WCF服务未假冒客户端
问题描述:
物流: 1台运行WCF服务的服务器。 1台运行WCF服务数据库的服务器。WCF服务未假冒客户端
问题: 我有一个WCF服务运行在1台服务器上,它连接到一台单独的服务器以获取它需要检索的必要数据。我的问题是,当从客户端机器调用服务时,我得到一个数据库sql错误,指出'用户登录失败'NT AUTHORITY \ ANONYMOUS LOGON'。我相信我已经设置了WCF服务来使用模拟。
WCF服务器配置:
<bindings>
<ws2007HttpBinding>
<binding maxReceivedMessageSize="214748">
<security mode="Message">
<transport clientCredentialType="Windows"
proxyCredentialType="Windows" realm="" />
<message clientCredentialType="Windows" negotiateServiceCredential="true"
algorithmSuite="Default" establishSecurityContext="true" />
</security>
</binding>
</ws2007HttpBinding>
</bindings>
<services>
<service behaviorConfiguration="Host.ServiceBehavior" name="Wcf.MyWebService">
<endpoint address="" behaviorConfiguration=""
binding="ws2007HttpBinding" contract="Wcf.MyWebServiceSoap">
<identity>
<servicePrincipalName value="ServerMachineName" />
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpBinding"
contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="Host.ServiceBehavior">
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceAuthorization impersonateCallerForAllOperations="true" />
</behavior>
</serviceBehaviors>
</behaviors>
WCF服务代码:
public class MySebService: MyWebServiceSoap
{
[OperationBehavior(Impersonation = ImpersonationOption.Required)]
public string TestWebMethod()
{
DbDal dal = CreateDataAccessLayer();
return dal.GetStringFromDatabase();
}
}
客户端配置和代码:
我编程设置如下配置:
public void TestWebMethod()
{
WS2007HttpBinding binding = new WS2007HttpBinding();
EndpointAddress endpoint = new EndpointAddress("uri");
ServiceClient client = new ServiceClient(binding, endpoint);
client.ClientCredentials.Windows.AllowedImpersonationLevel =
TokenImpersonationLevel.Impersonation;
client.ClientCredentials.Windows.AllowNtlm = true;
string result = client.TestWebMethod();
client.Close();
}
答
TokenImpersonationLevel.Impersonation允许服务访问服务本地资源,但不允许服务访问外部资源(例如,另一个服务)。
您必须将允许的模拟级别设置为 TokenImpersonationLevel.Delegation。
client.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;
我以为我曾尝试将其更改为委派,并没有奏效。但我会再次投入一次。服务和客户端的配置项目是否正确? – arc1880 2010-12-07 05:35:02