegotiation异常,并显示以下错误:远程服务器不满足相互身份验证的要求.
I have a client console application which has got some user credentials - domain\user and plain-text password. The client app obtains windowsidentity object for that user by invoking LogonUser (dwLogonType:LOGON32_LOGON_NETWORK) win32 API. I use windowsidentity to impersonate and make WCF Service call (hosted on different machine). The WCF Service is configured to use TCP protocol with windows integrated security. The call fails with SecurityNegotiation exception with error: The remote server did not satisfy the mutual authentication requirement.
我在这里的假设是,服务器将看到匿名客户端身份,但由于终结点被配置为使用Windows集成身份验证而被拒绝.我的猜测是需要为Windows委派设置服务器帐户.我的猜测正确吗?
My assumption here is that the server sees anonymous client identity which it rejects because the endpoint is configured to use windows integrated authentication. My guess is that the server account needs to be set for windows delegation. Is my guess correct?
还
- 我对dwLogonType = LOGON32_LOGON_NETWORK的选择是否正确?
- LogOnUser返回的令牌(dwLogonType = LOGON32_LOGON_NETWORK)是否可以用于进行远程WCF调用?
推荐答案
要假冒的人如果要使用用户身份访问网络资源,则应具有委派权限.在上述方案中,客户端帐户(在其下运行客户端)应该具有委派权限,因为它正在模拟某些用户,并且希望将用户身份推广到远程WCF服务.
The one who is impersonating should have delegation right if it wants to access network resources under user's identity. In the mentioned scenario client account (under which the client is running) should have delegation right since it is is impersonating some user and wants to propogate the user identity to a remote WCF Service.
我对dwLogonType = LOGON32_LOGON_NETWORK的选择是否正确?
Is my choice of dwLogonType = LOGON32_LOGON_NETWORK correct?
不.
LogOnUser返回的令牌(dwLogonType = LOGON32_LOGON_NETWORK)是否可以用于进行远程WCF调用?
Can the token returned by LogOnUser (dwLogonType = LOGON32_LOGON_NETWORK) be used for making remote WCF calls?
使用dwLogonType = LOGON32_LOGON_NETWORK选项,LogonUser返回一个令牌,该令牌不能用于将用户身份传播到网络资源.
With dwLogonType = LOGON32_LOGON_NETWORK option, LogonUser returns a token that cannot be used for propogating user identity to network resources.
带有LogonUser的选项dwLogonType = LOGON32_LOGON_NETWORK_CLEARTEXT解决了该问题.使用该选项,LogonUser生成了一个令牌,该令牌能够以用户身份访问网络资源.
The option dwLogonType = LOGON32_LOGON_NETWORK_CLEARTEXT with LogonUser fixed the issue. With that option LogonUser generated a token that is capable of accessing network resources under user's identity.
我对arx的解决方案给予了高度的评价.只有他的评论我才能解决问题.
I give complete credit to arx for my solution. It is only with his comment I could solve the problem.
这篇关于这是否需要为服务器服务帐户启用Windows授权?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
