从不在域上的客户端连接到域上托管的 WCF 服务

发布于 2024-10-20 05:26:18 字数 212 浏览 5 评论 0原文

我想要一个示例或解释,说明当客户端不在域中时如何将客户端连接到 wcf 服务。

我想有一种方法可以指定客户端的域凭据,并且 wcf 服务可以与权限 (dc) 通信以查看客户端是否安全。

我按照 msdn 上的示例进行操作,可以连接以查看元数据(可用的方法),但是在使用 wshttpbinding 时,我收到“从另一方收到不安全或不正确安全的错误”。

提前致谢!

I would like an example or explanation of how to connect a client to a wcf service when the client is not on the domain.

I imagine there is a way to specify domain credentials with the client and the wcf service could talk to the authority (dc) to see if the client is secure.

I followed the examples on the msdn and can connect to see the metadata (methods available) but when using wshttpbinding I get "An unsecured or incorrectly secured fault was received from the other party".

Thanks in advance!

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

友欢 2024-10-27 05:26:18

默认情况下,wsHttpBinding 将使用 Windows 凭据 - 仅当您的服务和调用客户端都是同一域的成员(或具有相互信任关系的域的成员)时,这才有效。

如果您想使用用户名/密码进行身份验证,则需要执行许多操作:

  • 服务需要证书来向调用者验证自身身份,并提供用于交换用户名/密码和消息的加密机制。因此,您需要创建一个安全证书并将其安装在服务器计算机上,并进行配置:

    ;
      <行为>
         <服务行为>
            <行为名称=“互联网”>
                <服务凭证 
                     findValue =“我的服务证书”
                     storeLocation =“本地机器”
                     店名=“我的”
                     X509FindType="FindBySubjectName" />
            
         <服务行为>
      <行为>
      <服务>
          <服务名称=“MyService”behaviorConfiguration=“Internet”>
             ......
         
      
    
    
  • 客户端需要设置一个配置来定义具有消息安全性的wsHttpBinding以及用户名/密码客户凭证

    ;
      <绑定>
         ;
            <绑定名称=“UserNameWS”>
                <安全模式=“消息”>
                    
                
            
         ;
      <绑定>
      <客户端>
          <端点名称=“默认”
              地址=“…………”
              绑定=“wsHttpBinding”绑定配置=“UserNameWS”
              合同=“…………”/>
      
    
    
  • 在服务器端,您需要设置一个验证这些用户名/密码的机制 - 通常,最简单的方法是使用 ASP.NET 会员系统

    ;
      <行为>
         <服务行为>
            <行为名称=“互联网”>
                <用户名验证
                    userNamePasswordValidationMode="MembershipProvider" /> >
                <服务凭证 
    
       ……
    
    
  • 每次客户端调用之前 使用 ASP.NET 会员系统,您需要在客户端代理上设置用户名/密码(这是您无法在配置中执行的少数操作之一 - 仅适用于代码)。

    proxy.ClientCredentials.UserName.UserName = "您的用户名";
    proxy.ClientCredentials.UserName.Password = "Top$Secret";
    

请访问 Codeplex 上的 WCF 安全指南 站点,了解有关 WCF 安全性的所有信息。

By default, wsHttpBinding will use Windows credentials - this only works if both your service and your calling client are member of the same domain (or member of domains with a mutual trust relationship).

If you want to authenticate using username/password, there's a number of things you need to do:

  • the service needs a certificate to authenticate itself to the caller, and to provide an encryption mechanism for the exchange of username/passwords and messages. So you will need to create a security certificate and install it on the server machine, and configure it:

    <system.serviceModel>
      <behaviors>
         <serviceBehaviors>
            <behavior name="Internet">
                <serviceCredentials 
                     findValue="MyServiceCertificate"
                     storeLocation="LocalMachine"
                     storeName="My"
                     X509FindType="FindBySubjectName" />
            </behavior>
         <serviceBehaviors>
      <behaviors>
      <services>
          <service name="MyService" behaviorConfiguration="Internet">
             ......
         </service>
      </services>
    </system.serviceModel>
    
  • the client needs to set up a config that defines wsHttpBinding with message security, and username/password client credentials

    <system.serviceModel>
      <bindings>
         <wsHttpBinding>
            <binding name="UserNameWS">
                <security mode="Message">
                    <message clientCredentialType="UserName" />
                </security>
            </binding>
         <wsHttpBinding>
      <bindings>
      <client>
          <endpoint name="Default"
              address="........."
              binding="wsHttpBinding" bindingConfiguration="UserNameWS"
              contract="........." />
      </client>
    </system.serviceModel>
    
  • on the server side, you need to set up a mechanism to authenticate those username/passwords - typically, the easiest way is to use the ASP.NET membership system

    <system.serviceModel>
      <behaviors>
         <serviceBehaviors>
            <behavior name="Internet">
                <userNameAuthentication
                    userNamePasswordValidationMode="MembershipProvider" />
                <serviceCredentials 
    
       .....
    </system.serviceModel>
    
  • before each call from the client, you need to set the username/password on your client-side proxy (this is one of the few things you cannot do in config - works only in code).

    proxy.ClientCredentials.UserName.UserName = "YourUserName";
    proxy.ClientCredentials.UserName.Password = "Top$Secret";
    

Read all about WCF security at the WCF Security Guidance site on Codeplex.

忆依然 2024-10-27 05:26:18

错误消息“从另一方收到不安全或不正确安全的故障”是一个相当具有误导性的消息。常见原因是客户端和服务器之间的绑定配置不同。检查服务端 web.config 的 system.serviceModel 部分,并修改您的客户端设置以匹配。

The error message "An unsecured or incorrectly secured fault was received from the other party" is a rather misleading one. A common cause is a difference in the bindings configuration between the client and the server. Check the system.serviceModel section of the web.config at the service side, and modify your client settings to match.

怀中猫帐中妖 2024-10-27 05:26:18

您可以访问元数据但无法调用服务的原因是您可能正在使用默认配置的 WsHttpBinding。它使用仅涉及服务使用的消息安全性,而不涉及服务元数据。它使用 Windows 凭据和 Windows 安全性来加密和签署消息。由于 Windows 安全性,它仅当客户端和服务器位于同一域时才有效。

您的客户端不是域的一部分 - 您可以使用消息安全性或传输安全性发送 Windows 凭据。为了保证消息安全,您必须使用默认密码验证器 clientCredentialType="UserName",并且您必须在服务行为中配置 X509 证书以支持加密和签名。在传输安全的情况下,将使用 HTTPS(在 http.sys/IIS 中配置的 X509 证书)或 TransportCredentialOnly 模式,该模式将通过 HTTP 以纯文本形式发送 Windows 用户名和密码(这是糟糕的解决方案) 。如果是传输安全设置 clientCredentialType="Basic"

The reason why you can access metadata and cannot call service is that you are using WsHttpBinding probably with default configuration. It uses message security wich is involved only for service usage - not service metadata. It uses Windows credentials and Windows security to encrypt and sign message. Because of Windows security it works only when both client and server are on the same domain.

Your client is not part of domain - you can send windows credentials either with message security or transport security. In case of message security you will have to use clientCredentialType="UserName", default password validator and you will have to configure X509 certificate in service behavior to support encryption and signing. In case of transport security will either use HTTPS (X509 certificate configured in http.sys/IIS) or TransportCredentialOnly mode which will send windows user name and password as a plain text over HTTP (this is bad solution). In case of transport security set clientCredentialType="Basic".

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文