使用 WCF 服务进行跨域身份验证时出现问题 [英] Problem authenticating with WCF service cross domain

问题描述

我是 WCF 及其安全性的新手，因此我正在寻求有关我遇到的问题的帮助.

I'm new to WCF and its security so was looking for some help on a problem I'm having.

我有一个 WCF 服务，可以部署到一个小域中的每台机器上.WCF 服务将托管在 Windows 服务中，因为其中包含需要提升调用的方法.该服务目前非常草稿(它公开元数据 - 但我相信稍后会关闭 - 这可能吗?).它使用 net.tcp 绑定 - 服务的 App.Config 如下所示:

I have a WCF service that to be deployed to every machine in a small domain. The WCF service is to be hosted in a Windows Service since it has methods in it that need to be invoked elevated. The service is very draft at the moment (it exposes meta-data - but I believe this is to be turned off later - is this possible?). It uses the net.tcp binding - The App.Config of the service is shown below:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <services>
      <service behaviorConfiguration="SvcBehavior" name="Microsoft.ServiceModel.Samples.Svc">
        <endpoint address="" binding="netTcpBinding"
          contract="Microsoft.ServiceModel.Samples.ISvc" />
        <endpoint address="mex" binding="mexTcpBinding" bindingConfiguration=""
          contract="IMetadataExchange" />
        <host>
          <baseAddresses>
            <add baseAddress="net.tcp://*:8100/ServiceModelSamples/service" />
          </baseAddresses>
          <timeouts closeTimeout="00:10:00" openTimeout="00:10:00" />
        </host>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="SvcBehavior">
          <serviceMetadata httpGetEnabled="false" />
          <serviceDebug includeExceptionDetailInFaults="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>

对于客户，我有一个 Winforms C# 应用程序.该应用程序提供 2 个功能，它从服务中提取静态信息，然后为用户提供身份验证和调用管理方法的选项.因此，身份验证是在客户端级别完成的.

For a client, I have a Winforms C# application. The application serves 2 functions, it pulls static information from the service and then gives the user an option to authenticate and call the administrative methods. Therefore, the authentication is done at client level.

我使用 Channelfactory 连接到服务，因为主机名是可变的(在客户端启动时提示用户输入)并且客户端的 app.config 文件如下所示 - 它几乎是空的:

I am using Channelfactory to connect to the service since the hostname is variable (user is prompted for it on client start-up) and the app.config file for the client is shown below - its virtually empty:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <bindings>
     </bindings>
    <client />
  </system.serviceModel>
</configuration>

渠道工厂代码为:

[System.CodeDom.Compiler.GeneratedCodeAttribute("System.ServiceModel", "4.0.0.0")]
[System.ServiceModel.ServiceContractAttribute(Namespace = "http://Microsoft.ServiceModel.Samples", ConfigurationName = "ISvc")]


ChannelFactory<ISvc> myChannelFactory = new ChannelFactory<ISvc>(new NetTcpBinding(), "net.tcp://" + HostName + ":8100/ServiceModelSamples/service");
        public static ISvc client = null;

我也有一个描述服务中方法的接口.

I have an interface that descrives the methods in the service as well.

我遇到的主要问题是这个.假设有 Machine1 和 Machine2 在 domainA 上运行.假设 Machine1 托管服务，Machine2 运行客户端.

The main problem I am having is this. Say there is Machine1 and Machine2 running on domainA. Lets assume that Machine1 hosts the service and Machine2 runs the client.

当我使用域帐户 domainA\User 连接到该服务时，该服务工作正常，但说我在 Machine2 上有一个本地用户并且想要连接到作为 Machine2\LocalUser 服务，我收到以下错误消息:

When I connect to the service using a domain account domainA\User, the service works fine but say I have a local user on Machine2 and want to connect to the service as Machine2\LocalUser, I get the following error message:

服务器拒绝了客户端凭据.

The server has rejected the client credentials.

我曾尝试将安全模式设置为无(这不是我热衷于做的事情)，但随后我收到一条错误消息，指出客户端和服务的配置不匹配.

I have tried experimenting with setting the security mode to none (not something im keen on doing) but then I get an error saying the client and service have a configuration mismatch.

我能做些什么来解决这个问题吗?另外，如果在 domainA\Machine1 上运行的服务被另一个域的用户调用 - 例如 domainB\User2 会发生什么?

Is there something I can do to fix this? Also, what would happen if the service running on domainA\Machine1 was called by a user from another domain - say domainB\User2 ?

提前致谢 - 我很感激对此有一些见解！

Thanks in advance - Id appreciate some insight into this!

查达

推荐答案

如果您关闭服务的安全性，您也必须关闭客户端.如果在代码中配置客户端，则必须为 NetTcpBinding 的新实例设置与在配置文件中的服务相同的配置.

If you turn off security on the service you must turn in off on the client as well. If you configure client in code you must set the same configuration for new instance of NetTcpBinding as you do on the service in configuration file.

当使用 Windows 安全时(NetTcpBinding 的默认设置)MachineB 无法验证来自 MachineA 的本地帐户(有一些关于重复本地用户的技巧，但我不知道它们是否也适用于 WCF).这就是为什么你有一个域.跨域 Windows 身份验证需要域之间的信任.

When Windows security is used (default for NetTcpBinding) MachineB cannot authenticate local accounts from MachineA (there were some tricks with duplicate local users but I don't know if they work with WCF as well). That is why you have a domain. Cross domain windows authentication requires trust between domains.

如果您需要对跨域用户或本地用户进行身份验证，则不能使用 Windows 身份验证.还有其他身份验证机制，但它们需要配置证书(至少在服务上)并使用客户端证书或用户名和密码进行客户端身份验证.

If you need to authenticate cross domain users or local users you cannot use Windows authentication. There are other authentication mechanism but they require configuring certificate (at least on the service) and use either client certificate or user name and password for client authentication.

这篇关于使用 WCF 服务进行跨域身份验证时出现问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！