[英]Windows Authentication using WCF and Self Hosting
我已經開發了一個非常簡單的主機和客戶端,我想用它來測試WCF客戶端是否可以將登錄Windows的用戶憑據傳遞給主機服務,而無需用戶重新輸入憑據或設置安全性。
我的主機配置如下所示:
<configuration>
<system.serviceModel>
<services>
<service name="WCFTest.CalculatorService" behaviorConfiguration="WCFTest.CalculatorBehavior">
<host>
<baseAddresses>
<add baseAddress = "http://localhost:8000/WCFTest/CalculatorService/" />
<add baseAddress = "net.tcp://localhost:9000/WCFTest/CalculatorService/" />
</baseAddresses>
</host>
<endpoint address ="basicHttpEP" binding="basicHttpBinding" contract="WCFTest.ICalculatorService" bindingConfiguration="basicHttpBindingConfig"/>
<endpoint address ="netTcpEP" binding="netTcpBinding" contract="WCFTest.ICalculatorService"/>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="basicHttpBindingConfig">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="WCFTest.CalculatorBehavior">
<serviceAuthorization impersonateCallerForAllOperations="false" principalPermissionMode="UseWindowsGroups" />
<serviceCredentials >
<windowsAuthentication allowAnonymousLogons="false" includeWindowsGroups="true" />
</serviceCredentials>
<serviceMetadata httpGetEnabled="True"/>
<serviceDebug includeExceptionDetailInFaults="False" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
我的客戶端配置如下所示:
<configuration>
<configSections>
<sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >
<section name="WCFClient.Settings1" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false" />
</sectionGroup>
</configSections>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_ICalculatorService" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
<netTcpBinding>
<binding name="NetTcpBinding_ICalculatorService" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions"
hostNameComparisonMode="StrongWildcard" listenBacklog="10"
maxBufferPoolSize="524288" maxBufferSize="65536" maxConnections="10"
maxReceivedMessageSize="65536">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Transport">
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
<message clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
</bindings>
<client>
<endpoint address="http://ldndwm286380:8000/WCFTest/CalculatorService/basicHttpEP"
binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_ICalculatorService"
contract="CalcService.ICalculatorService" name="BasicHttpBinding_ICalculatorService" />
<endpoint address="net.tcp://ldndwm286380:9000/WCFTest/CalculatorService/netTcpEP"
binding="netTcpBinding" bindingConfiguration="NetTcpBinding_ICalculatorService"
contract="CalcService.ICalculatorService" name="NetTcpBinding_ICalculatorService">
</endpoint>
</client>
</system.serviceModel>
<userSettings>
<WCFClient.Settings1>
<setting name="Setting" serializeAs="String">
<value>True</value>
</setting>
</WCFClient.Settings1>
</userSettings>
</configuration>
我的客戶代碼是:
class Program
{
static void Main(string[] args)
{
Console.WriteLine("Press enter to start");
Console.ReadLine();
CalcService.ICalculatorService httpCalcService = new CalcService.CalculatorServiceClient("BasicHttpBinding_ICalculatorService");
Console.WriteLine(httpCalcService.AddValues(new int[] { 1, 2, 3 }).Value);
Console.ReadLine();
CalcService.ICalculatorService TcpCalcService = new CalcService.CalculatorServiceClient("NetTcpBinding_ICalculatorService");
Console.WriteLine(httpCalcService.AddValues(new int[] { 5, 10, 15 }).Value);
Console.ReadLine();
}
}
如果我在PC上運行客戶端,這將很好地工作。 如果我在同事的PC上運行客戶端,則會在客戶端上獲得此異常堆棧:
未處理的異常:System.ServiceModel.Security.MessageSecurityException:使用客戶端身份驗證方案“協商”對HTTP請求進行了未授權的處理。 從服務器收到的身份驗證標頭是'Nootiate oX0we6ADCgEBonQEcm BwBgkqhkiG9xIBAgIDAH5hMF + gAwIBBaEDAgEepBEYDzIwMTAwMzExMTAzNjAzWqUFAgMEDFimAwIBKakGgXJJL1QQQ5K ---> System.Net.WebException:遠程服務器返回錯誤:(401)未授權。 ---> System.ComponentModel.Win32Exception:目標主體名稱在System.Net.NTAuthentication.GetOutgoingBlob(Byte [] entryBlob,Boolean throwOnError,SecurityStatus&statusCode)處不正確
在System.Net.NegotiateClient.DoAuthenticate(字符串質詢,WebRequest WebRequest,ICredentials憑據,Boole的preAuthenticate)中的System.Net.NTAuthentication.GetOutgoingBlob(String傳入的Blob)處在System.Net.NegotiateClient.Authenticate(字符串質詢,WebRequest WebRequest,ICredentials中) System.Net.AuthenticationManager.Authenticate(字符串質詢,WebRequest請求,ICredentials憑據)處System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest,ICredentials authInfo)處System.Net.HttpWebRequest.CheckResubmitForAuth()。 HttpWebRequest.CheckResubmit(Exception&e)-內部異常堆棧跟蹤的結尾--在System.Net.HttpWebRequest.GetResponse()在System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)- -內部異常堆棧跟蹤結束-
任何幫助表示贊賞,
謝謝,
缺口
在客戶端的配置中,您需要在'endpoint'元素內添加一個附加元素,以指定運行該服務的主體。 這是一個例子:
<identity>
<servicePrincipalName value="user@mydomain.com" />
</identity>
在客戶端和主機之間建立通道時,這應允許進行正確的身份驗證。 如果該服務在其他帳戶下運行,則需要相應地調整該值(即,如果使用系統帳戶作為Windows服務運行,則類似於“ host / mymachine.mydomain.com”)。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.