2

我有一个带有 netTcpBinding 绑定的自托管 WCF 服务。我的服务器和客户端都在同一个域中,所以我想使用 Windows 身份验证,但我也希望客户端验证服务器凭据(以避免内部中间人/dns 篡改攻击)。我读过这样做的方法是使用 SPN,但我似乎无法让它发挥作用;无论 spn 设置为客户端工作(即服务器和客户端不匹配,但客户端仍然连接)。显然我有某种配置错误,但我不确定在哪里。这是服务器的服务配置:

<system.serviceModel>
<services>
  <service name="AaaAuthService.AaaAuthService" behaviorConfiguration="AaaAuthServiceBehavior">
    <endpoint address="" binding="netTcpBinding" bindingConfiguration="NetTcpBinding_IAaaAuth" contract="AAA.IAaaAuthService">
      <!--
      <identity>            
        <servicePrincipalName value="AaaShlkjhlkjjjjhhhhjjpn/justink-pc.sgasdf1.allamericanasphaltasdf.casdfom"/>
      </identity>
      -->
    </endpoint>
    <host>
      <baseAddresses>
        <add baseAddress="net.tcp://localhost:9000/IAaaAuthService"/>
      </baseAddresses>
    </host>
    </service>
</services>
<behaviors>
  <serviceBehaviors>
    <behavior name="AaaAuthServiceBehavior">
      <serviceThrottling maxConcurrentCalls="2147483647" maxConcurrentInstances="2147483647" maxConcurrentSessions="2147483647"/>
      <serviceDebug includeExceptionDetailInFaults="true"/>
    </behavior>
  </serviceBehaviors>
</behaviors>
<bindings>
  <netTcpBinding>
    <binding name="NetTcpBinding_IAaaAuth" closeTimeout="00:00:20" openTimeout="00:00:10" receiveTimeout="00:00:10" sendTimeout="00:00:10" hostNameComparisonMode="StrongWildcard" maxConnections="2147483647">
      <security mode="Transport">
        <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign"/>
        <message clientCredentialType="Windows"/>
      </security>
    </binding>
  </netTcpBinding>
</bindings>

Windows 凭据似乎确实传入了 - OperationContext.Current.ServerSecurityContext.WindowsIdentity 填充了帐户信息。

我在这里想念什么?

4

0 回答 0