无法使用webhttpbinding获取用于WCF服务的JSON调用的用户凭据

时间:2022-08-23 15:25:32

Hope someone can help!

希望有人可以帮忙!

I am calling a WCF service using JSON but I am not able to get the user credentials out.
We are using Kerberos so IIS is setup as the following:

我使用JSON调用WCF服务,但我无法获取用户凭据。我们正在使用Kerberos,因此IIS设置如下:

Server-side tasks:

  1. IIS server is member of domain
  2. IIS服务器是域的成员

  3. Set IIS server computer account in AD Users & Computers MMC as "Trusted for Delegation"
  4. 在AD用户和计算机MMC中将IIS服务器计算机帐户设置为“受信任的委派”

  5. IIS Server must be rebooted for this policy to take effect.
  6. 必须重新启动IIS服务器才能使此策略生效。

  7. Integrated Windows Authentication only must be selected for site / virtual directory
  8. 只能为站点/虚拟目录选择集成Windows身份验证

  9. IIS must not have NTLM only set as authentication method (this is usually not a problem, NEGOTIATE is default, so unless you specifically ran a script to change this, don't worry about it).
  10. IIS不能只将NTLM设置为身份验证方法(这通常不是问题,NEGOTIATE是默认的,所以除非你专门运行脚本来改变它,否则不要担心它)。

  11. IIS server name either must match exactly account name in AD, or SetSPN tool should be used in cases where IIS site is set as alternative name (e.g. server is called server01.domain.com, and website is called www.application.com).
  12. IIS服务器名称必须与AD中的帐户名称完全匹配,或者在将IIS站点设置为备用名称的情况下应使用SetSPN工具(例如,服务器名为server01.domain.com,网站名为www.application.com)。

Client-side tasks

  1. Client must be using IE 5.x+. If client is running IE 6, ensure that "Enable Integrated Windows Authentication (requires restart)" is selected from Tools > Internet Options > Advanced.
  2. 客户端必须使用IE 5.x +。如果客户端正在运行IE 6,请确保从“工具”>“Internet选项”>“高级”中选择“启用集成Windows身份验证(需要重新启动)”。

  3. Web site MUST be recognized as Local Intranet (not Internet Zone) site to client. I have not seen any documentation explaining why, but I just have never been able to get it to work otherwise. If necessary, specifically add this to Local Intranet sites list.
  4. 网站必须被识别为客户端的本地Intranet(非Internet区域)站点。我没有看到任何文件解释原因,但我从来没有能够让它工作否则。如有必要,请将其添加到“本地Intranet站点”列表中。

  5. Client account must not be marked as "Sensitive, Do not Delegate" in AD Users and Computers MMC.
  6. 客户帐户不得在AD用户和计算机MMC中标记为“敏感,不委派”。

Everything works nicely when using wsHTTPBinding. However to get JSON working I have to use WebHttpBinding. I then need to get the user credentials out so I can use impersonation to talk to the backend services.

使用wsHTTPBinding时,一切都很好用。但是要使JSON正常工作,我必须使用WebHttpBinding。然后,我需要获取用户凭据,以便我可以使用模拟与后端服务进行通信。

My binding in the WFC config is as below: I used http://underground.infovark.com/2008/03/21/wcf-webhttp-binding-and-authentication/ to help:

我在WFC配置中的绑定如下:我使用http://underground.infovark.com/2008/03/21/wcf-webhttp-binding-and-authentication/来帮助:

<webHttpBinding>
    <binding name="AjaxBinding">
        <security mode="None">
             <transport clientCredentialType="Ntlm" />
         </security>
     </binding>
</webHttpBinding>

<endpoint name="DataJson" address="Datajson" binding="webHttpBinding" 
        bindingConfiguration="AjaxBinding" 
        behaviorConfiguration="jsonbehaviour" contract="MyContract"/>

<behavior name="jsonbehaviour">
     <!--<webHttp/>-->
     <enableWebScript/>
</behavior>

It is calling the WCF service successfully but I am unable to get anything from: HttpContext.Current.User.Identity or ServiceSecurityContext.Current.WindowsIdentity other than anonymous so I am unable to do:

它正在成功调用WCF服务但我无法从以下内容获取任何内容:HttpContext.Current.User.Identity或ServiceSecurityContext.Current.WindowsIdentity而不是匿名,所以我无法做到:

WindowsIdentity identity = (WindowsIdentity)HttpContext.Current.User.Identity();

using (identity.Impersonate())
{
    // ... code to call application B goes here ...
}

I have tried adding this into the web.config in case of multiple identities that I read about:

我尝试将其添加到web.config中,以防我读到多个身份:

              <deny users="?"/>

Any ideas anyone?

任何人的想法?

1 个解决方案

#1


  • Do you have this section in your config?

    你的配置中有这个部分吗?

    <system.web>
    <identity impersonate="true"/>
    
    • Under what account is your application pool running? (Network Service right?)
    • 您的应用程序池在什么帐户下运行? (网络服务吧?)

    • You dont perhaps have duplicate SPN's on the domain?
    • 你可能在域名上有重复的SPN?

These are the only things that I have on my "list" of things to check when doind integrated authentication, that you did not explicitly mention in your question. Hope it helps?

这些是我在我的“列表”中唯一可以检查的事项,当你进行集成身份验证时,你没有在你的问题中明确提到。希望能帮助到你?

#1


  • Do you have this section in your config?

    你的配置中有这个部分吗?

    <system.web>
    <identity impersonate="true"/>
    
    • Under what account is your application pool running? (Network Service right?)
    • 您的应用程序池在什么帐户下运行? (网络服务吧?)

    • You dont perhaps have duplicate SPN's on the domain?
    • 你可能在域名上有重复的SPN?

These are the only things that I have on my "list" of things to check when doind integrated authentication, that you did not explicitly mention in your question. Hope it helps?

这些是我在我的“列表”中唯一可以检查的事项,当你进行集成身份验证时,你没有在你的问题中明确提到。希望能帮助到你?