0

我似乎无法根据调用我的 WCF 服务的用户的凭据来授权服务合同操作。

服务网络配置

<system.serviceModel>
<services>
  <service name="WCFService.Service" behaviorConfiguration="DefaultServiceBehavior">
    <host>
      <baseAddresses>
        <add baseAddress="net.tcp://localhost:8080/WCFService"/>
      </baseAddresses>
    </host>                
    <!-- Net.Tcp EndPoints-->
    <endpoint address=""
              binding="netTcpBinding"
              contract="WCFService.IService"
              bindingConfiguration="NetTcp_Secured"/>
    <endpoint address="mex"
                binding="mexTcpBinding"
                contract="IMetadataExchange" />
  </service>
</services>
<bindings>
  <netTcpBinding>
      <binding name="NetTcp_Secured">
      <security mode="Transport">
        <message clientCredentialType="Windows" />
        <transport clientCredentialType="Windows"  protectionLevel="EncryptAndSign" />            
      </security>
    </binding>        
  </netTcpBinding>
</bindings>        
<behaviors>
  <serviceBehaviors>
    <behavior name="DefaultServiceBehavior">
      <serviceMetadata httpGetEnabled="false" />
    </behavior>
  </serviceBehaviors>
</behaviors>
</system.serviceModel>

客户端 Web.Config

<system.serviceModel>
<behaviors>
  <endpointBehaviors>
    <behavior name="DefaultClientBehavior">
      <clientCredentials>
        <windows allowNtlm="true"
                 allowedImpersonationLevel="Delegation" />
        <httpDigest impersonationLevel="Impersonation"/>            
      </clientCredentials>
    </behavior>        
  </endpointBehaviors>      
</behaviors>    
<bindings>
  <netTcpBinding>
    <binding name="NetTcpBinding">                   
      <security mode="Transport">
        <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
        <message clientCredentialType="Windows"/>
      </security>         
    </binding>
  </netTcpBinding>
</bindings>    
<client>
  <endpoint 
    address="net.tcp://localhost:8080/WCFService/Service.svc"
    binding="netTcpBinding" 
    bindingConfiguration="NetTcpBinding"
    behaviorConfiguration="DefaultClientBehavior"        
    contract="TestWcfService.IService" 
    name="NetTcpBinding_IService">       
  </endpoint>
</client>           
</system.serviceModel>

服务代码...

[OperationBehavior(Impersonation = ImpersonationOption.Required)]
public string GetCurrentPrinciple()
{
    return "Windows Identity: " + WindowsIdentity.GetCurrent().Name + " \\ " +
        "Thread Identity: " + System.Threading.Thread.CurrentPrincipal.Identity.Name;
}

我相信这就是这个属性导致安全异常的原因......

[PrincipalPermission(SecurityAction.Demand, Name = @"DOMAIN_NAME\User")]

该方法可以在服务中很好地调用,这让我认为安全设置没问题。但是,在服务中运行的上述代码始终返回 App Pool 身份的名称,而不是调用该服务的用户的身份。

在断点的服务的即时窗口中执行以下操作会给出以下...

? WindowsIdentity.GetCurrent()
{System.Security.Principal.WindowsIdentity}
    AuthenticationType: "Negotiate"
    Groups: {System.Security.Principal.IdentityReferenceCollection}
    ImpersonationLevel: Impersonation
    IsAnonymous: false
    IsAuthenticated: true
    IsGuest: false
    IsSystem: false
    Name: "IIS APPPOOL\\DefaultAppPool"
    Owner: {S-1-5-SAME-AS-BELOW-}
    Token: 2300
    User: {S-1-5-SAME-AS-ABOVE-}

所以我通过了身份验证 - 我只是没有来电者姓名!

服务和客户端都设置为 Windows 身份验证。如果我在客户端这样做......

protected void Page_Load(object sender, EventArgs e)
{
    lblCurrentUser.Text =
        "Current Website User: " + HttpContext.Current.User.Identity.Name;
}

...它返回正确的域和用户名,因此我知道客户端已通过浏览器正确确定了我的 Windows 凭据。

我只是不确定我在这里缺少什么,为什么服务不报告客户端凭据。

4

1 回答 1

0

您可能需要在客户端级别设置 AllowedImpersonationLevel。看看这些文章 - http://msdn.microsoft.com/en-us/library/ms731090.aspx http://blogs.msdn.com/b/asiatech/archive/2009/08/28/how-to -mpersonate-or-delegate-a-client-in-wcf.aspx

于 2013-08-01T12:38:19.530 回答