Will WCF trust credential from an untrusted domain?

Developer https://www.devze.com 2023-03-29 02:23 Source: Internet

We have a webserver in a DMZ hosting an IIS website. The website talks to a middleware machine in a private domain, which is hosting WCF services.

When the webserver tries to communicate with the middleware machine via a TCP binding, we get the following error message,

The server has rejected the client credentials. The logon attempt failed.

The website uses an AppPool account from the private domain (DMZ trusts private domain). Forms and Anonymous authentication are enabled.

My question is, would the middleware server be able to authenticate valid credentials (hopefully the AppPool credentials), even though they originated from an untrusted domain (DMZ)?


@marc_s is right in his comment. It's not just a WCF thing though; it's security in general.

Just look at it from a conceptual point: "authenticate valid credentials" is not what is happening. The middleware service gets credentials. The question is then whether those credentials are valid or not. In order to determine validity, it needs to know them or ask something that it trusts to validate them for it. Asking an untrusted party doesn't work, since you can't determine if the answer you get is a valid answer or not. In your case there is no place to determine if the passed credentials are valid or just a random token.

If you want to allow unvalidated credentials to pass, you should really remove the authentication/authorisation altogether.

0
