[英]WCF Security: incorrect credentials getting passed to service
I have a problem where I am connecting to a WCF service from ISS and it's passing in the IIS application pool credentials instead of my windows credential. 我在从ISS连接到WCF服务时遇到问题,它正在传递IIS应用程序池凭据而不是Windows凭据。 When i run the website locally by hitting F5 in VS it passes in my windows credentials which is what i want.
当我通过在VS中按F5在本地运行网站时,它将传入我想要的Windows凭据。
My website is setup to use Windows Authentication and anonymous auth is turned off. 我的网站设置为使用Windows身份验证,并且匿名身份验证已关闭。
I can see in the Windows Event Viewer that it's not using Kerberos to connect to the box IIS is on, it's using NTLM. 我可以在Windows事件查看器中看到,它没有使用Kerberos连接到IIS处于打开状态的框,而是在使用NTLM。 But i can see that it's using Kerberos when going from IIS to my WCF service by using:
但是我可以看到,从IIS到WCF服务时,它使用以下方法使用Kerberos:
OperationContext.Current.ServiceSecurityContext.PrimaryIdentity.AuthenticationType.ToString()
I think it should be using Kerberos when connecting to the IIS box so an ideas there would be appreciated? 我认为在连接到IIS盒时应该使用Kerberos,这样您的想法会受到赞赏吗?
The boxes and user are setup to allow delegation and i have enables NETTCP communication etc on my 框和用户已设置为允许委派,并且我已启用NETTCP通信等
Here is my host config which is hosted using a console app on the same server as the IIS server: 这是我的主机配置,该主机配置是使用控制台应用程序与IIS服务器位于同一服务器上承载的:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="defaultBinding" closeTimeout="02:02:00" openTimeout="02:01:00"
receiveTimeout="02:10:00" sendTimeout="02:02:00" maxBufferSize="2147483647"
maxReceivedMessageSize="2147483647">
<security mode="Transport" >
<transport clientCredentialType="Windows"/>
</security>
</binding>
</netTcpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="defaultClientBehavior">
<clientCredentials />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="ServiceConfigBehavior">
<serviceMetadata httpGetEnabled="false" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceAuthorization impersonateCallerForAllOperations="true" />
<serviceCredentials>
<windowsAuthentication includeWindowsGroups="true" allowAnonymousLogons="false" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="ServiceConfigBehavior"
name="ServiceConfig">
<endpoint address="" behaviorConfiguration="" binding="netTcpBinding"
bindingConfiguration="defaultBinding" contract="IServiceConfig">
<identity>
<servicePrincipalName value="nettcp/RDM" />
<dns value="" />
</identity>
</endpoint>
<endpoint address="mex" binding="mexTcpBinding" bindingConfiguration=""
contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="net.tcp://ServerName:8731/ServiceConfig/" />
</baseAddresses>
</host>
</service>
</services>
</system.serviceModel>
</configuration>
Here is my client config: 这是我的客户端配置:
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<netTcpBinding>
<binding name="NetTcpBinding_IServiceConfig" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions"
hostNameComparisonMode="StrongWildcard" listenBacklog="10" maxBufferPoolSize="524288"
maxBufferSize="65536" maxConnections="10" maxReceivedMessageSize="65536">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Transport">
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
<message clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
</bindings>
<client>
<endpoint address="net.tcp://syrwp01:8731/ServiceConfig/"
behaviorConfiguration="defaultClientBehavior" binding="netTcpBinding"
bindingConfiguration="NetTcpBinding_IServiceConfig" contract="ServiceReference1.IServiceConfig"
name="NetTcpBinding_IServiceConfig">
<identity>
<servicePrincipalName value="nettcp/RDM" />
</identity>
</endpoint>
</client>
</system.serviceModel>
And here's the service method that's called: 这就是所谓的服务方法:
[OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
public string PrintMessage(string msg)
{
Console.WriteLine(DateTime.Now.ToString());
WindowsIdentity callerWindowsIdentity = ServiceSecurityContext.Current.WindowsIdentity;
Console.WriteLine("AuthenticationType: " + OperationContext.Current.ServiceSecurityContext.PrimaryIdentity.AuthenticationType.ToString());
Console.WriteLine("WindowsIdentity.GetCurrent(): {0}", WindowsIdentity.GetCurrent().Name);
using (ServiceSecurityContext.Current.WindowsIdentity.Impersonate())
{
Console.WriteLine("WindowsIdentity.GetCurrent(): {0}", WindowsIdentity.GetCurrent().Name);
}
Console.WriteLine("Method called successfully!");
}
Sounds like a case of the Double Hop Problem . 听起来像是双跳问题 。 The server can't pass along impersonation of credentials it received over the network to another host in most situations.
在大多数情况下,服务器无法将通过网络收到的凭据的模拟传递给另一台主机。
Here's a blog post describing this phenomenon in more detail. 这是一篇博客文章 ,更详细地描述了这种现象。
Make sure that you specify 确保您指定
<system.web>
<identity impersonate="true" />
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
</system.web>
This ensures that Anonymous Login is not allowed. 这样可以确保不允许匿名登录。
Additionally, if you want to pass your creds to the WCF Service you need to use Delegation. 此外,如果您想将凭据传递给WCF服务,则需要使用“委托”。 Create a behavior in your websites web.config like this:
在您的网站web.config中创建如下行为:
<behaviors>
<endpointBehaviors>
<behavior name="DelegationBehavior">
<callbackDebug includeExceptionDetailInFaults="true" />
<clientCredentials>
<windows allowedImpersonationLevel="Delegation" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
and use it in your endpoint via behaviorConfiguration="DelegationBehavior"
. 并通过
behaviorConfiguration="DelegationBehavior"
在您的端点中使用它。
If this does not work, try to add <serviceAuthenticationManager authenticationSchemes="IntegratedWindowsAuthentication" />
to the <serviceBehavior>
-Tag in the WCF's web.config. 如果这不起作用,请尝试将
<serviceAuthenticationManager authenticationSchemes="IntegratedWindowsAuthentication" />
到WCF的web.config中的<serviceBehavior>
-Tag中。
And don't forget to decorate your WCF methods with: 并且不要忘记用以下方法装饰WCF方法:
[OperationBehavior(Impersonation = ImpersonationOption.Required)]
or, alternatively you can impersonate every call via an additional tag in <serviceBehavior>
: 或者,您也可以通过
<serviceBehavior>
的附加标签来模拟每个呼叫:
<serviceAuthorization impersonateCallerForAllOperations="true" />
I'm currently experiencing another issue, but my configuration that should work for your scenario is posted here: My Stackoverflow Post 我当前遇到另一个问题,但是我的配置适用于您的情况,发布在这里: 我的Stackoverflow发布
I know this is a very old post, but hopefully this was helpful to someone experiencing the same problem. 我知道这是一篇很老的文章,但希望这对遇到相同问题的人有所帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.