WCF 服务跨域身份验证问题
我是 WCF 及其安全性的新手,因此正在寻求一些帮助来解决我遇到的问题。
我有一个 WCF 服务,要部署到小域中的每台计算机。 WCF 服务将托管在 Windows 服务中,因为它包含需要提升调用的方法。该服务目前还很草稿(它公开了元数据 - 但我相信稍后会关闭它 - 这可能吗?)。它使用 net.tcp 绑定 - 服务的 App.Config 如下所示:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<services>
<service behaviorConfiguration="SvcBehavior" name="Microsoft.ServiceModel.Samples.Svc">
<endpoint address="" binding="netTcpBinding"
contract="Microsoft.ServiceModel.Samples.ISvc" />
<endpoint address="mex" binding="mexTcpBinding" bindingConfiguration=""
contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="net.tcp://*:8100/ServiceModelSamples/service" />
</baseAddresses>
<timeouts closeTimeout="00:10:00" openTimeout="00:10:00" />
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="SvcBehavior">
<serviceMetadata httpGetEnabled="false" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
对于客户端,我有一个 Winforms C# 应用程序。该应用程序提供 2 个功能,它从服务中提取静态信息,然后为用户提供身份验证和调用管理方法的选项。因此,身份验证是在客户端级别完成的。
我正在使用 Channelfactory 连接到服务,因为主机名是可变的(在客户端启动时提示用户输入)并且客户端的 app.config 文件如下所示 - 它实际上是空的:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
</bindings>
<client />
</system.serviceModel>
</configuration>
Channelfactory 代码是:
[System.CodeDom.Compiler.GeneratedCodeAttribute("System.ServiceModel", "4.0.0.0")]
[System.ServiceModel.ServiceContractAttribute(Namespace = "http://Microsoft.ServiceModel.Samples", ConfigurationName = "ISvc")]
ChannelFactory<ISvc> myChannelFactory = new ChannelFactory<ISvc>(new NetTcpBinding(), "net.tcp://" + HostName + ":8100/ServiceModelSamples/service");
public static ISvc client = null;
我有一个也描述服务中的方法的接口。
我遇到的主要问题是这个。假设有 Machine1 和 Machine2 在 domainA 上运行。假设Machine1 托管服务,Machine2 运行客户端。
当我使用域帐户 domainA\User 连接到服务时,该服务工作正常,但说我在 Machine2 上有一个本地用户,并且希望以 < em>Machine2\LocalUser,我收到以下错误消息:
服务器已拒绝客户端凭据。
我尝试尝试将安全模式设置为无(不是我热衷于做的事情),但随后我收到一条错误消息,指出客户端和服务配置不匹配。
我可以做些什么来解决这个问题吗?另外,如果在 domainA\Machine1 上运行的服务被来自另一个域的用户调用 - 例如 domainB\User2 ,会发生什么?
提前致谢 - 我很高兴对此有一些见解!
查达
I'm new to WCF and its security so was looking for some help on a problem I'm having.
I have a WCF service that to be deployed to every machine in a small domain. The WCF service is to be hosted in a Windows Service since it has methods in it that need to be invoked elevated. The service is very draft at the moment (it exposes meta-data - but I believe this is to be turned off later - is this possible?). It uses the net.tcp binding - The App.Config of the service is shown below:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<services>
<service behaviorConfiguration="SvcBehavior" name="Microsoft.ServiceModel.Samples.Svc">
<endpoint address="" binding="netTcpBinding"
contract="Microsoft.ServiceModel.Samples.ISvc" />
<endpoint address="mex" binding="mexTcpBinding" bindingConfiguration=""
contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="net.tcp://*:8100/ServiceModelSamples/service" />
</baseAddresses>
<timeouts closeTimeout="00:10:00" openTimeout="00:10:00" />
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="SvcBehavior">
<serviceMetadata httpGetEnabled="false" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
For a client, I have a Winforms C# application. The application serves 2 functions, it pulls static information from the service and then gives the user an option to authenticate and call the administrative methods. Therefore, the authentication is done at client level.
I am using Channelfactory to connect to the service since the hostname is variable (user is prompted for it on client start-up) and the app.config file for the client is shown below - its virtually empty:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
</bindings>
<client />
</system.serviceModel>
</configuration>
The channelfactory code is:
[System.CodeDom.Compiler.GeneratedCodeAttribute("System.ServiceModel", "4.0.0.0")]
[System.ServiceModel.ServiceContractAttribute(Namespace = "http://Microsoft.ServiceModel.Samples", ConfigurationName = "ISvc")]
ChannelFactory<ISvc> myChannelFactory = new ChannelFactory<ISvc>(new NetTcpBinding(), "net.tcp://" + HostName + ":8100/ServiceModelSamples/service");
public static ISvc client = null;
I have an interface that descrives the methods in the service as well.
The main problem I am having is this. Say there is Machine1 and Machine2 running on domainA. Lets assume that Machine1 hosts the service and Machine2 runs the client.
When I connect to the service using a domain account domainA\User, the service works fine but say I have a local user on Machine2 and want to connect to the service as Machine2\LocalUser, I get the following error message:
The server has rejected the client credentials.
I have tried experimenting with setting the security mode to none (not something im keen on doing) but then I get an error saying the client and service have a configuration mismatch.
Is there something I can do to fix this? Also, what would happen if the service running on domainA\Machine1 was called by a user from another domain - say domainB\User2 ?
Thanks in advance - Id appreciate some insight into this!
Chada
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
如果您关闭服务上的安全性,您也必须关闭客户端上的安全性。如果您在代码中配置客户端,则必须为 NetTcpBinding 的新实例设置与配置文件中的服务相同的配置。
当使用 Windows 安全性时(
NetTcpBinding的默认设置),MachineB 无法验证来自 MachineA 的本地帐户(有一些重复本地用户的技巧,但我不知道它们是否也适用于 WCF)。这就是您拥有域名的原因。跨域Windows身份验证需要域之间的信任。如果您需要对跨域用户或本地用户进行身份验证,则不能使用 Windows 身份验证。还有其他身份验证机制,但它们需要配置证书(至少在服务上)并使用客户端证书或用户名和密码进行客户端身份验证。
If you turn off security on the service you must turn in off on the client as well. If you configure client in code you must set the same configuration for new instance of
NetTcpBindingas you do on the service in configuration file.When Windows security is used (default for
NetTcpBinding) MachineB cannot authenticate local accounts from MachineA (there were some tricks with duplicate local users but I don't know if they work with WCF as well). That is why you have a domain. Cross domain windows authentication requires trust between domains.If you need to authenticate cross domain users or local users you cannot use Windows authentication. There are other authentication mechanism but they require configuring certificate (at least on the service) and use either client certificate or user name and password for client authentication.