内联网 - 网络远程的WCF CredentialCache.DefaultNetworkCredentials不工作 [英] Intranet - web to remote wcf CredentialCache.DefaultNetworkCredentials not working
问题描述
我在这添加WCF服务引用WCF驻留在另一台计算机,也期待Windows身份验证IIS托管的ASP.NET MVC Intranet应用程序。
在我的网站这个code是伟大的工作:
代理=新MyProxyClient(ConfigurationName联,remoteAddress);
proxy.ClientCredentials.Windows.ClientCredential.UserName =MyUserName输入;
proxy.ClientCredentials.Windows.ClientCredential.Password =MyPassword输入;proxy.SomeMethod(); //工作的伟大
但是如果我想凭据不硬codeD这样我使用:CredentialCache.DefaultNetworkCredentials是这样的:
代理=新MyProxyClient(ConfigurationName联,remoteAddress);
proxy.ClientCredentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials; proxy.SomeMethod(); //工作不抛出异常
与消息上面code抛SecurityNegotiationException:调用者没有被验证服务。
而内部异常是:作为安全令牌请求不能被满足,因为身份验证失败
我如何传递当前用户的凭据没有硬codeD的用户名和密码WCF服务?
如果您的组织使用常规的Windows身份验证(NTLM)你不能做你想要由于什么一跳的限制:凭证从用户的计算机传递到你的服务器使用的一跳(直接登录到一个外部计算机),这样的凭据不能用于从第一个验证的其他服务器。
更多信息可以使用下面的搜索词中找到: NTLM一跳,即<一href=\"http://blogs.msdn.com/b/besidethepoint/archive/2010/05/09/double-hop-authentication-why-ntlm-fails-and-kerberos-works.aspx\"相对=nofollow>为什么NTLM身份验证失败和Kerberos工作。
标准溶液:
- 的Kerberos(通常需要显著努力获得批准,启用/配置)
- 使用的身份验证比Windows的一些其他形式。试想,如果OAuth是可能的。不要去基本身份验证。
- 切换WCF服务基于声明的身份验证。
- 如果WCF服务可以可以信任来电者来验证传入凭证的详细方法是可能的:
- 运行code。最简单的方法是在您的文章显示什么,但存储域密码(或密码)以纯文本格式是不安全的。你也可以在拥有验证用户的凭证后,访问远程服务和临时恢复模仿特殊凭据运行进程帐户。
- 您还可以配置WCF服务要求客户端证书,并调用WCF服务时,使用这样的证书。这样,WCF服务可以验证,如果来电者是已知的。
根据该标志在本地服务器上,并有权调用服务特定的帐户
I have a ASP.NET MVC intranet application hosted in IIS that added WCF service reference the WCF resides in another computer and also expect windows authentication. In my web this code is working great:
proxy = new MyProxyClient("configurationName", "remoteAddress");
proxy.ClientCredentials.Windows.ClientCredential.UserName = "myUserName";
proxy.ClientCredentials.Windows.ClientCredential.Password = "MyPassword";
proxy.SomeMethod(); //work great
but if I want the credential not to be hardcoded like this I am using: CredentialCache.DefaultNetworkCredentials like this:
proxy = new MyProxyClient("configurationName", "remoteAddress");
proxy.ClientCredentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
proxy.SomeMethod(); //not working throw exception
the above code throw SecurityNegotiationException with message: The caller was not authenticated by the service. and the inner exception is: The request for security token could not be satisfied because authentication failed.
How can I pass the credential of the current user to the WCF service without hardcoded user name and password?
If your organization uses regular Windows authentication (NTLM) you can't do what you want due to "one-hop" restriction: credentials passed from user's computer to your server use "one-hop" (from direct login to one external computer) and such credentials can't be used to authenticate other servers from the first one.
More information can be found using following search term:ntlm one hop,i.e. Why NTLM fails and Kerberos works.
Standard solution:
- Kerberos (often requires significant effort to get approval to enable/configure)
- Use some other form of authentication than Windows. Consider if OAuth is possible. Don't go basic auth.
- Switch WCF service to claims based authentication.
- If WCF service can it can trust caller to verify incoming credentials more approaches are possible:
- Run code under particular account that signs in locally on server and have permissions to call the service. The easiest approach is what shown in your post, but storing domain passwords (or any passwords) in plain text is not secure. One can also run process account under special credentials that have access to the remote service and temporary revert impersonation after verifying user credentials.
- You can also configure WCF service to require client certificate and use such certificate when calling the WCF service. This way WCF service can verify if caller is known.
这篇关于内联网 - 网络远程的WCF CredentialCache.DefaultNetworkCredentials不工作的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
