能否为 Windows 身份验证和匿名配置 IIS 托管的 WCF 服务?

发布于 2024-07-23 05:24:07 字数 1472 浏览 16 评论 0原文

我有一个小型 WCF Web 服务,与内置 WCF 服务主机一起使用,并由 Visual Studio 2008 内置开发 Web 服务器托管。

在这些托管环境中,我依赖 WCF 测试客户端来调用服务方法。

现在我在下一阶段的测试中遇到了问题:

我将其托管在我的 WinXP 开发计算机上的 IIS 5.1 中,我认为问题可能是我无法再继续使用 WCF 测试客户端。 发生的情况如下:

情况 1:“匿名访问”已选中(已启用)

WCF 测试客户端 UI 正常显示,显示 WebMethods 和 INVOKE 按钮。 然而,当我单击 INVOKE 时,它无法连接需要 Windows 身份验证的后端数据存储(第 3 方产品)。 我可以发布从product.DLL 返回的错误,但我认为它不相关。

情况 2:“匿名访问”未选中(禁用)

WCF 测试客户端 UI 甚至无法正确初始化。 我对此的研究告诉我,MEX(WS-元数据交换)需要“匿名访问”并且(显然)WCF 测试客户端需要 MEX。 以下是返回错误的关键片段:

Error: Cannot obtain Metadata from http://localhost/wcfiishost
The remote server returned an error: (401) Unauthorized.HTTP GET Error
URI: http://localhost/wcfiishost    
There was an error downloading 'http://localhost/wcfiishost'.    
The request failed with the error message:
Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service

有很多关于绑定选项、消息安全性等的解释,以及我真的不明白的东西。 以下是我的看法,但我希望得到您的意见:

(a) 因为我知道我的 WCF Web 服务必须配置为使用 Windows 身份验证,所以我得出结论,在 IIS 中托管我的服务时,我无法继续使用 WCF 测试客户端。 它对我来说实际上已经失去了用处。 我只需要花时间编写一个 Web 客户端,因为如果没有 Anonymous,WCFTestClient 将无法工作。

(或)

(b)如果WCF测试客户端和托管服务配置正确,则可以使用它(我只是不知道为此有什么特殊的配置技术)。

哪个是对的? 是时候停止使用 WCFTestClient 了,还是有办法同时使用 WCFTestClient? 预先感谢您的建议。

编辑:2009 年 6 月 11 日

我还能提供什么来帮助其他人帮助我解决这个问题吗?

I've got a small WCF webservice working with the built-in WCF Service Host and with hosting by the Visual Studio 2008 built-in development webserver.

I these hosting enviroments I have relied on the WCF Test Client for invoking the service methods.

Now I am running into problems with my next phase of testing:

I have it hosted in IIS 5.1 on my WinXP dev machine and I think maybe the problem is I cannot continue to use WCF Test Client anymore. Here is what's happening:

Case 1: "Anonymous Access" is CHECKED (ENABLED)

WCF Test Client UI comes up properly, exposing the WebMethods and the INVOKE button.
Yet when I click INVOKE it fails to connect with a backend data store (a 3rd party product) that requires Windows authentication. I could post the error I get back from the product.DLL but I don't think it is relevant.

Case 2: "Anonymous Access" is un-CHECKED (DISABLED)

WCF Test Client UI fails to even initialize properly. My researching of this tells me that MEX (WS-Metadata Exchange) requires "Anonymous Access" and (apparently) WCF Test Client requires MEX. Here are key snippets of the error being returned:

Error: Cannot obtain Metadata from http://localhost/wcfiishost
The remote server returned an error: (401) Unauthorized.HTTP GET Error
URI: http://localhost/wcfiishost    
There was an error downloading 'http://localhost/wcfiishost'.    
The request failed with the error message:
Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service

The are lots of explanations of binding options, message security, etc. and stuff I honestly do not understand. Here is my take on where I am but I would love your opinions:

(a) Because I know my WCF webservice MUST be configured to use Windows Authentication, I conclude I cannot continue to use the WCF Test Client when hosting my service in IIS. That it has effectively outlived it's usefulness to me. I will just have to take the time to write a web client because WCFTestClient won't work without Anonymous.

(or)

(b) It is possible to use WCF Test Client if it and the hosted service are configured propertly (I just don't know what the special configuration techniques are for this).

Which is correct? Time to stop using WCFTestClient or is there a way to have it both ways? Thanks in advance for your advice.

EDIT: 11 June 09

Is there anything else I can provide to help someone else help me on this question?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

东北女汉子 2024-07-30 05:24:07

我只是尝试进行相同的设置 - 但就我而言,一切似乎都工作得很好。

  • ASP.NET 网站
  • WCF 服务,使用 basicHttpBinding,无需任何特殊设置
  • IIS 应用程序,匿名 = 已启用且 Windows 身份验证 = 已启用(均已打开)

我可以使用 WcfTestClient 轻松连接到它并检索元数据,然后我可以调用它,没问题。

在我的服务功能中,我检查当前用户是否是已知用户,它是否被正确识别为 Windows 身份验证用户:

    ServiceSecurityContext ssc = ServiceSecurityContext.Current;

    if (ssc.IsAnonymous)
    {
        return "anonymous user";
    }
    else
    {
        if(ssc.WindowsIdentity != null)
        {
            return ssc.WindowsIdentity.Name;
        }

        if (ssc.PrimaryIdentity != null)
        {
            return ssc.PrimaryIdentity.Name;
        }
    }

    return "(no known user)";

我真的不知道,还需要检查什么(除了我在 Vista 上) IIS7)。 您是否有机会在您的服务代码中包含此代码来检查用户? 只是为了看看......

