在经过声明身份验证的 SharePoint 2010 中托管的 WCF 服务中的模拟

发布于 2024-10-25 06:25:56 字数 368 浏览 6 评论 0原文

我有一个 WCF 服务,它使用 wsHttpBinding 以及消息安全和 Windows 身份验证。

控制台应用程序服务客户端能够调用该服务,并且我可以看到 ServiceSecurityContext.Current.WindowsIdentity 和 Thread.CurrentPrincipal.Identity 都代表正确的用户。

正如预期的那样,当前的主体是 IClaimsIdentity。

当我尝试打开 SharePoint 网站时出现问题:我收到访问被拒绝错误,表明模拟的身份无法传递到数据库或共享点服务器。不过,这一切都在同一台机器上,因此不应该存在任何双跳身份验证问题。

这不是对索赔应用程序中托管的服务进行无头身份验证的正确方法吗?

I have a WCF service which uses wsHttpBinding with message security and windows authentication.

A console application service client is able to call the service, and I can see that both the ServiceSecurityContext.Current.WindowsIdentity and Thread.CurrentPrincipal.Identity represent the right user.

The currentprincipal is a IClaimsIdentity, as expected.

The problem occurs when I try to open a SharePoint web: I get an access denied error suggesting that the impersonated identity can't be passed to the database or sharepoint server. This is all with in the same machine though, so there shouldn't be any double-hop authentication issues.

Is this not the correct way of doing headless authentication against a service hosted in a claims application?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

你的背包 2024-11-01 06:25:56

我目前在支持声明的 SharePoint 2010 网站中部署了 WCF 服务。 WCF 服务并不奇特,我使用提供的 Microsoft.SharePoint.Client.Services.MultipleBaseAddressBasicHttpBindingServiceHostFactory 作为 WCF 服务工厂。因此,我使用工厂提供的开箱即用的 BasicHttpBinding。

我的客户端 app.config 如下所示:

<configuration>
  <system.serviceModel>
    <bindings>
      <binding name="BasicHttpBinding_MyServices" closeTimeout="00:01:00"
        openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
        allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
        maxBufferSize="200524288" maxBufferPoolSize="200524288" maxReceivedMessageSize="200524288"
        messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
        useDefaultWebProxy="true">
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
          maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Ntlm" proxyCredentialType="None" realm="" />
          <message clientCredentialType="UserName" algorithmSuite="Default" />
        </security>
      </binding>
    </bindings>
    <client>
      <endpoint address="http://localhost/_vti_bin/MyServices/MyService.svc"
        binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_MyServices"
        contract="ServiceClient.MyService.IMyService"
        name="BasicHttpBinding_IMyService" />
    </client>
  </system.serviceModel>
</configuration>

当查看我的 Thread.CurrentPrincipal.Identity 时,它是正确的。它是我当前执行用户的 ClaimsIdentity。然后,我可以简单地打开一个新的 SPSite 实例,而无需创建或使用 SPUserToken。

需要注意的一件关键事情是:在连接到 WCF 服务之前,我不会冒充我的身份。如果这就是您正在做的事情,那么除非您的 SharePoint 服务器与您的声明提供者建立了信任,否则它不太可能起作用。

I currently have WCF services that are deployed in a claims-enabled SharePoint 2010 site. The WCF services are nothing fancy and I use the provided Microsoft.SharePoint.Client.Services.MultipleBaseAddressBasicHttpBindingServiceHostFactory as the WCF service factory. Thus, I'm using the out-of-the-box BasicHttpBinding provided through the factory.

My client app.config looks as follows:

<configuration>
  <system.serviceModel>
    <bindings>
      <binding name="BasicHttpBinding_MyServices" closeTimeout="00:01:00"
        openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
        allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
        maxBufferSize="200524288" maxBufferPoolSize="200524288" maxReceivedMessageSize="200524288"
        messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
        useDefaultWebProxy="true">
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
          maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Ntlm" proxyCredentialType="None" realm="" />
          <message clientCredentialType="UserName" algorithmSuite="Default" />
        </security>
      </binding>
    </bindings>
    <client>
      <endpoint address="http://localhost/_vti_bin/MyServices/MyService.svc"
        binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_MyServices"
        contract="ServiceClient.MyService.IMyService"
        name="BasicHttpBinding_IMyService" />
    </client>
  </system.serviceModel>
</configuration>

When looking at my Thread.CurrentPrincipal.Identity, it's correct. It is a ClaimsIdentity with my currently executing user. I can then simply open a new SPSite instance without having to create or utilize an SPUserToken.

One key thing to note: I don't impersonate my identity before connecting to the WCF service. If this is what you're doing, it's not likely to work unless your SharePoint server has an established trust with your claims provider.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文