WCF服务获取的调用者身份(网络服务帐户)已过时
我们有一个使用 TCP 绑定的 WCF 服务,托管在 Windows 服务中。 WCF 服务由 ASP.NET Web 应用程序调用。
当调用WCF服务时,我想检查调用身份是否是特定本地组的成员。实现此目的的几种方法是:
[PrincipalPermission(SecurityAction.Demand, Authenticated = true, Role = "MyGroupName")]
Thread.CurrentPrincipal.IsInRole("MyGroupName");
new WindowsPrincipal(ServiceSecurityContext.Current.WindowsIdentity).IsInRole("MyGroupName")
当我们的 ASP.NET Web 应用程序托管在 Windows 2003/IIS6 中时,它在 NETWORK SERVICE 帐户下运行。这意味着必须将 NETWORK SERVICE 添加到本地组中才能使 WCF 代码正确运行。但是,如果我将帐户添加到组,然后测试我的应用程序(使用上述任何方法来测试组成员身份),代码似乎认为 NETWORK SERVICE 不是该组的成员。
我编写了一个简单的 ASP.NET 页面来执行相同的组成员资格测试。我发现网页只能在我执行iisreset后才识别出NETWORK SERVICE已加入该组。但是,重置 IIS 不会对我的 WCF 服务产生任何影响。我什至尝试重新启动托管我的 WCF 服务的 Windows 服务,但没有任何区别。直到我重新启动计算机后,WCF 代码才意识到 NETWORK SERVICE 是该组的成员。
我试图理解为什么我的简单 ASP.NET 页面与 WCF 服务的行为会有所不同,特别是当它们使用相同的代码并且都报告相同的身份名称(NT AUTHORITY\NETWORK SERVICE)时。有谁知道吗?
在 Windows 2008(我的 Web 应用程序也在网络服务下运行)或 Windows 2008 R2(它作为应用程序池标识帐户运行)上不会出现此问题。
感谢您的帮助!
We have a WCF service using TCP binding, hosted in a Windows service. The WCF service is called by an ASP.NET web application.
When the WCF service is called, I would like to check whether the calling identity is a member of a particular local group. A few ways to do this are:
[PrincipalPermission(SecurityAction.Demand, Authenticated = true, Role = "MyGroupName")]
Thread.CurrentPrincipal.IsInRole("MyGroupName");
new WindowsPrincipal(ServiceSecurityContext.Current.WindowsIdentity).IsInRole("MyGroupName")
When our ASP.NET web application is hosted in Windows 2003/IIS6, it runs under the NETWORK SERVICE account. This means that NETWORK SERVICE must be added to the local group in order for the WCF code to run correctly. However, if I add the account to the group and then test my application (using any of the approaches above to test for group membership), the code seems to think that NETWORK SERVICE is not a member of the group.
I wrote a simple ASP.NET page that performed the same group membership tests. I found that the web page would only recognise that NETWORK SERVICE had joined the group after I performed an iisreset. However, resetting IIS does not make any difference to my WCF service. I even tried restarting the Windows service that hosts my WCF service, and it made no difference. It was only once I restarted the computer that the WCF code realised that NETWORK SERVICE was a member of the group.
I am trying to understand why there would be a difference in the behaviour of my simple ASP.NET page versus my WCF service, particularly when they are using the same code and they both report the same identity name (NT AUTHORITY\NETWORK SERVICE). Does anyone know?
This problem does not occur on Windows 2008 (where my web application is also running under NETWORK SERVICE) or on Windows 2008 R2 (where it is running as the application pool identity account).
Thanks for any help!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论