.NET WCF authorization: service can't access SQL Server
Tags: .net, sql-server, wcf, active-directory, identity-delegation

I have the following infrastructure:

- Computer #1: Microsoft SQL Server 2008, started under the System account. It has a login Master\MyLogin (Windows authentication), server role = sysadmin, database role = db_owner.
- Computer #2: WCF service on IIS 7.0. The application and site run under the account Master\IISLogin (IISLogin@myDomain.ru). Configuration:
<configuration>
<system.web>
<compilation debug="true" />
</system.web>
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="CommonWindowsBinding" maxReceivedMessageSize="40000000">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
</bindings>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<services>
<service behaviorConfiguration="CommonBehavior" name="MyNameSpace.AdminService">
<endpoint address="Windows" binding="netTcpBinding" bindingConfiguration="CommonWindowsBinding" name="IAdminServiceWindows" contract="MyNameSpace.IAdminService">
<identity>
<dns value="WCFServer" />
<userPrincipalName value="IISLogin@myDomain.ru"/>
</identity>
</endpoint>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="CommonBehavior">
<dataContractSerializer maxItemsInObjectGraph="10000000" />
<serviceMetadata httpGetEnabled="true" policyVersion="Policy15" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="PeerTrust" />
</clientCertificate>
<serviceCertificate findValue="WCFServer" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="MyClassFullName, MyDllFullName" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
It uses EF 5.0, database first. Connection string:
"Data Source=Computer1; Initial Catalog=myDB; Integrated Security=True; Multipleactiveresultsets=True; Persist Security Info=True;"
- Computer #3: client. It has the following configuration:

<configuration>
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="CommonWindowsBinding" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions" hostNameComparisonMode="StrongWildcard" listenBacklog="10" maxBufferPoolSize="524288" maxBufferSize="65536" maxConnections="10" maxReceivedMessageSize="40000000">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
</bindings>
<client>
<endpoint name="Megatec.MasterTourService.Contracts.IAdminServiceWindows" address="net.tcp://Computer2:5012/IISTest/AdminService.svc/Windows" behaviorConfiguration="CustomBehavior" binding="netTcpBinding" bindingConfiguration="CommonWindowsBinding" contract="Megatec.MasterTourService.Contracts.IAdminService">
<identity>
<dns value="WCFServer" />
</identity>
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="CustomBehavior">
<dataContractSerializer maxItemsInObjectGraph="10000000"/>
<clientCredentials>
<clientCertificate findValue="WCFClient" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
<serviceCertificate>
<defaultCertificate findValue="WCFServer" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
<authentication certificateValidationMode="PeerTrust" revocationMode="NoCheck" trustedStoreLocation="LocalMachine"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
</configuration>

It fails with the DB error:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'

So there is some problem with WCF authorization. When I try simple username/password authentication it works fine, so the certificates etc. are all right. I did the 4th step, but it does not work. Maybe there is something wrong in my code or configuration? How can I fix it?

UPDATE
- Tried (no result): [OperationBehavior(Impersonation = ImpersonationOption.Allowed)] => [OperationBehavior(Impersonation = ImpersonationOption.Required)]
- On the service side: ServiceSecurityContext.Current.WindowsIdentity.ImpersonationLevel = Impersonation (not Delegation!)
- When I tried to change the IIS pool identity from ApplicationPoolIdentity to IISLogin@myDomain.ru, the client on Computer #3 crashed.
In the Computer #3 configuration, try the following (in place of the current

…

block):

EDIT: You may also need to set up an Active Directory record on Computer2 to allow delegation of credentials to Computer1 for "all types" (not just Kerberos).
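The Active Directory part of the answer above, worked through as an added example. This is my script, not the answerer's and not from the original post. It assumes the RSAT ActiveDirectory module, rights to edit the IISLogin account, a default SQL instance on port 1433 at the assumed FQDN Computer1.myDomain.ru, the caller MyLogin and a client config path; all of those are assumptions. It configures constrained delegation to the SQL SPN only, reads the answer's "all types" as the "Use any authentication protocol" option (my interpretation), and adds the checks I would run before blaming WCF: SPN registration, the caller's "cannot be delegated" flag, the client's allowedImpersonationLevel, and what SQL Server actually sees on the second hop.

```powershell
# Added example, not part of the question or either answer. Assumes RSAT's
# ActiveDirectory module, rights to edit the IISLogin account, and the names
# below (FQDN, port, caller and config path are assumptions, not from the post).
Import-Module ActiveDirectory

$ServiceAccount = 'IISLogin'                 # IIS pool identity on Computer2 (from the question)
$SqlHost        = 'Computer1.myDomain.ru'    # assumed FQDN of Computer #1
$SqlSpn         = "MSSQLSvc/${SqlHost}:1433" # assumed default instance on 1433

# userAccountControl bits (documented ADS_USER_FLAG values).
$UF_TRUSTED_FOR_DELEGATION         = 0x80000   # unconstrained: avoid for an IIS identity
$UF_NOT_DELEGATED                  = 0x100000  # "Account is sensitive and cannot be delegated"
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000 # "Use any authentication protocol"

function Set-ConstrainedDelegation {
    param([string]$Account, [string[]]$TargetSpn)
    # Limit which services the IIS identity may present callers to: only MSSQLSvc on Computer1.
    Set-ADUser -Identity $Account -Replace @{ 'msDS-AllowedToDelegateTo' = $TargetSpn }
    # Protocol transition ("Use any authentication protocol"): the Computer2 -> SQL hop can be
    # Kerberos even if the client -> Computer2 leg arrived as NTLM. This is how I read the
    # answer's "all types".
    Set-ADAccountControl -Identity $Account -TrustedToAuthForDelegation $true
    # Keep unconstrained delegation off: with it, whoever controls Computer2 can reuse every
    # caller's identity against any service in the forest, not just this SQL instance.
    Set-ADAccountControl -Identity $Account -TrustedForDelegation $false
}

function Test-DelegationPrerequisites {
    param([string]$Account, [string]$SqlHost, [string]$Caller)
    $svc  = Get-ADUser -Identity $Account -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
    $user = Get-ADUser -Identity $Caller  -Properties userAccountControl, memberOf
    $uac  = [int]$svc.userAccountControl
    # The SQL SPN must exist exactly once; SQL runs as LocalSystem, so it belongs on Computer1$.
    # A duplicate or missing SPN silently downgrades the second hop to NTLM.
    $spnOwners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=MSSQLSvc/$SqlHost*)")
    [pscustomobject]@{
        SqlSpnRegisteredOnce    = ($spnOwners.Count -eq 1)
        SqlSpnOnComputerAccount = ($spnOwners.Count -eq 1 -and $spnOwners[0].ObjectClass -eq 'computer')
        ConstrainedToSql        = [bool]($svc.'msDS-AllowedToDelegateTo' -match "^MSSQLSvc/$SqlHost")
        ProtocolTransition      = (($uac -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0)
        UnconstrainedOff        = (($uac -band $UF_TRUSTED_FOR_DELEGATION) -eq 0)
        # A caller flagged "sensitive" (or in Protected Users on 2012 R2+ domains) can never
        # be delegated, whatever the service account is allowed to do.
        CallerDelegable         = ((([int]$user.userAccountControl) -band $UF_NOT_DELEGATED) -eq 0) -and
                                  -not ($user.memberOf -match '^CN=Protected Users,')
    }
}

function Test-ClientAllowsDelegation {
    param([string]$ConfigPath)
    # The service only receives a Delegation-level token if the client permits it with
    # <clientCredentials><windows allowedImpersonationLevel="Delegation"/>. Anything lower
    # leaves ServiceSecurityContext.Current.WindowsIdentity.ImpersonationLevel below
    # Delegation, and the hop to SQL shows up as NT AUTHORITY\ANONYMOUS LOGON.
    [xml]$cfg = Get-Content -Path $ConfigPath -Raw
    $levels = @($cfg.SelectNodes('//clientCredentials/windows/@allowedImpersonationLevel') |
                ForEach-Object { $_.Value })
    return ($levels -contains 'Delegation')
}

function Get-SqlAuthScheme {
    param([string]$Server, [string]$Database)
    # Run on Computer2 in the context that makes the hop (inside the impersonated WCF
    # operation, or interactively as IISLogin). If delegation is not working, Open() throws
    # the same "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" as in the question;
    # on success, AuthScheme shows whether SQL saw KERBEROS or NTLM for this session.
    $conn = New-Object System.Data.SqlClient.SqlConnection `
        ("Data Source=$Server;Initial Catalog=$Database;Integrated Security=True")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT SUSER_SNAME() AS login_name, auth_scheme ' +
                           'FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        $rdr = $cmd.ExecuteReader()
        if ($rdr.Read()) {
            [pscustomobject]@{ Login = $rdr['login_name']; AuthScheme = $rdr['auth_scheme'] }
        }
    } finally {
        $conn.Dispose()
    }
}

# Usage (assumed names):
# Set-ConstrainedDelegation   -Account $ServiceAccount -TargetSpn $SqlSpn
# Test-DelegationPrerequisites -Account $ServiceAccount -SqlHost $SqlHost -Caller 'MyLogin'
# Test-ClientAllowsDelegation  -ConfigPath 'C:\Client\App.config'
# Get-SqlAuthScheme            -Server 'Computer1' -Database 'myDB'
```

Ticking "Trust this user for delegation to any service" (the TrustedForDelegation bit) would also make the error go away, but it turns Computer2 into a credential relay for the whole forest; a target list limited to MSSQLSvc/Computer1 is the setting to prefer, and Test-DelegationPrerequisites reports UnconstrainedOff so the broader flag does not creep back in.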
Unfortunately, the Transport/TransportWithMessageCredential security modes do not support this kind of work with client credentials and delegation. I changed CommonWindowsBinding in the following way:

Server:
<binding name="CommonWindowsBinding" maxReceivedMessageSize="40000000">
<security mode="Message">
<message clientCredentialType="Windows" />
</security>
</binding>
Client:
<binding name="CommonWindowsBinding" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions"
hostNameComparisonMode="StrongWildcard" listenBacklog="10"
maxBufferPoolSize="524288" maxBufferSize="65536" maxConnections="10"
maxReceivedMessageSize="40000000">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<message clientCredentialType="Windows" />
</security>
</binding>
NTLM does not support delegation, as far as I know. Only Kerberos does.

@SirHally As mentioned in my EDIT remark, you need to set up AD to allow delegation for "all types"; then you can use NTLM for delegation. I use this exact method to let my web service delegate to Exchange over NTLM.