
Given that I have a WCF service that uses Windows authentication, and I want to impersonate the caller and call another WCF service, like this:

using (ServiceSecurityContext.Current.WindowsIdentity.Impersonate())
{
    // call another WCF service
}

I have set up all the configuration settings and it works fine, as long as on the client side they include the following line:

client.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;

However, how can I verify whether the user's token has delegation rights before attempting the call? I.e. has the client, which I have no control over, set AllowedImpersonationLevel?

If they haven't set it, all kinds of strange exceptions get thrown (like "unable to load assembly X", etc.).

Ideally I would like to be able to do something like the following:

using (ServiceSecurityContext.Current.WindowsIdentity.Impersonate())
{
    if (UserDoesntHaveDelegationRights())
        throw new SecurityException("No delegation rights");

    // call another WCF service
}

Note that WindowsIdentity.GetCurrent().ImpersonationLevel is always equal to TokenImpersonationLevel.Impersonation, so unfortunately that is not an option.

2 Answers

The definitions here can be a bit confusing. In terms of impersonation level, a Windows identity can be:

  • Impersonated - the service can impersonate the user locally
  • Delegated - the service can impersonate the user remotely

The ability to delegate is so powerful that it is highly restricted in Active Directory:

  1. The client must allow delegation
  2. The service account performing the delegation must be marked as "Trusted for delegation" in Active Directory.

Here is how to enable an account for delegation. It requires an Active Directory domain administrator to make the change. Every corporate environment I have worked in has had a policy of not allowing delegation.

Back to your question:

So while TokenImpersonationLevel.Delegation exists, it's considered a security risk and rarely (if ever) used. TokenImpersonationLevel.Impersonation is the highest level that you will probably ever get.

TokenImpersonationLevel.Impersonation is useful. You can still connect to a database or make a remote service call as the impersonated user. But a remote service (not on the same box) can't impersonate the user a second time. The basic rule of thumb is "impersonation enables two machine hops". If the user's credentials have to "hop" farther, it will fail.

If you need to pass a user's credentials between many servers the best choice is a federated security model such as Windows Identity Foundation (WIF). See Identity Management in Active Directory.

answered 2013-03-15T15:52:09.897

What about

if (WindowsIdentity.GetCurrent().ImpersonationLevel != TokenImpersonationLevel.Delegation) ...
answered 2013-03-13T15:49:46.257
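As an added example (not code from the question or from either answer), here is one way to turn the obscure downstream failures the question describes into an explicit, early check. It inspects the caller's token through ServiceSecurityContext.Current.WindowsIdentity before impersonating, rather than WindowsIdentity.GetCurrent() inside the impersonation block as the second answer suggests. The assumption, also noted in the code, is that this identity's ImpersonationLevel reflects the level the client negotiated: Impersonation unless the client set AllowedImpersonationLevel = Delegation and the service account is trusted for delegation, as the first answer explains. IFrontEndService, IDownstreamService and DownstreamClient are hypothetical names.

```csharp
using System;
using System.Security;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical contract for the downstream service (the "second hop").
[ServiceContract]
public interface IDownstreamService
{
    [OperationContract]
    string DoWork();
}

// Hypothetical generated-style proxy; endpoint comes from the client config section.
public class DownstreamClient : ClientBase<IDownstreamService>, IDownstreamService
{
    public string DoWork()
    {
        return Channel.DoWork();
    }
}

// Hypothetical front-end contract that callers hit with Windows authentication.
[ServiceContract]
public interface IFrontEndService
{
    [OperationContract]
    string DoWork();
}

public class FrontEndService : IFrontEndService
{
    public string DoWork()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;

        // Assumption: the WindowsIdentity WCF builds from the caller's SSPI token
        // carries the impersonation level the client negotiated. It stays at
        // Impersonation unless the client set
        //   client.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;
        // and the service account is marked "Trusted for delegation" in AD.
        if (caller.ImpersonationLevel < TokenImpersonationLevel.Delegation)
        {
            // Fail fast with a clear reason instead of letting the remote call
            // surface as an assembly-load or authentication error later.
            throw new SecurityException(string.Format(
                "Caller '{0}' presented a {1} token; Delegation is required to call " +
                "the downstream service on the caller's behalf.",
                caller.Name, caller.ImpersonationLevel));
        }

        // Only now impersonate and make the second hop as the caller.
        using (caller.Impersonate())
        {
            DownstreamClient downstream = new DownstreamClient();
            try
            {
                string result = downstream.DoWork();
                downstream.Close();
                return result;
            }
            catch (CommunicationException)
            {
                // A faulted proxy must be aborted, not closed.
                downstream.Abort();
                throw;
            }
            catch (TimeoutException)
            {
                downstream.Abort();
                throw;
            }
        }
    }
}
```

The check rejects any caller whose token is below Delegation, which, as the first answer notes, is almost everyone in a typical domain; the point is that the rejection is a deliberate SecurityException carrying the caller's name and level, which is straightforward to log and diagnose, rather than an unrelated failure deep inside the second hop.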