WCF Service: Client Principal Delegation between WebServices

霸气de小男生 submitted on 2019-12-13 19:16:16

Question


I'm currently developing a website which uses multiple WCF-WebServices.

Delegation and Impersonation haven't been a problem yet.

Now I have the following scenario:

WebSite --> WebService1 --> Validation-WebService

My Website calls the WebService1 (which is the core of the system) and WebService1 calls my Validation-WebService. WebService1 and the Validation-WebService are currently running on the same machine in different virtual directories. It is possible that the services are running on different machines in production mode, that's why I want to use delegation instead of impersonation. Both are running under the following context: "NT AUTHORITY\NETWORK SERVICE".

In both WebServices I want to identify the actual user of the WebSite, which - in my case - currently works via ServiceSecurityContext.Current.WindowsIdentity.Name.

I am able to get the WindowsIdentity of the user in the first WebService, but not in the Validation-WebService.

If I require impersonation on the intermediate WebService via [OperationBehavior(Impersonation = ImpersonationOption.Required)] I'm getting an exception:

System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at https://myWebServer.myCompany.com/ValidationService_dev/ValidationService.svc that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. ---> System.Net.WebException: The remote name could not be resolved: 'myWebServer.myCompany.com'

If I'm not impersonating in WebService1, the connection works but the identification in the Validation-WebService fails.

WebService1 has the following configuration (just important parts):

<services>
  <service name="WebService1.WebService1">
    <endpoint address="" binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IWebService1" contract="WebService1.IWebService1">
      <identity>
        <servicePrincipalName value="host/myWebServer.myCompany.com"/>
      </identity>
    </endpoint>
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
  </service>
</services>
<behaviors>
  <serviceBehaviors>
    <behavior>
      <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
      <serviceDebug includeExceptionDetailInFaults="true"/>
      <serviceAuthenticationManager authenticationSchemes="IntegratedWindowsAuthentication" />
    </behavior>
  </serviceBehaviors>
  <endpointBehaviors>
    <behavior name="CredentialDelegationBehavior">
      <clientCredentials>
        <windows allowedImpersonationLevel="Delegation" />
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="false" multipleSiteBindingsEnabled="true"/>
<bindings>
  <wsHttpBinding>
    <binding name="WSHttpBinding_IValidationService">
      <security mode="Transport" />
    </binding>
    <binding name="WSHttpBinding_IWebService1" closeTimeout="00:01:00"
      openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
      bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
      maxBufferPoolSize="524288" maxReceivedMessageSize="2147483647"
      messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
      allowCookies="false">
      <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
      <reliableSession ordered="true" inactivityTimeout="00:10:00"
        enabled="false" />
      <security mode="Transport">
        <transport clientCredentialType="Windows" proxyCredentialType="None"
          realm="" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
<client>
  <endpoint address="https://myWebServer.myCompany.com/ValidationService_dev/ValidationService.svc"
    binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IValidationService" behaviorConfiguration="CredentialDelegationBehavior"
    contract="ValidationService.IValidationService" name="WSHttpBinding_IValidationService">
    <identity>
      <servicePrincipalName value="host/myWebServer.myCompany.com" />
    </identity>
  </endpoint>
</client>

Delegation is configured and looks similar to the config of the WebSite (which works).

Configuration of Validation-WebService (just important parts):

<services>
  <service name="ValidationService.ValidationService" >
    <endpoint address="" binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IValidationService" contract="ValidationService.IValidationService">
      <identity>
        <servicePrincipalName value="host/myWebServer.myCompany.com"/>
      </identity>
    </endpoint>
    <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
  </service>
</services>
<behaviors>
  <serviceBehaviors>
    <behavior>
      <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
      <serviceDebug includeExceptionDetailInFaults="true"/>
      <serviceAuthenticationManager authenticationSchemes="IntegratedWindowsAuthentication" />
    </behavior>
  </serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="false" multipleSiteBindingsEnabled="true" />
<bindings>
  <wsHttpBinding>
    <binding name="WSHttpBinding_IValidationService" closeTimeout="00:01:00" openTimeout="00:01:00"
     receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false"
     transactionFlow="false" hostNameComparisonMode="StrongWildcard"
     maxBufferPoolSize="524288" maxReceivedMessageSize="2147483647"
     messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
     allowCookies="false">
      <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
       maxBytesPerRead="4096" maxNameTableCharCount="16384" />
      <reliableSession ordered="true" inactivityTimeout="00:10:00"
       enabled="false" />
      <security mode="Transport">
        <transport clientCredentialType="Windows" proxyCredentialType="None"
         realm="" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

I've already found one forum post which describes the exact same problem, but this didn't work for me :( Here: Forum Post found

Does anybody have a suggestion on how this could work? I've been working on this for two days and wasn't able to find a solution.

If you need any other information, feel free to ask.
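A diagnostic that helps narrow down this kind of two-hop problem is to have the intermediate service report what token it actually received before it tries to call onward. The operation below is an added example, not code from the question or from the WebService1 project: the contract name, class name and operation are hypothetical, and it assumes the same wsHttpBinding/Transport/Windows setup shown in the question. It reports the caller's authentication type and the token's TokenImpersonationLevel; a token at Impersonation level is enough for local work but cannot be used to authenticate to a service on another machine, and only a Kerberos ticket can carry Delegation level, so these two values are the first thing to verify when the second hop fails.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical probe contract; the question's real contract is WebService1.IWebService1.
[ServiceContract]
public interface IDelegationProbe
{
    [OperationContract]
    string DescribeCaller();
}

public class DelegationProbe : IDelegationProbe
{
    // Same attribute the question applies on the intermediate service.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string DescribeCaller()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous || ctx.WindowsIdentity == null)
        {
            return "anonymous caller: no Windows identity arrived on this call";
        }

        // Identity of the original caller as WCF authenticated it on this hop.
        WindowsIdentity caller = ctx.WindowsIdentity;

        // Identity the thread is running as right now. With Impersonation = Required
        // this should be the caller, not NT AUTHORITY\NETWORK SERVICE.
        WindowsIdentity thread = WindowsIdentity.GetCurrent();

        return Summarize(caller, thread);
    }

    // Pure helper so the decision can be checked without a running host.
    public static string Summarize(WindowsIdentity caller, WindowsIdentity thread)
    {
        // NTLM tokens never reach Delegation level; a second network hop needs Kerberos.
        bool isKerberos = string.Equals(caller.AuthenticationType, "Kerberos",
                                        StringComparison.OrdinalIgnoreCase);
        bool canDelegate = isKerberos
                        && caller.ImpersonationLevel == TokenImpersonationLevel.Delegation;

        string verdict = canDelegate
            ? "token can be forwarded to the next hop"
            : "token cannot authenticate to a remote service; check Kerberos/SPN and "
              + "the 'trusted for delegation' setting of the service account";

        return string.Format(
            "caller={0} auth={1} level={2} thread={3} impersonating={4} => {5}",
            caller.Name,
            caller.AuthenticationType,
            caller.ImpersonationLevel,
            thread.Name,
            string.Equals(thread.Name, caller.Name, StringComparison.OrdinalIgnoreCase),
            verdict);
    }
}
```

Call the probe from the WebSite exactly as WebService1 is called today and read the returned line. If `level` is `Impersonation` rather than `Delegation`, or `auth` is `NTLM`, the first hop is not producing a forwardable ticket and no amount of client-side `allowedImpersonationLevel="Delegation"` on the second hop will help; if `level` is `Delegation` and `impersonating` is `True`, the remaining suspects are the SPN on the ValidationService endpoint and name resolution of the host in the endpoint address, which is what the `WebException` in the question reports.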

Source: https://stackoverflow.com/questions/19315433/wcf-service-client-principal-delegation-between-webservices
