【Question title】: Share Windows identity between WCF services with WSDualHttpBinding
【Posted】: 2019-08-23 13:38:50
【Question description】:

I have two WCF services, each hosted separately in IIS 7. The first is callable from outside and uses WebHttpBinding with Windows authentication. The second is only called by the first and uses WsDualHttpBinding.

When the first service is called, I can get the user's Windows name from ServiceSecurityContext.Current.WindowsIdentity.Name. In the second service this does not work: ServiceSecurityContext.Current.WindowsIdentity.Name is just IIS APPPOOL\DefaultAppPool.

I configured the WsDualHttpBinding to use Windows authentication, but that did not help. This is the server-side configuration:

<wsDualHttpBinding>
  <binding name="internalHttpBinding">
    <security mode="Message">
      <message clientCredentialType="Windows"/>
    </security>
  </binding>
</wsDualHttpBinding>

This is the code in the first service that sets up communication with the second:

using System;
using System.Net;
using System.Security.Principal;
using System.ServiceModel;

// IMyService (the duplex contract) and MyServiceCallback (its callback) are defined elsewhere.
public class MyService
{
    private WSDualHttpBinding binding = new WSDualHttpBinding();
    private ChannelFactory<IMyService> factory;
    public IMyService Contract { get; set; }
    public MyServiceCallback Callback { get; set; }

    public MyService(Uri uri)
    {
        EndpointAddress address = new EndpointAddress(uri);
        Callback = new MyServiceCallback();
        var instanceContext = new InstanceContext(Callback);

        // Message security with Windows credentials, matching the server-side binding
        binding.Security.Mode = WSDualHttpSecurityMode.Message;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        factory = new DuplexChannelFactory<IMyService>(instanceContext, binding, address);
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
        // Default credentials = the identity the first service is running under (the app pool)
        factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
        Contract = factory.CreateChannel();

        // Call operations on Contract
    }
}

How do I configure the first service so that it passes the user's identity on to the second service?

【Question discussion】:

    Tags: c# wcf windows-authentication wsdualhttpbinding


    【Solution 1】:

    This looks like a pass-through (double-hop) authentication problem. First, you need to be in an Active Directory environment. Kerberos must be used for authentication; NTLM will not work. You can check with klist: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/klist

    See also https://blogs.msdn.microsoft.com/besidethepoint/2010/05/08/double-hop-authentication-why-ntlm-fails-and-kerberos-works/ for an explanation.

    This SO post may help:

    Pass Windows credentials to remote https WCF service

    And this: https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/delegation-and-impersonation-with-wcf

    【Discussion】:

      【Solution 2】:

      After enabling impersonation on the server side and setting Windows credentials on the client,

      ServiceReference1.ServiceClient client = new ServiceReference1.ServiceClient();
      client.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;
      client.ClientCredentials.Windows.ClientCredential.UserName = "Test";
      client.ClientCredentials.Windows.ClientCredential.Password = "123456";

      we can retrieve the Windows account the service is running as with the following code.

      if (ServiceSecurityContext.Current.WindowsIdentity.ImpersonationLevel == TokenImpersonationLevel.Impersonation ||
          ServiceSecurityContext.Current.WindowsIdentity.ImpersonationLevel == TokenImpersonationLevel.Delegation)
      {
          using (ServiceSecurityContext.Current.WindowsIdentity.Impersonate())
          {
              Console.WriteLine("Impersonating the caller imperatively");
              Console.WriteLine("\t\tThread Identity            :{0}",
                  WindowsIdentity.GetCurrent().Name);
              Console.WriteLine("\t\tThread Identity level  :{0}",
                  WindowsIdentity.GetCurrent().ImpersonationLevel);
              Console.WriteLine("\t\thToken                     :{0}",
                  WindowsIdentity.GetCurrent().Token.ToString());
          }
      }
      

      Please refer to the following samples.
      https://docs.microsoft.com/en-us/dotnet/framework/wcf/samples/impersonating-the-client
      https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/delegation-and-impersonation-with-wcf
      Feel free to let me know if there is anything I can help with.

      【Discussion】:

      • Thanks for the suggestion, but I don't want to hard-code the username and password. As suggested in Rainer Schaak's answer, I'm now using Kerberos authentication.
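An added example (not code from the question or from either answer) that puts the two answers together: the first service impersonates the external caller while it opens the duplex channel, so that DefaultNetworkCredentials carries the caller's Kerberos token instead of the app-pool identity, and the second service requires impersonation so a request that only arrives as IIS APPPOOL\... is rejected. Contract names, the callback contract and the URI are assumed, and it assumes the first service's app-pool account is trusted for delegation in Active Directory; the caller passed in is ServiceSecurityContext.Current.WindowsIdentity of the first service.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.ServiceModel;

// Assumed contracts for the internal (second) service; WSDualHttpBinding needs a callback contract.
[ServiceContract(CallbackContract = typeof(IInternalCallback))]
public interface IInternalService { [OperationContract] string WhoAmI(); }
public interface IInternalCallback { [OperationContract(IsOneWay = true)] void Notify(string message); }

// Second service: WCF must be able to impersonate the caller or the operation is rejected,
// so a request that arrives only as the app-pool identity fails instead of being served.
public class InternalService : IInternalService
{
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoAmI() => WindowsIdentity.GetCurrent().Name; // external user, not IIS APPPOOL\...
}

// First service: forward the external caller's identity on the second hop.
public static class ForwardingHop
{
    public static string CallInternalAs(WindowsIdentity caller, Uri internalUri, IInternalCallback callback)
    {
        // Only a Kerberos token obtained with delegation allowed can be presented to another host;
        // an NTLM token, or one capped at Impersonation level, stops here with the app-pool identity.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new InvalidOperationException(
                "Caller token is not delegable: check Kerberos (klist), SPNs and delegation on the app-pool account.");

        var binding = new WSDualHttpBinding();
        binding.Security.Mode = WSDualHttpSecurityMode.Message;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        // Impersonate the caller while the channel is created and used, so that
        // DefaultNetworkCredentials resolves to the caller's token, not the app-pool account.
        using (caller.Impersonate())
        {
            var factory = new DuplexChannelFactory<IInternalService>(
                new InstanceContext(callback), binding, new EndpointAddress(internalUri));
            factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
            factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
            IInternalService proxy = factory.CreateChannel();
            string name = proxy.WhoAmI();
            ((IClientChannel)proxy).Close();
            factory.Close();
            return name;
        }
    }
}
```

If the guard throws, the first hop itself is the problem: run klist on the first server to confirm a Kerberos ticket (not NTLM) was used and that the account is allowed to delegate.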