WCF 委派,服务无法访问 SQL Server

【问题标题】:WCF Delegation, Service couldn't access SQL ServerWCF 委派,服务无法访问 SQL Server
【发布时间】:2012-10-28 11:29:41
【问题描述】:

我有以下基础设施:

  • 计算机 #1,Microsoft SQL Server 2008,在系统帐户下启动。有登录Master\MyLogin(带有Windows Authintification),服务器角色=sysadm,数据库角色=db_owner

  • 计算机 #2,IIS 7.0 上的 WCF 服务。应用程序和站点在帐户 Master\IISLogin (IISLogin@myDomain.ru) 下运行

配置:

<configuration>
  <system.web>
    <compilation debug="true" />
  </system.web>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <binding name="CommonWindowsBinding" maxReceivedMessageSize="40000000">
          <security mode="TransportWithMessageCredential">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
    <services>
      <service behaviorConfiguration="CommonBehavior" name="MyNameSpace.AdminService">
        <endpoint address="Windows" binding="netTcpBinding" bindingConfiguration="CommonWindowsBinding" name="IAdminServiceWindows" contract="MyNameSpace.IAdminService">
          <identity>
            <dns value="WCFServer" />
            <userPrincipalName value="IISLogin@myDomain.ru"/>
          </identity>
        </endpoint>
      </service>
    </services>
    <behaviors>
  <serviceBehaviors>
    <behavior name="CommonBehavior">
      <dataContractSerializer maxItemsInObjectGraph="10000000" />
      <serviceMetadata httpGetEnabled="true" policyVersion="Policy15" />
      <serviceDebug includeExceptionDetailInFaults="true" />
      <serviceCredentials>
        <clientCertificate>
          <authentication certificateValidationMode="PeerTrust" />
        </clientCertificate>
        <serviceCertificate findValue="WCFServer" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
        <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="MyClassFullName, MyDllFullName" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>

服务有方法

[OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
public bool HasRole(string roleName)
{
     //work with database
}

它首先使用 EF 5.0 数据库。连接字符串

"Data Source=Computer1; Initial Catalog=myDB; Integrated Security=True; Multipleactiveresultsets=True; Persist Security Info=True;"

  • 3 号计算机,客户端。它具有以下配置

    <configuration>
<system.serviceModel>
  <bindings>
    <netTcpBinding>
        <binding name="CommonWindowsBinding" closeTimeout="00:01:00"
            openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
            transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions"
            hostNameComparisonMode="StrongWildcard" listenBacklog="10"
            maxBufferPoolSize="524288" maxBufferSize="65536" maxConnections="10"
            maxReceivedMessageSize="40000000">
            <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                maxBytesPerRead="4096" maxNameTableCharCount="16384" />
            <reliableSession ordered="true" inactivityTimeout="00:10:00"
                enabled="false" />
          <security mode="TransportWithMessageCredential">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
     </netTcpBinding>
</bindings>
<client>
    <endpoint  name="Megatec.MasterTourService.Contracts.IAdminServiceWindows"
        address="net.tcp://Computer2:5012/IISTest/AdminService.svc/Windows"
        behaviorConfiguration="CustomBehavior"
        binding="netTcpBinding"
        bindingConfiguration="CommonWindowsBinding"
        contract="Megatec.MasterTourService.Contracts.IAdminService">
       <identity>
            <dns value="WCFServer" />
       </identity>
    </endpoint>        
</client>
<behaviors>         
  <behavior name="CustomBehavior">
    <dataContractSerializer maxItemsInObjectGraph="10000000"/>
    <clientCredentials>
      <clientCertificate findValue="WCFClient" x509FindType="FindBySubjectName"
          storeLocation="LocalMachine" storeName="My" />
           <serviceCertificate>
               <defaultCertificate findValue="WCFServer" storeLocation="LocalMachine"
                                   x509FindType="FindBySubjectName" />
               <authentication certificateValidationMode="PeerTrust" 
                               revocationMode="NoCheck"
                               trustedStoreLocation="LocalMachine"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>

频道具有以下凭据

channelFactory.Credentials.Windows.AllowedImpersonationLevel =
    System.Security.Principal.TokenImpersonationLevel.Delegation;
channelFactory.Credentials.Windows.ClientCredential =
    System.Net.CredentialCache.DefaultNetworkCredentials;

数据库错误

用户“NT AUTHORITY\Anonymous”登录失败

因此,WCF 委派存在一些问题。当我尝试使用简单的username/password 身份验证时,它运行良好 - 因此,证书等都很好。

我在this instruction 上执行了第 4 步,但它不起作用。

也许我的代码或配置有问题?我该如何解决?

更新

  1. 尝试过(没有结果)

    [OperationBehavior(Impersonation = ImpersonationOption.Allowed)] => [OperationBehavior(Impersonation = ImpersonationOption.Required)]

  2. 尝试过(没有结果)

  3. 服务端

    ServiceSecurityContext.Current.WindowsIdentity.ImpersonationLevel = 模拟(不是委托!)

  4. 当我尝试将 IIS 池的身份从 ApplicationPoolIdentity 更改为 IISLogin@myDomain.ru 时,计算机 3 上的客户端崩溃了。

【问题讨论】:

    标签: .net sql-server wcf active-directory identity-delegation


    【解决方案1】:

    在您的 computer3 配置中尝试以下操作(代替您当前的 &lt;behaviors&gt;...&lt;/behaviors&gt; 块):

    <behaviors>
  <endpointBehaviors>
    <behavior name="CustomBehavior">
      <clientCredentials>
        <!--<windows allowNtlm="false" allowedImpersonationLevel="Delegation" />-->
        <windows allowNtlm="true" allowedImpersonationLevel="Delegation" />
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>

    编辑您可能还需要在 Computer2 上设置 Active Directory 记录,以允许在“所有类型”(不仅仅是 Kerberos)上将凭据委派给 Computer1

    【讨论】:

    • 据我所知,NTLM 不支持委派。只有 Kerberos 可以。
    • @SirHally 在我的编辑中提到:备注,您需要设置 AD 以允许对“所有类型”进行委派,然后您可以使用 NTML 进行委派,我使用这种确切的方式来允许我的网络服务使用 NTLM 委托给 Exchange
    【解决方案2】:

    很遗憾,Transport/TransportWithMessageCredential 安全模式不支持使用客户端凭据和委派进行此类工作。我通过以下方式更改了CommonWindowsBinding

    服务器

        <binding name="CommonWindowsBinding" maxReceivedMessageSize="40000000">
      <security mode="Message">
        <message clientCredentialType="Windows" />
      </security>
    </binding>

    客户

        <binding name="CommonWindowsBinding" closeTimeout="00:01:00"
        openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
        transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions"
        hostNameComparisonMode="StrongWildcard" listenBacklog="10"
        maxBufferPoolSize="524288" maxBufferSize="65536" maxConnections="10"
        maxReceivedMessageSize="40000000">
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <reliableSession ordered="true" inactivityTimeout="00:10:00"
            enabled="false" />
       <security mode="Message">
        <message clientCredentialType="Windows" />
      </security>
    </binding>

    【讨论】:

      猜你喜欢
      • 2012-06-24
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      相关资源
      最近更新 更多
      热门标签
      Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode