How does WCF Windows authentication work without explicitly setting credentials

Submitted by 筅森魡賤 on 2019-12-12 10:49:43

Question


I have an asp.net web application that makes calls to several WCF services. The web app is located at www.mydomain.com and the services are at services.mydomain.com. They are hosted from the same server.

I've just added secure endpoints (basicHttpBindings) to the services that use Transport security (https) and Windows authentication:

<binding name="WindowsSecuredBinding">
  <security mode="Transport">
    <transport clientCredentialType="Windows" />
  </security>
</binding>

and configured the client web app to use these new secure endpoints. I was expecting the next step to be writing some code in the web app to set the client credentials in order to pass the Windows authentication. To my surprise, the service calls are succeeding without setting the client credentials. I'm assuming it must be sending the account that the web app is running under but don't know how to verify that. In other scenarios I thought I've seen the client credentials having no implicit default.

So I have two questions:

  1. How is authentication succeeding? Does it send the user the app runs under, the browser user's credentials, no credentials?
  2. How can I debug/log/trace the authentication process? I'd like to at least see the username that's being authenticated so I can validate the security.

Answer 1:


  1. With your current configuration as you have it on the server and client side the client is sending the credentials that it is running under. Because the credential type is set to Windows that causes the security negotiation to check in Kerberos if you are in a domain or in NTLM if it's a workgroup environment. (More information can be found here.)
  2. To debug the authentication process WCF has an auditing feature that can be enabled. Instructions for adding auditing are here.

Here are the important parts from the auditing MSDN page:

<behaviors>
 <behavior name="myAuditBehavior">
  <serviceSecurityAudit auditLogLocation="Application"
    suppressAuditFailure="false" 
    serviceAuthorizationAuditLevel="None" 
    messageAuthenticationAuditLevel="SuccessOrFailure" />
 </behavior>
</behaviors>

and adding the behavior to the service:

<service type="[Your service type here]" behaviorConfiguration="myAuditBehavior">

Once auditing is enabled you can see all the authorization activity (success and failure if you configure it that way). This should allow you to validate that your security is set up the way you would like it.

If you happen to need functionality of passing the credentials of the user that is using the ASP.NET web app (this is called Impersonation) the MSDN documentation on that is found on this page "Delegation and Impersonation with WCF".
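A complementary way to answer the asker's second question ("which username is actually being authenticated?") is to have the service report the identity it sees and compare it with the identity the client process runs under. The following is an added example, not code from the question or the answer: the contract name IIdentityProbe, the service class, and the client endpoint configuration name "WindowsSecuredEndpoint" are assumed, and the endpoint is expected to be configured with the Transport/Windows binding shown in the question.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical contract: WhoAmI returns the Windows identity the service sees.
[ServiceContract]
public interface IIdentityProbe
{
    [OperationContract]
    string WhoAmI();
}

public class IdentityProbeService : IIdentityProbe
{
    public string WhoAmI()
    {
        // WCF fills ServiceSecurityContext after transport authentication.
        // With clientCredentialType="Windows" it carries a WindowsIdentity.
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous)
        {
            return "anonymous (no Windows credential was authenticated)";
        }

        WindowsIdentity caller = ctx.WindowsIdentity;
        // AuthenticationType tells you whether Kerberos or NTLM was negotiated;
        // ImpersonationLevel shows what the service is allowed to do with the token.
        return string.Format("{0} via {1} (impersonation level: {2})",
            caller.Name, caller.AuthenticationType, caller.ImpersonationLevel);
    }
}

public static class IdentityProbeClient
{
    public static void Run()
    {
        // "WindowsSecuredEndpoint" is an assumed <client><endpoint name="..."> entry
        // in the web app's <system.serviceModel> configuration.
        var factory = new ChannelFactory<IIdentityProbe>("WindowsSecuredEndpoint");

        // Identification is the default: the service can learn who called but
        // cannot act as the caller. Setting it explicitly documents that intent.
        factory.Credentials.Windows.AllowedImpersonationLevel =
            TokenImpersonationLevel.Identification;

        // No ClientCredential is set, so the channel authenticates with the
        // credentials of the process (the app pool identity under IIS).
        Console.WriteLine("Client process identity : " + WindowsIdentity.GetCurrent().Name);

        IIdentityProbe proxy = factory.CreateChannel();
        try
        {
            Console.WriteLine("Identity seen by service : " + proxy.WhoAmI());
            ((IClientChannel)proxy).Close();
        }
        catch
        {
            ((IClientChannel)proxy).Abort();
            throw;
        }
        finally
        {
            factory.Close();
        }
    }
}
```

When the two printed names match, the service is authenticating the application pool account rather than the browser user, which is the behaviour the answer describes; a mismatch (or "anonymous") indicates that ASP.NET impersonation or a different binding is in play and should be checked against the audit log entries produced by the serviceSecurityAudit behavior above.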



Source: https://stackoverflow.com/questions/12712704/how-does-wcf-windows-authentication-work-without-explicitly-setting-credentials
