Share windows identity between WCF services with WSDualHttpBinding
I have two WCF services hosted separately in IIS 7. The first service is callable from outside and uses WebHttpBinding with Windows authentication. The second service is used only by the first, over WsDualHttpBinding.

When the first service is called, I can get the user's Windows name from ServiceSecurityContext.Current.WindowsIdentity.Name. In the second service this does not work, and ServiceSecurityContext.Current.WindowsIdentity.Name is just IIS APPPOOL\DefaultAppPool.

I configured the WsDualHttpBinding to use Windows authentication, but that did not help. Here is the server-side configuration:
<wsDualHttpBinding>
  <binding name="internalHttpBinding">
    <security mode="Message">
      <message clientCredentialType="Windows"/>
    </security>
  </binding>
</wsDualHttpBinding>
Here is the code in the first service that sets up communication with the second service:
using System;
using System.Net;
using System.Security.Principal;
using System.ServiceModel;

public class MyService
{
    private WSDualHttpBinding binding = new WSDualHttpBinding();
    private ChannelFactory<IMyService> factory;

    public IMyService Contract { get; set; }
    public MyServiceCallback Callback { get; set; }

    public MyService(Uri uri)
    {
        EndpointAddress address = new EndpointAddress(uri);
        Callback = new MyServiceCallback();
        var instanceContext = new InstanceContext(Callback);

        // Message security with Windows credentials, matching the server-side binding config
        binding.Security.Mode = WSDualHttpSecurityMode.Message;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        factory = new DuplexChannelFactory<IMyService>(instanceContext, binding, address);
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
        // DefaultNetworkCredentials is the identity of the current process/thread (here the app pool)
        factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
        Contract = factory.CreateChannel();
        // Call operations on Contract
    }
}
How do I configure the first service so that it passes the user's identity on to the second service?
Passing the authentication through seems to be the problem. First, you need to be in an Active Directory environment. Kerberos must be used for authentication; NTLM will not work. You can check this with klist: https://docs.microsoft.com/zh-cn/windows-server/administration/windows-commands/klist

Perhaps this article can help you:

Here it is: https://docs.microsoft.com/zh-cn/dotnet/framework/wcf/feature-details/delegation-and-impersonation-with-wcf

After enabling impersonation on the server side, and with Windows credentials set on the client,
ServiceReference1.ServiceClient client = new ServiceReference1.ServiceClient();
client.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;
// sample credentials used for illustration only
client.ClientCredentials.Windows.ClientCredential.UserName = "Test";
client.ClientCredentials.Windows.ClientCredential.Password = "123456";
we can use the following code to retrieve the Windows account the service is running as.
if (ServiceSecurityContext.Current.WindowsIdentity.ImpersonationLevel == TokenImpersonationLevel.Impersonation ||
    ServiceSecurityContext.Current.WindowsIdentity.ImpersonationLevel == TokenImpersonationLevel.Delegation)
{
    using (ServiceSecurityContext.Current.WindowsIdentity.Impersonate())
    {
        Console.WriteLine("Impersonating the caller imperatively");
        Console.WriteLine("\t\tThread Identity :{0}",
            WindowsIdentity.GetCurrent().Name);
        Console.WriteLine("\t\tThread Identity level :{0}",
            WindowsIdentity.GetCurrent().ImpersonationLevel);
        Console.WriteLine("\t\thToken :{0}",
            WindowsIdentity.GetCurrent().Token.ToString());
    }
}
Please refer to the following samples.
https://docs.microsoft.com/en-us/dotnet/framework/wcf/samples/impersonating-the-client
https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/delegation-and-impersonation-with-wcf
Feel free to let me know if there is anything I can help with.
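The following is an added example that is not part of the question or the answer above. It puts the two halves of the answer together: the internal (second) service declares that its operation requires impersonation, and the external (first) service opens its duplex channel to the internal service while impersonating its own caller, so the caller's Kerberos ticket rather than the app pool's is presented on the second hop. The contract names, the callback class, the service URI and the WhoAmI operation are placeholders; the example assumes an Active Directory domain where Kerberos is used (the answer notes NTLM will not work) and where the first service's account has been permitted to delegate to the second service, since a token with only Impersonation level cannot be forwarded to a further machine.

```csharp
using System;
using System.Net;
using System.Security;
using System.Security.Principal;
using System.ServiceModel;

// Placeholder contracts (assumption: not the poster's real interfaces).
[ServiceContract(CallbackContract = typeof(IMyServiceCallback))]
public interface IMyService
{
    [OperationContract]
    string WhoAmI();
}

public interface IMyServiceCallback
{
    [OperationContract(IsOneWay = true)]
    void Notify(string message);
}

[CallbackBehavior(UseSynchronizationContext = false)]
public class MyServiceCallback : IMyServiceCallback
{
    public void Notify(string message) { Console.WriteLine("callback: " + message); }
}

// Second (internal) service: WCF impersonates the caller for the duration of the operation,
// so WindowsIdentity.GetCurrent() reports the end user instead of IIS APPPOOL\DefaultAppPool.
public class MyInternalService : IMyService
{
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoAmI()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        return id.Name + " (" + id.ImpersonationLevel + ")";
    }
}

// First (external) service: forwards its own caller's identity to the internal service.
public class ExternalFacade
{
    private readonly DuplexChannelFactory<IMyService> factory;

    public ExternalFacade(Uri internalUri)   // internalUri is an assumed placeholder
    {
        var binding = new WSDualHttpBinding();
        binding.Security.Mode = WSDualHttpSecurityMode.Message;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        var callbackContext = new InstanceContext(new MyServiceCallback());
        factory = new DuplexChannelFactory<IMyService>(callbackContext, binding, new EndpointAddress(internalUri));

        // Delegation level is what allows the second service to act for the original user;
        // with Impersonation only, the token cannot be used off the first machine.
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;
        // DefaultNetworkCredentials resolves to whichever identity the thread is running as
        // at the time the channel is used, which is why the call below runs under Impersonate().
        factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
    }

    public string ForwardWhoAmI()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;

        // Same guard as the answer's snippet: refuse a token that cannot be impersonated.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Impersonation &&
            caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            throw new SecurityException("Caller token level " + caller.ImpersonationLevel +
                " cannot be impersonated; check the Kerberos ticket with klist.");
        }

        // Create and use the channel while impersonating, so the outbound Windows credential
        // is the caller's and not the app pool's.
        using (caller.Impersonate())
        {
            IMyService proxy = factory.CreateChannel();
            try
            {
                return proxy.WhoAmI();
            }
            finally
            {
                ((ICommunicationObject)proxy).Close();
            }
        }
    }
}
```

If the internal service still reports the app-pool account, the usual reasons are that the caller's ticket is NTLM rather than Kerberos (visible with klist), or that the app-pool account has not been granted delegation to the internal service's SPN in Active Directory; the delegation-and-impersonation article linked in the answer covers both settings.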