
Kerberos authentication on a self-hosted WCF Data Service

We have a WCF Data Service which is self-hosted under a Windows service (not using IIS) which we are currently working to secure using SSL and Windows Authentication.

After some time playing around with netsh and server certificates, we now have the service secured with SSL and we have also enabled Windows Authentication on the webHttpBinding in our app.config - however we are now seeing some strange behaviour when attempting to authenticate certain users - some can log in fine, others have their credentials rejected and are prompted with HTTP 400 errors.

After some testing and digging around it would appear that we might be running into this problem, where the authentication header used by Kerberos may be greater than the maximum permitted header length (which I believe is 16k) for certain users - and although there is a documented workaround for IIS, there does not appear to be an equivalent setting we can use for a self-hosted service, or in our app.config - unless I'm missing something? We tried setting the maxReceivedMessageSize and maxBufferSize fields to their maximum values to see if that would make any difference, but apparently not.

Binding config:

  <webHttpBinding>
    <binding name="DataServicesBinding"
             maxReceivedMessageSize="2147483647"
             maxBufferSize="2147483647">
      <security mode="Transport">
        <transport clientCredentialType="Windows" />
      </security>
    </binding>
  </webHttpBinding>

We've managed to work around this issue temporarily by setting the clientCredentialType in our binding to use Ntlm instead, but we'd like to get Kerberos working if possible for obvious reasons.

So, as it turns out, this was caused by our service not being configured with a SPN (Service Principal Name). This can be done using the setspn tool with Windows Server. (See this MSDN article for more information.)

Once the SPN was applied, Kerberos authentication started to work as expected.
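As an added example (not part of the answer above), the setspn steps the answer refers to, written out for a self-hosted service. The host name and service account are placeholders, and the assumption is that the Windows service runs under a domain account; if it runs as Local System or Network Service, the HOST/ SPN on the computer account already covers HTTP and no extra registration is needed.

```powershell
# Added example, not from the answer above. Placeholder values; replace with your own.
$ServiceFqdn    = "svc01.corp.example"    # assumption: the host name clients put in the service URL
$ServiceAccount = "CORP\svc-dataservice"  # assumption: the domain account the Windows service runs as

# 1. List the SPNs already registered on the service account.
setspn -L $ServiceAccount

# 2. Query the forest for the HTTP SPN before adding it. A duplicate SPN on another
#    account makes Kerberos fail and clients silently fall back to NTLM.
setspn -Q "HTTP/$ServiceFqdn"

# 3. Register the SPN. -S checks for duplicates first, unlike -A.
setspn -S "HTTP/$ServiceFqdn" $ServiceAccount
# Register the short-name form as well, for clients that use the NetBIOS name in the URL.
setspn -S "HTTP/$($ServiceFqdn.Split('.')[0])" $ServiceAccount

# 4. On a client, request a ticket for the service to confirm the SPN resolves.
#    If this succeeds, the client will use Kerberos rather than NTLM for the binding.
klist get "HTTP/$ServiceFqdn"
```

The SPN must match the host name the client actually uses in the URL; a mismatch (for example, a CNAME or a load-balanced name not registered as an SPN) reproduces the same fallback-to-NTLM behaviour described in the question.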

Use wireshark to see what the client sends. Make sure that this input is correct and then come back.
