Verify that the currently authenticated Windows user has delegation rights


Question

Given that I have a WCF service using Windows authentication, and I want to impersonate them and call another WCF service, like so:

using (ServiceSecurityContext.Current.WindowsIdentity.Impersonate())
{
    // call another WCF service
}

I've set all the config settings and it works fine, as long as on the client side they include the following line:

client.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;

But, how do I verify before trying to make the call that the user token has delegation rights? i.e. that the client, which I don't control, has set the AllowedImpersonationLevel?

If they haven't set it, all sorts of weird exceptions get thrown (like cannot load assembly X etc.).

Ideally, I'd like to be able to do the following:

using (ServiceSecurityContext.Current.WindowsIdentity.Impersonate())
{
    if (UserDoesntHaveDelegationRights())
        throw new SecurityException("No delegation rights");

    // call another WCF service
}

Note that WindowsIdentity.GetCurrent().ImpersonationLevel is always equal to TokenImpersonationLevel.Impersonation, so that unfortunately is not an option.

Recommended answer

There might be some confusion here in definitions. In terms of impersonation levels a Windows identity can be:

  • Impersonation - the service can impersonate the user locally
  • Delegation - the service can impersonate the user remotely

The ability to delegate is so powerful that it's highly restricted in Active Directory:

  1. The client must allow delegation
  2. The service account doing the delegation must be marked "Trusted for delegation" in Active Directory.

Here's how to enable an account for delegation. It requires an Active Directory domain admin to make the change. Every corporate environment that I've ever worked in has a policy that does not allow delegation.

Back to your question:

So while TokenImpersonationLevel.Delegation exists, it's considered a security risk and rarely (if ever) used. TokenImpersonationLevel.Impersonation is the highest level that you will probably ever get.

TokenImpersonationLevel.Impersonation is useful. You can still connect to a database or make a remote service call as the impersonated user. But a remote service (not on the same box) can't impersonate the user a second time. The basic rule of thumb is "impersonation enables two machine hops". If the user's credentials have to "hop" farther, it will fail.

If you need to pass a user's credentials between many servers, the best choice is a federated security model such as Windows Identity Foundation (WIF). See Identity Management in Active Directory.
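As an added illustration (not code from the question or the answer), here is one way to write the pre-flight check the question asks for, so that a missing delegation level fails with a clear SecurityException instead of the obscure downstream errors described above. It assumes that ServiceSecurityContext.Current.WindowsIdentity.ImpersonationLevel reports the level negotiated from the client's AllowedImpersonationLevel; the class and method names are hypothetical.

```csharp
using System;
using System.Security;
using System.Security.Principal;
using System.ServiceModel;

public static class DelegationGuard
{
    // Level of the caller's security token as seen by the service.
    // Assumption: the WindowsIdentity on the ServiceSecurityContext (not
    // WindowsIdentity.GetCurrent()) carries the level the client allowed:
    // Identification, Impersonation or Delegation.
    public static TokenImpersonationLevel CallerTokenLevel()
    {
        var ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous || ctx.WindowsIdentity == null)
            return TokenImpersonationLevel.None;
        return ctx.WindowsIdentity.ImpersonationLevel;
    }

    // The check the question's UserDoesntHaveDelegationRights() stands for.
    public static bool CallerTokenAllowsDelegation()
    {
        return CallerTokenLevel() == TokenImpersonationLevel.Delegation;
    }

    // Refuse early, before impersonating and before the second hop is attempted,
    // so the failure is explicit and can be logged on the service side.
    public static void CallDownstreamAsCaller(Action callDownstream)
    {
        var level = CallerTokenLevel();
        if (level != TokenImpersonationLevel.Delegation)
        {
            throw new SecurityException(
                "Caller token level is " + level +
                "; Delegation is required to forward the caller's identity " +
                "to another machine (client must set AllowedImpersonationLevel " +
                "and the service account must be trusted for delegation).");
        }

        using (ServiceSecurityContext.Current.WindowsIdentity.Impersonate())
        {
            callDownstream(); // the call to the other WCF service goes here
        }
    }
}
```

A level of Identification or Impersonation here means the downstream call will run without the caller's credentials on the remote box, which is the two-hop limit the answer describes.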
