How to impersonate the client for a WCF call

Time: 2021-05-29 05:01:22

I need some help with WCF and authorization. Currently I have a client which calls a .NET remoting object hosted in a Windows service and which is calling a WCF service (with wsHttpBinding). The WCF service is using Windows authentication with message-based security.

The Windows service is running with a special account. Once a client call arrives at the .NET remoting object, Thread.CurrentPrincipal gets set to the principal provided by the client, so that all actions are executed with the credentials from the client. No problem so far, now here comes my current problem: the WCF service should be called with the client user credentials. Afaik WCF uses WindowsIdentity.GetCurrent to create the authorization information for the call. As Thread.CurrentPrincipal holds the identity I want to use for the call, I thought (Thread.CurrentPrincipal.Identity as WindowsIdentity).Impersonate() does the job.

But now I'm getting instead of a WCF security exception this exception: System.ComponentModel.Win32Exception: No credentials are available in the security package

Callstack:
   at System.IdentityModel.SspiWrapper.AcquireCredentialsHandle(String package, CredentialUse intent, AuthIdentityEx& authdata)
   at System.ServiceModel.Security.SecurityUtils.GetCredentialsHandle(String package, NetworkCredential credential, Boolean isServer, String[] additionalPackages)
   at System.ServiceModel.Security.SecurityUtils.GetCredentialsHandle(SecurityBindingElement sbe, ClientCredentials clientCredentials)
   at System.ServiceModel.Security.SecurityUtils.GetCredentialsHandle(SecurityBindingElement sbe, BindingContext context)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.OnOpening()
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpening()
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.CommunicationObjectSecurityTokenProvider.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecurityUtils.OpenTokenProviderIfRequired(SecurityTokenProvider tokenProvider, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

thx for any help Martin

EDIT: I made a mistake which led to this exception, because I forgot to create the ChannelFactory after the impersonation, but now I get another exception, where I'm not really sure how to deal with it: System.IO.FileLoadException: Could not load file or assembly 'System.IdentityModel.Selectors, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies. Either a required impersonation level was not provided, or the provided impersonation level is invalid. (Exception from HRESULT: 0x80070542)

1 solution

#1


The user that your Windows service is running as must be allowed to impersonate a user.

There is a right called "Impersonate a client after authentication"

http://blogs.technet.com/askperf/archive/2007/10/16/wmi-troubleshooting-impersonation-rights.aspx
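The ordering from the question's EDIT together with the impersonation right named in this answer, as an added C# example that is not part of the original post. The contract IBackendService, its WhoAmI operation and the endpoint address are hypothetical stand-ins; the binding is a default WSHttpBinding (message security with Windows credentials), matching the setup the question describes.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.Threading;

// Hypothetical contract standing in for the real WCF service contract.
[ServiceContract]
public interface IBackendService
{
    [OperationContract]
    string WhoAmI();
}

public static class ImpersonatedCall
{
    // Hypothetical endpoint address (assumption, not from the post).
    const string Address = "http://backend.example/Service.svc";

    public static string CallAsCurrentPrincipal()
    {
        var caller = Thread.CurrentPrincipal.Identity as WindowsIdentity;
        if (caller == null)
            throw new InvalidOperationException("Thread.CurrentPrincipal is not a WindowsIdentity.");

        // Dispose() undoes the impersonation, so the thread returns to the
        // service account even when the call throws.
        using (caller.Impersonate())
        {
            // Check the token the thread actually ended up with. HRESULT 0x80070542
            // is Win32 ERROR_BAD_IMPERSONATION_LEVEL: an Identification-level token
            // cannot be used to access resources as the user.
            using (WindowsIdentity effective = WindowsIdentity.GetCurrent())
                if (effective.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
                    throw new InvalidOperationException(
                        "Effective token level: " + effective.ImpersonationLevel);

            // The factory is created inside the scope, per the EDIT in the question.
            var factory = new ChannelFactory<IBackendService>(
                new WSHttpBinding(), new EndpointAddress(Address));
            try
            {
                string result = factory.CreateChannel().WhoAmI();
                factory.Close();
                return result;
            }
            catch { factory.Abort(); throw; } // Close() can throw on a faulted factory
        }
    }
}
```

If the level check fails, verify that the service account holds "Impersonate a client after authentication" before changing any code.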
