1

我有以下基础设施:

  • 计算机 #1,Microsoft SQL Server 2008,在系统帐户下启动。有登录Master\MyLogin(使用 Windows Authintification),服务器角色 = sysadm,数据库角色 = db_owner

  • 计算机#2,IIS 7.0 上的 WCF 服务。应用程序和站点在帐户下运行Master\IISLogin(IISLogin@myDomain.ru)

配置:

<configuration>
  <system.web>
    <compilation debug="true" />
  </system.web>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <binding name="CommonWindowsBinding" maxReceivedMessageSize="40000000">
          <security mode="TransportWithMessageCredential">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
    <services>
      <service behaviorConfiguration="CommonBehavior" name="MyNameSpace.AdminService">
        <endpoint address="Windows" binding="netTcpBinding" bindingConfiguration="CommonWindowsBinding" name="IAdminServiceWindows" contract="MyNameSpace.IAdminService">
          <identity>
            <dns value="WCFServer" />
            <userPrincipalName value="IISLogin@myDomain.ru"/>
          </identity>
        </endpoint>
      </service>
    </services>
    <behaviors>
  <serviceBehaviors>
    <behavior name="CommonBehavior">
      <dataContractSerializer maxItemsInObjectGraph="10000000" />
      <serviceMetadata httpGetEnabled="true" policyVersion="Policy15" />
      <serviceDebug includeExceptionDetailInFaults="true" />
      <serviceCredentials>
        <clientCertificate>
          <authentication certificateValidationMode="PeerTrust" />
        </clientCertificate>
        <serviceCertificate findValue="WCFServer" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
        <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="MyClassFullName, MyDllFullName" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>

服务有方法

[OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
public bool HasRole(string roleName)
{
     //work with database
}

它首先使用 EF 5.0 数据库。连接字符串

"Data Source=Computer1; Initial Catalog=myDB; Integrated Security=True; Multipleactiveresultsets=True; Persist Security Info=True;"

  • 3 号计算机,客户端。它具有以下配置

    <configuration>
<system.serviceModel>
  <bindings>
    <netTcpBinding>
        <binding name="CommonWindowsBinding" closeTimeout="00:01:00"
            openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
            transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions"
            hostNameComparisonMode="StrongWildcard" listenBacklog="10"
            maxBufferPoolSize="524288" maxBufferSize="65536" maxConnections="10"
            maxReceivedMessageSize="40000000">
            <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                maxBytesPerRead="4096" maxNameTableCharCount="16384" />
            <reliableSession ordered="true" inactivityTimeout="00:10:00"
                enabled="false" />
          <security mode="TransportWithMessageCredential">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
     </netTcpBinding>
</bindings>
<client>
    <endpoint  name="Megatec.MasterTourService.Contracts.IAdminServiceWindows"
        address="net.tcp://Computer2:5012/IISTest/AdminService.svc/Windows"
        behaviorConfiguration="CustomBehavior"
        binding="netTcpBinding"
        bindingConfiguration="CommonWindowsBinding"
        contract="Megatec.MasterTourService.Contracts.IAdminService">
       <identity>
            <dns value="WCFServer" />
       </identity>
    </endpoint>        
</client>
<behaviors>         
  <behavior name="CustomBehavior">
    <dataContractSerializer maxItemsInObjectGraph="10000000"/>
    <clientCredentials>
      <clientCertificate findValue="WCFClient" x509FindType="FindBySubjectName"
          storeLocation="LocalMachine" storeName="My" />
           <serviceCertificate>
               <defaultCertificate findValue="WCFServer" storeLocation="LocalMachine"
                                   x509FindType="FindBySubjectName" />
               <authentication certificateValidationMode="PeerTrust" 
                               revocationMode="NoCheck"
                               trustedStoreLocation="LocalMachine"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>

频道具有以下凭据

channelFactory.Credentials.Windows.AllowedImpersonationLevel =
    System.Security.Principal.TokenImpersonationLevel.Delegation;
channelFactory.Credentials.Windows.ClientCredential =
    System.Net.CredentialCache.DefaultNetworkCredentials;

它与数据库错误有关

用户“NT AUTHORITY\Anonymous”登录失败

因此,WCF 委托存在一些问题。当我尝试使用简单的username/password身份验证时,它工作得很好——所以,证书等等都很好。

我在此指令上执行了第 4 步,但它不起作用。

也许我的代码或配置有问题?我该如何解决?

更新

  1. 试过(没有结果)

    [OperationBehavior(Impersonation = ImpersonationOption.Allowed)] => [OperationBehavior(Impersonation = ImpersonationOption.Required)]

  2. 试过(没有结果)

  3. 在服务方面

    ServiceSecurityContext.Current.WindowsIdentity.ImpersonationLevel = 模拟(不是委托!)

  4. 当我尝试将 IIS 池的标识从 ApplicationPoolIdentity 更改为 IISLogin@myDomain.ru 时,计算机 3 上的客户端崩溃了。

4

2 回答 2

1

在您的 computer3 配置中尝试以下操作(代替您当前的<behaviors>...</behaviors>块):

<behaviors>
  <endpointBehaviors>
    <behavior name="CustomBehavior">
      <clientCredentials>
        <!--<windows allowNtlm="false" allowedImpersonationLevel="Delegation" />-->
        <windows allowNtlm="true" allowedImpersonationLevel="Delegation" />
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>

编辑您可能还需要在 Computer2 上设置 Active Directory 记录,以允许在“所有类型”(不仅仅是 Kerberos)上将凭据委派给 Computer1

于 2012-10-29T12:09:07.500 回答
0

不幸的是,Transport/TransportWithMessageCredential 安全模式不支持使用客户端凭据和委派进行此类工作。我已经改变CommonWindowsBinding了以下方式

服务器

    <binding name="CommonWindowsBinding" maxReceivedMessageSize="40000000">
      <security mode="Message">
        <message clientCredentialType="Windows" />
      </security>
    </binding>

客户

    <binding name="CommonWindowsBinding" closeTimeout="00:01:00"
        openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
        transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions"
        hostNameComparisonMode="StrongWildcard" listenBacklog="10"
        maxBufferPoolSize="524288" maxBufferSize="65536" maxConnections="10"
        maxReceivedMessageSize="40000000">
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <reliableSession ordered="true" inactivityTimeout="00:10:00"
            enabled="false" />
       <security mode="Message">
        <message clientCredentialType="Windows" />
      </security>
    </binding>
于 2012-10-30T13:20:05.490 回答