Understanding WCF Windows Authentication


Question


I have a service with Windows authentication. Using the following code, I can get the Windows identity of the user who (by using the client) consumes the service.

String currentUser = OperationContext.Current.ServiceSecurityContext.WindowsIdentity.Name;

The configuration in the server is:

<binding name="messageSecurity">
  <security mode="Message">
    <message clientCredentialType="Windows"/>
  </security>
</binding>

I also read that in the server, it is using Kerberos for this to work.

Now, I am trying to understand its significance in our corporate network. In the office, users will be logging into their desktops using their Active Directory credentials. Our service is hosted on a Windows server named "SERV1".

  1. Can only users who have access (to log in) to "SERV1" access the service? Or will all users who are able to log in to the office network (using Active Directory credentials) be able to consume the service?

  2. Is there a way to ensure that only CIO-approved applications will be accessing the service, keeping the service Windows-authenticated?

  3. Does this authentication check happen for each service operation call or only for the first call?

  4. Is there any way the service will be able to know the Windows credentials of the user?

Note: What I understand is that Windows authentication can be compared to a Membership provider, providing username and password from a centralized location. It can be compared to the ASP.NET Membership Provider or the Active Directory Membership Provider.

Further reading:

  1. ASP.NET Active Directory Membership Provider and SQL Profile Provider: http://stackoverflow.com/questions/895002/asp-net-active-directory-membership-provider-and-sql-profile-provider

  2. wcf data contracts authorization: http://stackoverflow.com/questions/5051095/wcf-data-contracts-authorization/5136551#5136551

  3. http://www.theserverside.net/tt/articles/showarticle.tss?id=ClaimsBasedSecurityModel
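The question's XML binding, expressed as code-based configuration so the pieces can be seen together: this is an added example, not code from the question or from any project, and the endpoint address, contract name and namespace are assumptions. The service reads the same WindowsIdentity the question reads; the client side shows a least-privilege choice the question does not mention, limiting the token it sends to Identification level so the service can learn who is calling but cannot act as the caller.

```csharp
// Added example (not from the original post): the poster's XML binding as code,
// plus a client that restricts how the service may use the caller's token.
// Endpoint address, contract and namespace are assumptions.
using System;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IWhoAmI
{
    [OperationContract]
    string WhoAmI();
}

public class WhoAmIService : IWhoAmI
{
    public string WhoAmI()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        // With Windows message credentials an anonymous caller never gets here,
        // but checking is cheaper than assuming.
        if (ctx == null || ctx.IsAnonymous)
            return "(anonymous)";

        // Same identity the question reads: WindowsIdentity.Name.
        return ctx.WindowsIdentity.Name;
    }
}

public static class ServiceHosting
{
    // Code equivalent of <binding name="messageSecurity"> in the question:
    // message-level security with Windows client credentials (Kerberos/NTLM via SSPI).
    public static WSHttpBinding MessageSecurityWindowsBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        return binding;
    }

    public static void Main()
    {
        var baseAddress = new Uri("http://SERV1:8000/whoami"); // assumed address
        using (var host = new ServiceHost(typeof(WhoAmIService), baseAddress))
        {
            host.AddServiceEndpoint(typeof(IWhoAmI), MessageSecurityWindowsBinding(), "");
            host.Open();
            Console.WriteLine("Listening; press Enter to stop.");
            Console.ReadLine();
        }
    }
}

public static class WhoAmIClient
{
    // The client sends the logged-on user's credentials by default. Identification
    // level lets the service see the caller's identity without being able to
    // impersonate that user against other resources.
    public static string CallWhoAmI(Uri address)
    {
        var factory = new ChannelFactory<IWhoAmI>(
            ServiceHosting.MessageSecurityWindowsBinding(), new EndpointAddress(address));
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Identification;

        IWhoAmI proxy = factory.CreateChannel();
        try
        {
            return proxy.WhoAmI();
        }
        finally
        {
            ((ICommunicationObject)proxy).Close();
        }
    }
}
```

Run the host on the server and call `WhoAmIClient.CallWhoAmI(new Uri("http://SERV1:8000/whoami"))` from a domain-joined desktop; the returned string is the caller's `DOMAIN\user` name. If the client cannot obtain a Kerberos ticket for the service, SSPI negotiation falls back to NTLM, which is why the answer's later point about inspecting `AuthenticationType` matters for auditing.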

Solution

> Can only users who have access (to login) to "SERV1" access the service?

Yes - that's the point of using Windows credentials in a WCF service. Only users who have a domain account in that Active Directory domain (or in a separate domain which has a bidirectional full-trust relationship with your domain) will be able to access the service.

> Or will all users who are able to login to the office network (using Active Directory credentials) be able to consume the service?

The WCF security boundary is the Active Directory Domain - not a particular server.

> Is there a way to ensure that only CIO-approved applications will be accessing the service, keeping the service as Windows authenticated?

How are those "CIO-approved" applications different from others? WCF is accessed by accounts - typically user accounts. You can limit which accounts have access to your service (by e.g. requiring those accounts to be members of a given AD group or something). You cannot really "limit" based on applications (only if those applications use specific application-level accounts to access your WCF service).

> Does this authentication check happen for each service operation call or only for the first call?

Depends on your service - if you use a per-call WCF service, then the check happens for each call. If you use a per-session WCF service with "security negotiation" turned on, then the check happens once at the beginning of the session and not anymore until the session ends.

> Is there any way the service will be able to know the Windows credentials of the user?

Yes - OperationContext.Current.ServiceSecurityContext.WindowsIdentity IS the Windows credentials (the Windows identity) used to call your service. It's a lot more than just the user name.
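An added example that is not part of the answer, covering two of its points in one service: limiting access to members of a given AD group (the answer's response to the "CIO-approved applications" question) and reading what the WindowsIdentity carries beyond the user name (the answer's last point). The domain, group name and endpoint address are assumptions; `CONTOSO\WcfReportReaders` is a placeholder for whatever group your directory administrators create.

```csharp
// Added example (not from the original answer): restrict a Windows-authenticated WCF
// service to one AD group, and log what the caller's WindowsIdentity contains.
// The domain, group name and endpoint address are assumptions.
using System;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.Text;

[ServiceContract]
public interface IReportService
{
    [OperationContract]
    string GetReport();
}

public class ReportService : IReportService
{
    // Declarative check: the caller must be a member of this AD group, otherwise WCF
    // throws SecurityAccessDeniedException before the method body runs. Role names
    // resolve to Windows groups because the host sets PrincipalPermissionMode.UseWindowsGroups.
    [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\WcfReportReaders")] // assumed group
    public string GetReport()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous)
            throw new FaultException("Windows authentication required.");

        WindowsIdentity caller = ctx.WindowsIdentity;

        // Imperative form of the same group check, for when the group name comes from config.
        var principal = new WindowsPrincipal(caller);
        if (!principal.IsInRole(@"CONTOSO\WcfReportReaders"))
            throw new FaultException("Caller is not a member of the report readers group.");

        Console.WriteLine(DescribeCaller(caller)); // audit line; stdout stands in for a real log
        return "report for " + caller.Name;
    }

    // Everything below is read from the identity itself; no extra directory query is made.
    public static string DescribeCaller(WindowsIdentity id)
    {
        var sb = new StringBuilder();
        sb.Append("user=").Append(id.Name);
        sb.Append(" sid=").Append(id.User);                          // stable across renames
        sb.Append(" auth=").Append(id.AuthenticationType);          // "Kerberos" or "NTLM"
        sb.Append(" impersonation=").Append(id.ImpersonationLevel); // level the caller allowed
        sb.Append(" groups=");
        foreach (IdentityReference group in id.Groups)
        {
            try
            {
                sb.Append(group.Translate(typeof(NTAccount)).Value).Append(';');
            }
            catch (IdentityNotMappedException)
            {
                sb.Append(group.Value).Append(';'); // SID with no resolvable name: keep the SID
            }
        }
        return sb.ToString();
    }
}

public static class Program
{
    public static void Main()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        var baseAddress = new Uri("http://SERV1:8000/reports"); // assumed address
        using (var host = new ServiceHost(typeof(ReportService), baseAddress))
        {
            host.AddServiceEndpoint(typeof(IReportService), binding, "");
            // Make [PrincipalPermission] roles match Windows group membership.
            host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;
            host.Open();
            Console.WriteLine("Listening; press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

Two things worth watching in the logged line: `auth=NTLM` on a network where Kerberos is expected usually means the service principal name is missing or the client could not reach a domain controller, and `impersonation=Identification` means the caller deliberately withheld the right to be impersonated, which is the safe default for clients that only need to be recognised. Per-session bindings cache the group check with the session, as the answer notes, so a group membership change takes effect only on the next session.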
