.NET:通过传输层传输用户凭据

发布于 2024-09-25 04:23:02 字数 188 浏览 6 评论 0原文

通过传输层传输用户凭据(Active Directory)的最佳/最简单方法是什么?

我有两个系统 A 和 B 与第 3 方消息层 C 连接。

有没有什么方法(在 .NET 中最好)以某种方式存储/序列化 A 侧经过身份验证的用户的凭据,通过 C 传输它,然后到在 B 端对其进行反序列化,然后使用反序列化的凭据调用下游系统 D?

What is the best/simplest way to transmit the user credentials (Active Directory) over the transport layer.

I have two systems A and B connected with a 3rd party message layer C.

Is there any way (preferable in .NET) to somehow store/serialize the credentials of the authenticated user on the side A, transmit it over the C, then to de-serialize it on side B and then to make a call to the downstream system D using the de-serialized credentials?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

朦胧时间 2024-10-02 04:23:02

要将凭证“骡子”到另一个可以由 AD 身份验证前端之一进行身份验证的系统,您需要一个模拟友好协议(例如 Kerberos)、原始凭证本身(有时称为“基本”或“用户名”) /password”,但在某些情况下也可以是类似 RSA 密钥对的东西)以及可选的用于包装这些凭证的框架(例如 WS-Sec、SAML)。

Windows LSA 生成的访问令牌仅在生成令牌的系统上有效 -如果您将令牌从一个系统序列化和反序列化到另一个系统,LSA 不会接受它作为该进程已由该目标系统进行身份验证并且有权访问系统上任何安全资源的证据。否则,您就会谈论一个遭受重放攻击的系统(从一个盒子中获取安全上下文并重放它 - 恶意或以其他方式,安全威胁模型不会关心 - 在另一个盒子上)。

因此,“最简单”的方法是让您的代码提示用户输入用户名和密码。这也是最容易出现安全缺陷的情况,如果他们的应用程序做了如此粗鲁的事情,任何有正确想法的组织都会感到窒息,但这是一个理论上的选择。

更好的办法是找到一种系统间通信的方法,包括对身份验证协议的嵌入式支持 - 请参阅 GSS-API,了解通常可在这些上下文中使用的跨平台 API。

To "mule" credentials to another system that can be authenticated by one of AD's authentication front-ends, you need either an impersonation-friendly protocol (such as Kerberos), the raw credentials themselves (sometimes referred to as "basic" or "username/password", but could also under certain circumstances be something like an RSA keypair) and optionally a framework in which to wrap those credentials (e.g. WS-Sec, SAML).

The access token generated by Windows' LSA is only valid on the system on which the token was generated - if you serialized and deserialized a token from one system to another, the LSA wouldn't accept it as proof that the process had been authenticated by that target system and had any right to access any secured resource on the system. Otherwise you'd be talking about a system subject to replay attacks (taking the security context from one box and replaying it - maliciously or otherwise, the security threat model wouldn't care - on another).

So the "easiest" way to do this is for your code to prompt the user to type in their username and password. This is also the scenario most subject to security flaws, and any right-minded organization would choke if their applications did something this crude, but it is a theoretical option.

Better would be to find a way for the inter-system communication to include embedded support for an authentication protocol - see GSS-API for one cross-platform API that is often serviceable in these contexts.

债姬 2024-10-02 04:23:02

这就是所谓的模拟,但如果没有底层系统的任何细节,我无法真正判断是否会支持这一点。

如果系统是基于WCF的,这绝对是可能的。此 MSDN 页面包含所有详细信息。

That is called impersonation, but without any details on the underlying systems, I cannot really tell if that will be supported.

If the system is based on WCF, this is definitely possible. This MSDN page contains all the details.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文