I'm trying to set up WCF Delegation, without success (the scenario is Client > Frontend Server > Backend Server).
In theory, this should be straightforward using Kerberos (I do have a Windows Domain), but in practice I'm running into weird errors with things like SSPI or even basic message security.
I found countless shallow resources, and forum posts where people had problems and were essentially just guessing solutions through trial and error. I looked at the Table of Contents of some so-called "Pro" and "Expert" WCF Books, but Delegation seems to be something no one wants to cover (in fact, there is a typo in one of the Exceptions that .NET throws that makes me feel not even Microsoft really bothers with it).
Anyway, is there any resource where someone that actually has a clue and the confidence to explain the whole process A-Z, using a methodological approach with actual explanations and not just meaningless code blocks that don't work and are never explained?
2 answers
#1
1
This is more a Kerberos problem than a WCF problem.
The basic idea is that the client makes a request under a security context to the frontend server, then this security context is sent on to the backend server.
This cannot just be fixed in code. The computer that forwards the Kerberos token must be trusted to do that. The account that the code is running under must also be trusted to forward the security token.
For general Kerberos: http://support.microsoft.com/kb/907272
This is Kerberos for SharePoint, but there is a lot in common: http://blogs.msdn.com/b/martinkearn/archive/2007/04/23/configuring-kerberos-for-sharepoint-2007-part-1-base-configuration-for-sharepoint.aspx
#2
1
The WCF code for this is actually fairly straightforward. Getting your service account configured and Kerberos behaving can be quite hard.
The reason why you are having such a hard time finding examples is because very few people actually do it. The process that does the delegating must be running under an account that is "trusted for delegation" in Active Directory (on the domain controller). This ability is so powerful that many IT departments have an explicit policy against it.
There is a concept of "constrained delegation" that defines which resources can be accessed, but again this is defined in Active Directory and not your code. Before you continue your coding I suggest making sure you have the ability to make the needed changes to Active Directory. Enabling an account for delegation is a battle I lost at more than one company.
For references I suggest:
- WCF Security Guide on Codeplex
- How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0
Yes, both of these references are a little old, but they both apply. All of the constrained delegation steps listed in the "How To" are for Active Directory and not tied to ASP.
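An added example (not code from the question or from either answer) of the WCF side of the Client > Frontend > Backend hop that both answers describe, with a runtime check that surfaces the Active Directory problem instead of an opaque SSPI error: if the frontend did not receive a Delegation-level token, it fails before touching the backend. The contract names, host names and the backend SPN are assumptions; the delegation trust itself must still be granted in Active Directory by a domain administrator.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract] public interface IBackend { [OperationContract] string WhoAmI(); }
[ServiceContract] public interface IFrontend { [OperationContract] string WhoDoesBackendSee(); }

public class Frontend : IFrontend
{
    // Required: the operation runs under the caller's identity, not the service account's.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoDoesBackendSee()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        // Forwarding needs a Delegation-level token: the client must allow it (Client below)
        // and the frontend's account/machine must be trusted for (constrained) delegation in AD.
        // With a lesser level the backend does not see the caller's identity at all,
        // so fail early with a message that points at the real cause.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new FaultException(
                $"Token for {caller.Name} is {caller.ImpersonationLevel}, not Delegation: " +
                "check this service account's delegation settings in Active Directory.");

        // Windows credentials over message security. NegotiateServiceCredential = false forces
        // Kerberos; SPNEGO may silently fall back to NTLM, which cannot delegate at all.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.NegotiateServiceCredential = false;
        // Address and SPN are assumptions; the SPN must be registered on the backend's
        // account in AD (and be a constrained-delegation target of the frontend's account).
        var backendEp = new EndpointAddress(new Uri("http://backend.corp.example/backend"),
            EndpointIdentity.CreateSpnIdentity("HTTP/backend.corp.example"));
        var factory = new ChannelFactory<IBackend>(binding, backendEp);
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;
        // Created inside the impersonated operation, so this hop uses the caller's delegated ticket.
        return factory.CreateChannel().WhoAmI(); // expected: the original caller's name
    }
}

public static class Client
{
    public static string Call()
    {
        var factory = new ChannelFactory<IFrontend>(new WSHttpBinding(SecurityMode.Message),
            "http://frontend.corp.example/frontend"); // assumed address
        // Without this the frontend only receives an Impersonation-level token and cannot forward it.
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;
        return factory.CreateChannel().WhoDoesBackendSee();
    }
}
```

If the check throws on a domain-joined test setup, compare the frontend account's delegation tab in Active Directory Users and Computers with the backend SPN before changing any more WCF configuration.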