马克

I just tried to have the same setup - but in my case, everything seems to work just fine.

  • ASP.NET web site
  • WCF service, using basicHttpBinding without any special settings at all
  • IIS Application with anonymous = enabled and Windows authentication = enabled (both turned on)

I can easily connect to it with the WcfTestClient and retrieve the metadata, and I can then call it, no problem.

Inside my service function, I check to see whether the current user is a known user or not, it is correctly identified as a Windows authenticated user:

    ServiceSecurityContext ssc = ServiceSecurityContext.Current;

    if (ssc.IsAnonymous)
    {
        return "anonymous user";
    }
    else
    {
        if(ssc.WindowsIdentity != null)
        {
            return ssc.WindowsIdentity.Name;
        }

        if (ssc.PrimaryIdentity != null)
        {
            return ssc.PrimaryIdentity.Name;
        }
    }

    return "(no known user)";

I don't really know, what more to check for (except I'm on Vista with IIS7). Any chance you could include this code to check for the user in your service code? Just to see....

Marc

呆° 2024-07-30 05:24:07

马克,你的设置与约翰斯相差甚远。

John 使用 WSHttpBinding,该绑定使用 Windows 凭据进行消息模式传输。 Windows 身份验证未与 BasicHttpBinding 一起使用。 此外,John 禁用了 AnonymousAuthentication,这就是元数据交换 (mex) 失败的原因。

该调用甚至不会到达服务端函数内部,因为当我们尝试调用时会收到错误 401(未经授权)。

只需知道约翰,我有同样的问题,我正在尝试以某种方式为每个端点设置单独的绑定。 希望这会起作用。

Marc, your setup is not even close to Johns.

John uses WSHttpBinding that uses Windows Credentials for Message mode transport. The Windows Authentication isn't being used with BasicHttpBinding. Furthermore, John had AnonymousAuthentication disabled, which is why the Metadata Exchange (mex) is failing.

The call won't even reach inside the service side function, because we get a Error 401 (Unauthorized) when we try to call.

Just know John, I have the same issue, and I'm trying to somehow set up separate bindings per endpoint. Hopefully that will work.

机场等船 2024-07-30 05:24:07

当我设置这个问题的标题/主题并在这里陷入死胡同时,我在MSDN论坛中打开了相同的问题,但标题的重点有所不同(问题的内容基本相同)。

对我来说,真正的问题是如何在未设置匿名身份验证的情况下在 IIS 中使用 WCFTestClient(因为我的服务仅需要集成 Windows 身份验证)。

Mex 显然需要 Anonymous,并且默认情况下 WCFTestClient 似乎需要 Mex。 关键似乎是适应我仔细修改 web.config 文件。

无论如何,我让它与下面的 web.config 一起工作(MSDN 链接位于此处

<?xml version="1.0"?>
<configuration>

            <endpoint address="" 
                        binding="wsHttpBinding"
                        bindingConfiguration="wsBindingConfig"
                        contract="sdkTrimFileServiceWCF.IFileService">

                                 <identity>
                                    <dns value="localhost" />
                                 </identity>
            </endpoint>

            <endpoint address="basic" 
                        binding="basicHttpBinding"
                        bindingConfiguration="bindingConfig" 
                        contract="sdkTrimFileServiceWCF.IFileService" />
        </service>
    </services>

    <bindings>
        <basicHttpBinding>
            <binding name="bindingConfig">
                <security mode="TransportCredentialOnly">
                    <transport clientCredentialType="Windows"/>
                </security>
            </binding>
        </basicHttpBinding>

        <wsHttpBinding>
            <binding name="wsBindingConfig">
                <security mode="Transport">
                    <transport clientCredentialType="Windows"/>
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>

        </serviceBehaviors>
    </behaviors>

When I set the title/subject of this question and reached a dead end here, I opened up the same issue in the MSDN forum with a different emphasis on the title (content of question essentially the same).

For me, the real issue was how to use WCFTestClient in IIS without Anonymous Authentication being set (because my service needed Integrated Windows Authentication only).

Mex apparently requires Anonymous and by default WCFTestClient seems to need Mex. The key seems to be accomodating both my doctoring up the web.config file carefully.

Anyway, I got it working with this web.config below (the MSDN link is here:

<?xml version="1.0"?>
<configuration>

            <endpoint address="" 
                        binding="wsHttpBinding"
                        bindingConfiguration="wsBindingConfig"
                        contract="sdkTrimFileServiceWCF.IFileService">

                                 <identity>
                                    <dns value="localhost" />
                                 </identity>
            </endpoint>

            <endpoint address="basic" 
                        binding="basicHttpBinding"
                        bindingConfiguration="bindingConfig" 
                        contract="sdkTrimFileServiceWCF.IFileService" />
        </service>
    </services>

    <bindings>
        <basicHttpBinding>
            <binding name="bindingConfig">
                <security mode="TransportCredentialOnly">
                    <transport clientCredentialType="Windows"/>
                </security>
            </binding>
        </basicHttpBinding>

        <wsHttpBinding>
            <binding name="wsBindingConfig">
                <security mode="Transport">
                    <transport clientCredentialType="Windows"/>
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>

        </serviceBehaviors>
    </behaviors>

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文