WCF Service using WindowsIdentity? Directory Access Permissions

Posted on 2024-12-08 15:34:13


I have a WCF Service that is using Impersonation. I have verified that the correct Identity is being used through the following method that I added to my service for purposes of debugging.

    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public AuthUser GetUser()
    {
        AuthUser user = new AuthUser();
        user.UserName = WindowsIdentity.GetCurrent().Name;
        return user;
    }

Without specifying the [OperationBehavior] I receive NT AUTHORITY\NETWORK SERVICE, as I'd expect. With the attribute I see the user returned that I expect, DOMAIN\DOMAINUSER.
The service is currently still returning an error that it does not have access to perform file operations in the following line:

    FileStream fs = new FileStream(filename, FileMode.Create, FileAccess.Write);

I have verified that the directory has Full Access for the domain user through checking the Active Directory groups and memberships.

I have defined <identity impersonate="true" /> in the web.config of the service and have defined this in the client-side code:

        client.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;

If relevant, this is my service-side binding:

        <wsHttpBinding>
            <binding name="default" maxReceivedMessageSize="200000">
                <security mode="Message">
                    <message clientCredentialType="Windows" />
                </security>
            </binding>
        </wsHttpBinding>

Anonymous access is enabled in IIS as I'm letting WCF handle the authentication.


烟织青萝梦 2024-12-15 15:34:13


Since the file you are trying to create is on a network share, the impersonation is trying to make two network hops: once from the client to the WCF service, and the next from the WCF service to the network share. By default this is not allowed by impersonation. It's a policy that has to be changed in the Active Directory. Try writing to a location on the local file system where the WCF service is and it should work.

Here is a link to the MSDN details: http://msdn.microsoft.com/en-us/library/ff649252.aspx, and this post may help you: Impersonation and Delegation in ASP.NET.
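As an added illustration of the double-hop point in the answer above (this is example code, not from the question or the answer), the diagnostic below extends the asker's GetUser method to report the level of the impersonation token and whether a second hop to a network share is even possible, and guards the file write so the failure is explicit instead of a generic access-denied error. The extra AuthUser fields, the WriteFile operation and the DiagnosticService class are assumed names for this example.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;

public class AuthUser
{
    public string UserName;
    public string AuthenticationType;   // "Kerberos" vs "NTLM": only Kerberos can delegate
    public string ImpersonationLevel;   // Impersonation (this machine only) vs Delegation
    public bool CanReachSecondHop;      // true only when the token can cross to another host
}

public class DiagnosticService
{
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public AuthUser GetUser()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();   // the impersonated caller
        AuthUser user = new AuthUser();
        user.UserName = id.Name;
        user.AuthenticationType = id.AuthenticationType;
        user.ImpersonationLevel = id.ImpersonationLevel.ToString();
        // An Impersonation-level token is valid on this server only. Reaching a share on
        // another host needs a Delegation-level Kerberos token, which requires delegation
        // to be configured for the service account in Active Directory.
        user.CanReachSecondHop =
            id.ImpersonationLevel == TokenImpersonationLevel.Delegation
            && string.Equals(id.AuthenticationType, "Kerberos", StringComparison.OrdinalIgnoreCase);
        return user;
    }

    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public void WriteFile(string filename, byte[] content)
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        bool isUnc = new Uri(Path.GetFullPath(filename)).IsUnc;   // \\server\share\... ?
        if (isUnc && id.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            // Fail with a message that names the real cause rather than a bare access-denied.
            throw new FaultException(
                "Writing to a network share under impersonation needs a delegation-level token; " +
                "current level is " + id.ImpersonationLevel + ".");
        }
        using (FileStream fs = new FileStream(filename, FileMode.Create, FileAccess.Write))
        {
            fs.Write(content, 0, content.Length);
        }
    }
}
```

The code only makes the condition visible; the fix itself is the Active Directory delegation change the answer describes, after which GetUser should report Delegation rather than Impersonation.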
