IIS7 上 WCF 服务上的 wsHttpBinding 仅使用 Windows 身份验证
在 IIS7 上拥有托管 WCF 服务 .net 3.5sp1,并使用运行应用程序池的域帐户。我想要关闭 Windows 身份验证、wsHttpBinding 和匿名。删除了 mex 端点,设置了消息安全性,但仍然得到:
此服务的安全设置需要“匿名”身份验证,但没有为托管此服务的 IIS 应用程序启用它。
我已经尝试了大约 50 种不同的方法web.config 配置,但没有什么乐趣。
当前的 web.config:
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="PressReleaseService.PRBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="PressReleaseService.PRBehavior" name="PressReleaseService.PR">
<endpoint address="" binding="wsHttpBinding" contract="PressReleaseService.IPR">
<identity>
<dns value="localhost"/>
</identity>
</endpoint>
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IPR" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false"
transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<message clientCredentialType="Windows" negotiateServiceCredential="false"
algorithmSuite="Default" establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
</system.serviceModel>
此外,还有另一个服务在同一应用程序池下运行,其中包含 mex,具有用于主端点的 wsHTTPBinding,并且仅在 IIS 中启用了 Windows 身份验证。
有什么线索吗?
Have a hosted WCF service, .net 3.5sp1 on IIS7, with a domain account running the application pool. I want windows authentication, wsHttpBinding, and anonymous turned off. Removed the mex endpoint, set message security, but still getting:
Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.
I have tried about 50 different web.config configurations, but no joy.
Current web.config:
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="PressReleaseService.PRBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="PressReleaseService.PRBehavior" name="PressReleaseService.PR">
<endpoint address="" binding="wsHttpBinding" contract="PressReleaseService.IPR">
<identity>
<dns value="localhost"/>
</identity>
</endpoint>
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IPR" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false"
transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<message clientCredentialType="Windows" negotiateServiceCredential="false"
algorithmSuite="Default" establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
</system.serviceModel>
Additionally, there is another service running under the same application pool, it has mex in it, has wsHTTPBinding for the primary endpoint, and it ONLY has windows authentication enabled in IIS.
Any clues?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
IIS7 中的解决方案:
web.config 文件中的以下行:
要求对 .svc 文件进行匿名访问以进行 http 访问。要授予此权限,请打开 IIS 管理器并禁用匿名身份验证并在应用程序顶部启用 Windows 身份验证。然后,进入“内容视图”选项卡并右键单击您的 .svc 文件。选择“切换到功能视图”。这将导致 .svc 文件被添加到左侧的目录树中。从那里,您可以转到 IIS 下的“身份验证”并将匿名身份验证设置为启用。现在您可以匿名访问 mex 端点(我将其添加回来),但在其他地方都可以进行 Windows 身份验证。其结果是 c:\Windows\System32\inetsrv\config\applicationHost.config 文件发生如下更改:
The solution in IIS7:
The following line in the web.config file:
requires that anonymous access be given to the .svc file for http access. To grant this, open IIS Manager and disable Anonymous authentication and enable Windows authentication at the top of your application. Then, go into the 'Content View' tab and right click on your .svc file. Select 'Switch to Features View'. This will cause the .svc file to be added to the directory tree on the left. From there, you can go to 'Authentication' under IIS and set Anonymous Authentication to enabled. Now you have Anonymous access to the mex endpoint (I added it back in), but have windows authentication everywhere else. The result of this is a change in the c:\Windows\System32\inetsrv\config\applicationHost.config file that looks like this:
您必须使用传输安全将身份验证委托给 IIS,并使用您在 IIS 中配置的设置。在本例中为 Windows 身份验证。
<安全模式=“传输”>
<传输 clientCredentialType ="Windows"/>
使用 clientCredentialType 进行消息身份验证意味着您希望使用 kerberos 实现消息安全,因此在 IIS 上只应启用匿名。
You have to use Transport Security to delegate authentication to IIS and use the settings you configured in your IIS. Windows Authentication in this case.
<security mode="Transport">
<transport clientCredentialType ="Windows"/>
</security>
Message authentication with clientCredentialType means that you want to message security with kerberos so only anonymous should be enabled on IIS.