Windows Store app with enterpriseAuthentication and Impersonation


Question

Short Version: Why, when I impersonate a web request made by a Windows Store app, do I get a WindowsIdentity object with the correct user name, but its IsAuthenticated property returns False? Making the same request from a browser (including Metro IE10) gives IsAuthenticated==true.

Long Version:
I'm prototyping an internal enterprise solution, which consists of a WCF service and a WinJS application. The WCF service is based on the webHttpBinding (i.e. simple GET/POST requests).

Certain actions need to be processed on behalf of the user making the request, therefore the service is configured to impersonate its callers. Here is a sample configuration:

<system.serviceModel>
  <bindings>
    <webHttpBinding>
      <binding name="CustomizedWebBinding">
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </webHttpBinding>
  </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="Web">
          <webHttp/>
        </behavior>
      </endpointBehaviors>
        <serviceBehaviors>
            <behavior name="">
                <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
                <serviceDebug includeExceptionDetailInFaults="false" />
            </behavior>
        </serviceBehaviors>
    </behaviors>
    <services>
        <service name="WcfService">
            <endpoint address="" binding="webHttpBinding" bindingConfiguration="CustomizedWebBinding" contract="IWcfService" behaviorConfiguration="Web">
                <identity>
                    <dns value="localhost" />
                </identity>
            </endpoint>
            <host>
                <baseAddresses>
                    <add baseAddress="http://localhost:8787/" />
                </baseAddresses>
            </host>
        </service>
    </services>
</system.serviceModel>

...and code:

using System.Security.Principal;
using System.ServiceModel;

public class WcfService : IWcfService
{
    // Impersonation.Required: the operation body executes under the caller's Windows identity.
    [OperationBehavior(Impersonation=ImpersonationOption.Required)]
    public UserInfo GetUserInfo()
    {
        UserInfo ui = new UserInfo();
        WindowsIdentity identity = ServiceSecurityContext.Current.WindowsIdentity;

        // Report the properties of the caller's token as the service sees them.
        ui.UserName = identity.Name;
        ui.IsAuthenticated = identity.IsAuthenticated;
        ui.ImpersonationLevel = identity.ImpersonationLevel.ToString();
        ui.IsAnonymous = identity.IsAnonymous;
        ui.IsGuest = identity.IsGuest;
        ui.IsSystem = identity.IsSystem;
        ui.AuthenticationType = identity.AuthenticationType;

        return ui;
    }
}

So, this operation simply collects information about the caller and sends it back in a JSON string.

Moving to the client. To enable automatic authentication I checked "Enterprise Authentication", "Internet (Client)" and "Private Networks" in the Windows Store app's manifest file.

From within the Windows Store app, I send the request using the WinJS.xhr function:

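    var options = {
        url: "http://localhost:8787/getuserinfo"
    };

    WinJS.xhr(options).then(function (xhrResponse) {
        var userInfoBlock = document.getElementById("userInfoBlock");
        var data = JSON.parse(xhrResponse.response);

        // Build the list as DOM nodes: appending "<ul>" to innerHTML on its own
        // makes the parser close the element at once, and textContent keeps the
        // response values from being interpreted as markup.
        var list = document.createElement("ul");

        for (var p in data) {
            if (data.hasOwnProperty(p)) {
                var item = document.createElement("li");
                item.textContent = p + ": " + data[p];
                list.appendChild(item);
            }
        }

        userInfoBlock.appendChild(list);
    });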

Now, when I execute the Windows Store app and it sends the request, the response I get is:

AuthenticationType: "NTLM"
ImpersonationLevel: "Impersonation"
IsAnonymous: false
IsAuthenticated: false
IsGuest: false
IsSystem: false
UserName: "TESTBOXdev"

If I send the request using the browser's address bar, I get the same response, with the only difference being "IsAuthenticated: true".

I also noticed that if I disable "Enterprise Authentication", it causes the Credentials Picker to pop up, and after providing correct credentials I'm getting "IsAuthenticated: true".

Am I missing something or expecting too much from the enterpriseAuthentication capability?

Recommended answer

I think I've stumbled across the same (Calling a WCF service using Windows Auth from a Windows Store App) and it looks like Windows Store Apps with enterprise authentication prevent calls to services on localhost using impersonation.

When I hosted my service on another server on the domain it worked just fine.
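
A server-side check for the condition described in the question, as an added example that is not part of the original question or answer: CallerGuard and RequireAuthenticatedCaller are hypothetical names, and the 401/403 mapping is an assumption. It refuses to act on behalf of a caller whose token carries a user name but reports IsAuthenticated as false.

```csharp
using System.Net;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Web;

// Added example: CallerGuard is a hypothetical helper, not part of the question's service.
public static class CallerGuard
{
    // Returns the caller's identity only when the token is one the service
    // should act on behalf of; otherwise the request is answered with 401 or 403.
    public static WindowsIdentity RequireAuthenticatedCaller()
    {
        ServiceSecurityContext context = ServiceSecurityContext.Current;
        WindowsIdentity identity = context == null ? null : context.WindowsIdentity;

        // A populated Name is not proof of authentication: the Store app request
        // in the question had a user name but IsAuthenticated == false.
        if (identity == null || identity.IsAnonymous || !identity.IsAuthenticated)
        {
            throw new WebFaultException<string>(
                "Caller is not authenticated.", HttpStatusCode.Unauthorized);
        }

        // Guest tokens and tokens below Impersonation level must not be used
        // to perform work on the caller's behalf.
        bool canImpersonate =
            identity.ImpersonationLevel == TokenImpersonationLevel.Impersonation ||
            identity.ImpersonationLevel == TokenImpersonationLevel.Delegation;

        if (identity.IsGuest || !canImpersonate)
        {
            throw new WebFaultException<string>(
                "Caller token cannot be impersonated.", HttpStatusCode.Forbidden);
        }

        return identity;
    }
}
```

An operation such as GetUserInfo would call CallerGuard.RequireAuthenticatedCaller() before doing any work under the impersonated identity.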
