
WCF Rest service Windows authentication via Browser

Given is a WCF REST service which runs with HttpClientCredentialType.Windows and forces a user to authenticate via Kerberos.

    using System;
    using System.Collections.Generic;
    using System.ServiceModel;
    using System.ServiceModel.Description;
    using System.ServiceModel.Web;

    public class Program
    {
        private static void Main(string[] args)
        {
            Type serviceType = typeof(AuthService);
            ServiceHost serviceHost = new ServiceHost(serviceType);

            // Windows (Negotiate/Kerberos) client credentials over plain HTTP
            WebHttpBinding binding = new WebHttpBinding();
            binding.Security.Mode = WebHttpSecurityMode.TransportCredentialOnly;
            binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

            ServiceEndpoint basicServiceEndPoint = serviceHost.AddServiceEndpoint(typeof(IAuthService), binding, "http://notebook50:87");
            basicServiceEndPoint.Behaviors.Add(new WebHttpBehavior());

            Console.WriteLine("wcf service started");
            serviceHost.Open();
            Console.ReadLine();
        }
    }

    public class AuthService : IAuthService
    {
        public List<string> GetUserInformation()
        {
            List<string> userInfo = new List<string>();
            // Account the service process itself runs under
            userInfo.Add("Environment.User = " + Environment.UserName);
            userInfo.Add("Environment.UserDomain = " + Environment.UserDomainName);
            if (OperationContext.Current != null && OperationContext.Current.ServiceSecurityContext != null)
            {
                // Identity of the authenticated caller and the protocol that was negotiated (Kerberos or NTLM)
                userInfo.Add("WindowsIdentity = " + OperationContext.Current.ServiceSecurityContext.WindowsIdentity.Name);
                userInfo.Add("Auth protocol = " + OperationContext.Current.ServiceSecurityContext.WindowsIdentity.AuthenticationType);
            }
            else
            {
                userInfo.Add("WindowsIdentity = empty");
            }
            WebOperationContext.Current.OutgoingResponse.ContentType = "text/plain";
            return userInfo;
        }
    }

    [ServiceContract]
    public interface IAuthService
    {
        [OperationContract]
        [WebInvoke(Method = "GET", ResponseFormat = WebMessageFormat.Json, UriTemplate = "test/")]
        List<string> GetUserInformation();
    }

When I run this as a console application, and then open the website http://notebook50:87/test/ in Internet Explorer from another computer, I get a 'bad request' response. I did enable Kerberos logging, and it shows me KDC_ERR_PREAUTH_REQUIRED.

I can solve this problem by creating a Windows service and running it under the 'Local System account'. In this case, a client is able to authenticate.

Question: What permissions/settings does a user (which runs this WCF service) need in order to get the same behavior as when the application is running as a Windows service under Local System? Is this related to the Service Principal Name?

It is working now. It really was a problem with the SPN. At the beginning, I set the SPN like setspn -A HTTP/notebook50.foo.com, and with this, the Kerberos authentication didn't work.

Now, I've set it like setspn -A HTTP/notebook50.foo.com username, where username is the user under which the service runs.

From the SPN documentation I've read, it was not clear to me that I have to set the user account in this way.

It would be great if someone could explain what happens here, and probably give a link to documentation for this scenario.

You can stop this error from appearing by enabling the "Do not require Kerberos preauthentication" option for that user account in Active Directory Users and Computers -> Properties -> Account.
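The following is an added example, not part of the question or the answer above, written from the operator's side to check the two things this thread turns on: the SPN registration that fixed the asker's problem, and the pre-authentication flag the answer proposes. Under Local System the service authenticates with the computer account, whose HOST/ SPN covers HTTP by the default SPN mappings, which is why no extra SPN was needed there; a domain user account has no such mapping, so HTTP/notebook50.foo.com must be registered on that account (and on nothing else) before the KDC can issue a ticket for it. The account name FOO\svc-authservice is an assumed placeholder; the hostname, SPN and endpoint are the ones from the question, and the script assumes the RSAT ActiveDirectory module on a domain-joined workstation.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not the asker's or answerer's code). Assumptions: the service runs as the
# domain account 'svc-authservice' (placeholder), host notebook50.foo.com, port 87.

$serviceAccount = 'svc-authservice'             # assumed service account (placeholder)
$spn            = 'HTTP/notebook50.foo.com'     # SPN from the question
$endpoint       = 'http://notebook50:87/test/'  # endpoint from the question

# 1. The SPN must be on the account the service runs as. setspn -A adds blindly;
#    setspn -S refuses to create a duplicate, which is the safer choice.
$user = Get-ADUser -Identity $serviceAccount -Properties ServicePrincipalNames, DoesNotRequirePreAuth
if ($user.ServicePrincipalNames -notcontains $spn) {
    Write-Warning "$spn is not registered on $serviceAccount. Register it with: setspn -S $spn $serviceAccount"
}

# 2. A duplicate SPN makes the KDC issue tickets encrypted for the wrong account, which
#    the service cannot decrypt; the client then typically falls back to NTLM or fails.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
if ($owners.Count -gt 1) {
    Write-Warning "$spn is registered on more than one object: $($owners.Name -join ', '). Compare with: setspn -X"
}

# 3. Keep Kerberos pre-authentication enabled. With the 'Do not require Kerberos
#    preauthentication' option set, anyone can obtain an AS-REP for the account and
#    crack it offline, so the flag is a finding to remediate rather than a fix.
if ($user.DoesNotRequirePreAuth) {
    Write-Warning "$serviceAccount has pre-authentication disabled. Re-enable it with: Set-ADAccountControl -Identity $serviceAccount -DoesNotRequirePreAuth `$false"
}

# 4. Call the service with the current user's ticket and read back which protocol the
#    service saw. 'Kerberos' means the SPN lookup succeeded; 'NTLM' means the client fell
#    back, usually because the SPN is missing or sits on the wrong account.
$response = Invoke-WebRequest -Uri $endpoint -UseDefaultCredentials -UseBasicParsing
$lines = @($response.Content | ConvertFrom-Json)   # the service returns a JSON array of strings
$lines | ForEach-Object { Write-Output $_ }
if ($lines -contains 'Auth protocol = Kerberos') {
    Write-Output 'OK: Kerberos negotiated end to end.'
} else {
    Write-Warning 'Kerberos was not negotiated; check the SPN on the service account and the client Kerberos log.'
}
```

Run it as a domain user from a machine other than notebook50, since a loopback call can succeed with NTLM even when the SPN is wrong. Steps 1 to 3 need only read access to the directory; the remediation commands in the warnings need account-management rights and are printed rather than executed.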
