
Windows Authentication / Encryption in WCF With NetTcpBinding

I'm trying to understand how Windows authentication / encryption works with the NetTcpBinding in WCF. I need to know exactly what encryption algorithm is used to encrypt the data going across the wire (and some documentation to prove it). Will Windows authentication / encryption still work if the client and/or host is not on a domain?

The netTcpBinding using Windows Credentials requires the caller and the service to be on the same domain - or at least on mutually trusting domains. Otherwise, the server won't be able to verify the Windows credentials and will refuse the service call.

As for encryption: you can even pick and choose which one you'd like! :-) TripleDES, AES - you name it, with varying key lengths, too.

See the Fundamentals of WCF Security article - it talks about all aspects of security and encryption; also see the MSDN Docs on Securing Services which goes into some more detail; a good overview can be found here showing the properties of the basicHttp transport security element.
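An added example, not part of the original answer: where these settings live on a `NetTcpBinding` in code, with a start-up check that rejects a binding that would send data unprotected. The class and method names (`BindingExamples`, `WindowsTransport`, `WindowsMessage`, `RequireEncryption`) are hypothetical; the WCF types come from `System.ServiceModel`.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Security;

static class BindingExamples
{
    // Transport security: Windows credentials, stream signed and encrypted.
    public static NetTcpBinding WindowsTransport()
    {
        var b = new NetTcpBinding(SecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        b.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        return b;
    }

    // Message security: this is where a named algorithm suite is selected.
    public static NetTcpBinding WindowsMessage(SecurityAlgorithmSuite suite)
    {
        var b = new NetTcpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        b.Security.Message.AlgorithmSuite = suite;
        return b;
    }

    // Hypothetical start-up check: refuse bindings that are not encrypted.
    public static void RequireEncryption(NetTcpBinding b)
    {
        if (b.Security.Mode == SecurityMode.None)
            throw new InvalidOperationException("netTcpBinding security is disabled");
        if (b.Security.Mode == SecurityMode.Transport &&
            b.Security.Transport.ProtectionLevel != ProtectionLevel.EncryptAndSign)
            throw new InvalidOperationException("transport stream is not encrypted");
    }

    static void Main()
    {
        var transport = WindowsTransport();
        var message = WindowsMessage(SecurityAlgorithmSuite.Basic256); // AES-256 suite
        RequireEncryption(transport);
        RequireEncryption(message);
        Console.WriteLine($"{transport.Security.Mode}: {transport.Security.Transport.ProtectionLevel}");
        // Prints the encryption algorithm URI and key length of the chosen suite.
        var suite = message.Security.Message.AlgorithmSuite;
        Console.WriteLine($"{suite.DefaultEncryptionAlgorithm} ({suite.DefaultSymmetricKeyLength} bits)");
    }
}
```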

Last year I had to implement a distributed system using WCF that required a mechanism both safe and performant across all layers of the system. We decided to create our own security architecture by creating a binary encrypted token. The encrypted token contained all permissions a given user had.

So for example a user would log in to the system and, if successfully authenticated, it would receive an encrypted token back. This token was stored locally on the web client. All further requests by the user would contain that token. The token was used in several levels of the architecture. The web server would use it to decide what visual elements to enable or disable. Since the service layer was exposed to the internet, each open door would check the token for authentication and check if that token had the proper permission to execute a given task. The business layer could check again for a more specific right included in the token.

The advantages:

  • It didn't matter if we were using NetTcpBinding or any other type of binding (and we did use more than one type of binding).
  • We saved a lot of round trips to the database
  • We could use the same token on different platforms

I know it probably doesn't answer your specific questions, but it will maybe give you some food for thought while you're still deciding on the intra-layer architecture of your system.
