Understanding WCF Windows Authentication

Question

I have a service with windows authentication. Using the following code, I can get the Windows Identity of the user who (by using the client) consumes the service.

String currentUser = OperationContext.Current.ServiceSecurityContext.WindowsIdentity.Name;

The configuration in the server is:

<binding name="messageSecurity">
<security mode="Message">
<message clientCredentialType="Windows"/>
</security>
</binding>

I also read that in the server, it is using Kerberos for this to work.

Now, I am trying to understand its significance in our corporate network. In the office, users will be logging into their desktops using their active directory credentials. Our service is hosted in a windows server named "SERV1" .

  1. Can only users who have access (to login) to "SERV1" access the service? Or will all users who are able to login to the office network (using Active Directory credentials) be able to consume the service?

  2. Is there a way to ensure that only CIO approved applications will be accessing the service, keeping the service as windows authenticated?

  3. Does this authentication check happen for each service operation call or only for the first call?

  4. Is there any way the service will be able to know the windows credentials of the user?

Note: What I understand is WindowsAuthentication can be compared to a Membership provider - providing username and password from a centralized location. It can be compared to ASP.Net Membership Provider or Active Directory Membership Provider.

Further reading:

  1. ASP.NET Active Directory Membership Provider and SQL Profile Provider

  2. wcf data contracts authorization

  3. http://www.theserverside.net/tt/articles/showarticle.tss?id=ClaimsBasedSecurityModel

Solution

Can only users who have access (to login) to "SERV1" access the service?

Yes - that's the point of using Windows credentials in a WCF service. Only users who have a domain account in that Active Directory domain (or a separate domain which has a bidirectional full-trust relationship with your domain) will be able to access the service.

Or will all users who are able to login to the office network (using Active Directory credentials) be able to consume the service?

The WCF security boundary is the Active Directory Domain - not a particular server.

Is there a way to ensure that only CIO approved applications will be accessing the service, keeping the service as windows authenticated?

How are those "CIO-approved" applications different from others? WCF is accessed by accounts - typically user accounts. You can limit which accounts have access to your service (by e.g. requiring those accounts to be members of a given AD group or something). You cannot really "limit" based on applications (only if those applications use specific application-level accounts to access your WCF service).

Does this authentication check happen for each service operation call or only for the first call?

Depends on your service - if you use a per-call WCF service, then the check happens for each call. If you use a per-session WCF service with "security negotiation" turned on, then the check happens once at the beginning of the session and not anymore until the session ends.

Is there any way the service will be able to know the windows credentials of the user?

Yes - OperationContext.Current.ServiceSecurityContext.WindowsIdentity IS the Windows credentials (the Windows identity) used to call your service. It's a lot more than just the user name.
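The two points above (restricting access to accounts in a given AD group, and the WindowsIdentity carrying far more than the name) in a minimal service, as an added example rather than code from the question or answer. The service contract, the operation names and the group CONTOSO\Payroll-Approvers are hypothetical; it assumes the message-security binding with clientCredentialType="Windows" shown in the question and the default principalPermissionMode="UseWindowsGroups".

```csharp
using System;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IPayrollService
{
    [OperationContract]
    string WhoAmI();

    [OperationContract]
    void ApproveRun(int runId);
}

// Per-call instancing: the caller's identity is established and checked on every
// operation, which is the "each call" case described in the answer.
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
public class PayrollService : IPayrollService
{
    public string WhoAmI()
    {
        // The full WindowsIdentity: account SID, authentication package
        // (Kerberos vs. NTLM) and group membership, not only the user name.
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
            throw new FaultException("A Windows identity is required to call this service.");

        var principal = new WindowsPrincipal(caller);
        return string.Format("{0} (SID {1}) authenticated via {2}; local admin: {3}",
            caller.Name,
            caller.User,                 // SecurityIdentifier of the account
            caller.AuthenticationType,   // e.g. "Kerberos" or "NTLM"
            principal.IsInRole(WindowsBuiltInRole.Administrator));
    }

    // Declarative authorization: only members of the hypothetical AD group may call
    // this operation; any other domain account gets an access-denied fault. This is
    // the "restrict by account/group, not by application" approach from the answer.
    [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\Payroll-Approvers")]
    public void ApproveRun(int runId)
    {
        // Business logic runs only for authorized callers.
    }
}
```

The group check relies on the service's serviceAuthorization behavior using Windows groups (the default); a client without a domain account never reaches these methods because the binding rejects it during authentication.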
