I have a question regarding the Impersonation on WCF. I'd like to connect to a DB on a WCF Windows service that is called by a client application. The connection to the DB should be done using the account under which the service runs. BUT I'd like to validate that the call to the WCF service is made from a trusted source (validate that the user of the client app is a autenticated user of the domain).开发者_C百科
What is the kind security you would advise me to use ?
I tried Impersonation, but I get this error when trying to connect to the DB from the windows service :
System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
The configuration string is like this :
server=myServer;Initial Catalog=myDatabase;Integrated Security=True
The WCF configuration of the service looks like this :
<system.serviceModel>
<services>
<service name="MyNamespace.MyService"
behaviorConfiguration="TransfertServiceBehavior">
<host>
<baseAddresses>
<add baseAddress="net.tcp://localhost:8095/MyNamespace.MyService"/>
</baseAddresses>
</host>
<endpoint address=""
binding="netTcpBinding"
bindingConfiguration="TransactionalBinding"
contract="myContract" />
<endpoint address="mex"
binding="mexTcpBinding"
contract="IMetadataExchange" />
</service>
</services>
<bindings>
<netTcpBinding>
<binding name="TransactionalBinding"
transferMode="Streamed" transactionFlow="true" maxReceivedMessageSize="1000000000">
<readerQuotas maxDepth="10000" maxStringContentLength="1000000000"
maxArrayLength="1000000000" maxBytesPerRead="10000" maxNameTableCharCount="10000" />
<security mode="Transport" />
</binding>
</netTcpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="TransfertServiceBehavior">
<serviceMetadata httpGetEnabled="False"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
<serviceAuthorization impersonateCallerForAllOperations="true" />
</behavior>
</serviceBehaviors>
</behaviors>
The configuration on the client app looks like this :
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="NetTcpBinding_Client" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
transactionFlow="true" transferMode="Streamed" transactionProtocol="OleTransactions"
hostNameComparisonMode="StrongWildcard" listenBacklog="10" maxBufferPoolSize="1000000000"
maxBufferSize="1000000000" maxConnections="10" maxReceivedMessageSize="65536">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="1000000000"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Transport">
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
<message clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
</bindings>
<client>
<endpoint address="net.tcp://localhost:8095/MyNamespace.MyService"
binding="netTcpBinding" bindingConfiguration="NetTcpBinding_Client"
contract="myContract" behaviorConfiguration="ImpersonationBehavior">
<identity>
<userPrincipalName value="myUsername@intra.myDomain.ca" />
</identity>
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="ImpersonationBehavior">
<clientCredentials>
<windows allowedImpersonationLevel="Impersonation" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
If your WCF impersonates then you must enable Kerberos Constrained Delegation for the WCF account service, see also Delegation and Impersonation with WCF.
Detailed instructions at Configure the WCF Service Identity Trusted for Constrained Delegation:
- On the domain controller, start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
- In the left pane of the MMC snap-in, click the Computers node.
- In the right pane, double-click your WCF server computer to display the Properties dialog box.
- On the Delegation tab of the Properties window for the WCF server computer, Do not trust the computer for delegation is selected by default. To use constrained delegation, select Trust this computer for delegation to specified services only. You specify precisely which service or services can be accessed in the bottom pane.
- Beneath Trust this computer for delegation to specified services only, keep the default option Use Kerberos only selected.
- Click the Add button to display the Add Services dialog box.
- Click the Users or computers button.
In the Select Users or Computers dialog box, type the name of your database server computer if you are running SQL Server as System or Network Service.
Alternatively, if you are running SQL Server by using a custom domain account, enter that account name instead and then click OK. You will see all the SPNs configured for the selected user or computer account. To restrict access to SQL Server, select the MSSQLSvc service, and then click OK.
Remove this line from your service configuration:
<serviceAuthorization impersonateCallerForAllOperations="true" />
and this from your client configuration:
<behaviors>
<endpointBehaviors>
<behavior name="ImpersonationBehavior">
<clientCredentials>
<windows allowedImpersonationLevel="Impersonation" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
Impersonation means that all operations will be done withing context of impersonated users = identity of the service is replaced with the identity of calling user. If your SQL server is installed locally on the machine where your Windows service is running your calls to database will be impersonated as well.
If you turn off impersonation you will have exactly what you want because execution in the service will use service account but service will authenticate each calling client. It is done by your netTcpBinding
configuration which uses transport security with Windows integrated authentication.
精彩评论