尽管在 IIS7.5 中进行了配置,但 Web 服务似乎没有进行任何身份验证
问题
我有一个 WCF Web 服务,我将其作为 IIS7.5 中的 Web 服务托管。我希望这项服务只能由两个组访问。尽管似乎没有进行任何身份验证,但 Web 服务已成功运行。
我的印象是(阅读了大量证明这一点的 MSDN 页面),真正需要做的就是在应用程序站点上启用 Windows 身份验证,禁用匿名身份验证,在 web.config 中将模式设置为 windows 并添加允许/拒绝授权部分的规则,如下所示:
<system.web>
<authentication mode="Windows" />
<compilation debug="false" strict="false" explicit="true" targetFramework="4.0" />
<pages /> <!-- Omitted -->
<authorization>
<allow roles="Managers" />
<allow roles="Operations" />
<deny users="*" />
<deny users="?" />
</authorization>
</system.web>
完成上述步骤和 web.config 更改后,进入 IIS 中的授权页面并重新加载身份验证规则后,通过 WCFTestclient 调用服务显示它正在工作完美无缺。除非我不属于这两个组中的任何一个...
问题
看起来它只是让任何人进入。我的问题是:
- 有没有办法查看 Web 服务上通过和失败的身份验证检查? (如果是这样,我可以查看是否正在进行任何类型的身份验证)。
- 上面的内容看起来正确吗?这看起来有点简单,但考虑到 Microsoft 方法,如此标准的东西设置起来相当简单,这并不牵强。
底线
我有一个带有上述 web.config 文件的服务,以及一个安装并启用了 Windows 身份验证的 IIS7.5 实例。匿名身份验证已禁用。身份验证规则是为两个组定义的,可以访问,而所有其他组则被拒绝,但尽管我位于这些组中,但我可以访问该服务。
编辑:
所以我似乎可以进行身份验证。如果我只设置了“允许所有用户”规则,我就可以访问 Web 服务。如果我制定拒绝所有用户规则,我将不再具有访问权限。但是,如果我添加我的帐户(“domain\MyAccount”作为允许(无论 web.config 中的位置如何),我仍然无权访问。
我已经更改为到达这里, 在服务定义中添加了以下内容:
<AspNetCompatibilityRequirements(RequirementsMode:=AspNetCompatibilityRequirementsMode.Required)> _
在 web.config 中添加了以下内容:
<system.web>
<authentication mode="Windows"/>
<authorization>
<deny users="*"/>
<allow users="sierra\cblissittekeps"/>
</authorization>
</system.web>
以及
<system.servicemodel>
<bindings>
<basicHttpBinding>
<binding name="ADServiceBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<system.servicemodel>
The Problem
I have a WCF webservice that I am hosting as a webservice in IIS7.5. I want this service to only be accessible by two groups. The webservice is running successfully, although there does not seem to be any authentication being done.
I was under the impression ( having read gobs of MSDN pages attesting to this) that all one really had to do was enable Windows Authentication on the Application site, disable Anonymous Authentication, set the mode to windows in the web.config and add Allow/Deny rules to the authorization section as diaplayed below:
<system.web>
<authentication mode="Windows" />
<compilation debug="false" strict="false" explicit="true" targetFramework="4.0" />
<pages /> <!-- Omitted -->
<authorization>
<allow roles="Managers" />
<allow roles="Operations" />
<deny users="*" />
<deny users="?" />
</authorization>
</system.web>
With the above steps and web.config changes done, and after going to the Authorization page in IIS and reloading the Auth rules, calling the service through the WCFTestclient shows it working flawlessly. Except I am not part of either of those two groups...
The Questions
It looks like it is just letting anyone in. My questions are these:
- Is there a way to see passed and failed authentication checks on the webservice? (If so, I can see if any kind of authentication is going on).
- Does the above look correct? It seems a bit simple, but given the Microsoft Method, it is not far fetched that something so standard would be fairly simple to set up.
Bottom-line
I have a service with the above web.config file, and an IIS7.5 instance with Windows Authentication installed and enabled. Anonymous Authentication is disabled. Auth rules are defined for two groups to have access, and all others to be denied and yet despite the fact that I am in those groups, I can access the service.
EDIT:
So I appear to have authentication working. If I only have the Allow All Users rule in place, I have access to the webservice. If I enact a Deny All Users rule, I no longer have access. However, if I add my account ("domain\MyAccount" as an allow (regardless of position in the web.config) I still don't have access.
What I have changed to get here,
Added the following to the service definition:
<AspNetCompatibilityRequirements(RequirementsMode:=AspNetCompatibilityRequirementsMode.Required)> _
Added the following to the web.config:
<system.web>
<authentication mode="Windows"/>
<authorization>
<deny users="*"/>
<allow users="sierra\cblissittekeps"/>
</authorization>
</system.web>
and
<system.servicemodel>
<bindings>
<basicHttpBinding>
<binding name="ADServiceBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<system.servicemodel>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
好吧!显然,我在原始帖子中采取的步骤实际上还不够。您必须将 aspnetcompatabilityrequirements 属性添加到服务类(实现您的服务 iterface),您必须将 aspNetCompatibility 属性添加到 serviceHostingEnvironment 标记:
而且,似乎没有人提到的事情,您的允许/拒绝规则的顺序有所作为。在拒绝所有用户之后添加允许意味着所有用户仍被拒绝。放在前面意味着除了允许的用户之外的所有用户都被拒绝。
Alright! So apparently the steps I took in the original post are not in fact enough. You have to add that aspnetcompatabilityrequirements attribute to the service class (which implements your service iterface), you have to add to the serviceHostingEnvironment tag an aspNetCompatibility attribute:
And, something that no-one seems to mention, the order of your Allow/Deny rules makes a difference. Adding an allow AFTER a Deny All Users means that all users are still denied. Putting it before means that all users are denied except the ones in the allow.