c# - IIS 托管 WCF 服务和使用 Windows 身份验证的 SQL 查询

Question

我是 WCF 的新手，但我有一个托管在 IIS 中的 WCF 服务，它对我们的 SQL Server 有多个查询。我正在使用 WPF 应用程序使用 WCF 服务。我想要做的是允许 Windows 身份验证从 WPF 客户端传递到 WCF 服务，再到 SQL Server，以便以客户端用户身份执行 SQL 查询。到目前为止，我一直在尝试以各种方式配置网站和主机，但没有成功。

在我的 WCF 服务网站上，我有 Anonymous Authentication=true(对于 MEX)、ASP.NET Impersonation=true 和 Windows Authentication=true。

在我的 WCF 服务 Web.config 中:

<configuration>
  <system.web>
    <customErrors mode="Off"/>
    <authentication mode="Windows"/>
    <compilation debug="true" targetFramework="4.0">
      <assemblies>
        <add assembly="System.Data.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      </assemblies>
    </compilation>
  </system.web>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding maxReceivedMessageSize="5000000" name="WindowsSecurity">
          <readerQuotas maxDepth="200"/>
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <service name="ADATrackingService" behaviorConfiguration="ServiceBehavior">
        <endpoint address="" binding="wsHttpBinding" bindingConfiguration="WindowsSecurity"
          name="wsHttpEndpoint" contract="IADATrackingService" />
        <endpoint address="mex" binding="mexHttpsBinding" name="MexHttpsBindingEndpoint"
          contract="IMetadataExchange" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceBehavior">
          <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceAuthorization impersonateCallerForAllOperations="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
  </system.webServer>
  <connectionStrings>
    <add name="ADATrackingEntities" connectionString="metadata=res://*/EntityModel.ADATrackingModel.csdl|res://*/EntityModel.ADATrackingModel.ssdl|res://*/EntityModel.ADATrackingModel.msl;provider=System.Data.SqlClient;provider connection string=&quot;data source=MYSERVER;initial catalog=ADATracking;integrated security=True;multipleactiveresultsets=True;App=EntityFramework&quot;" providerName="System.Data.EntityClient" />
  </connectionStrings>
</configuration>

然后在我的 WPF 客户端 App.Config 中我有:

<configuration>
    <system.serviceModel>
      <behaviors>
        <endpointBehaviors>
          <behavior name="WindowsAuthentication">
            <clientCredentials>
              <windows allowedImpersonationLevel="Delegation"/>
            </clientCredentials>
          </behavior>
        </endpointBehaviors>
      </behaviors>
        <bindings>
            <wsHttpBinding>
                <binding name="wsHttpEndpoint" closeTimeout="00:01:00" openTimeout="00:01:00"
                    receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false"
                    transactionFlow="false" hostNameComparisonMode="StrongWildcard"
                    maxBufferPoolSize="524288" maxReceivedMessageSize="5000000"
                    messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
                    allowCookies="false">
                    <readerQuotas maxDepth="200" maxStringContentLength="8192" maxArrayLength="16384"
                        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                    <reliableSession ordered="true" inactivityTimeout="00:10:00"
                        enabled="false" />
                    <security mode="Transport">
                        <transport clientCredentialType="Windows" proxyCredentialType="None"
                            realm="" />
                        <message clientCredentialType="Windows" negotiateServiceCredential="true" />
                    </security>
                </binding>
            </wsHttpBinding>
        </bindings>
        <client>
            <endpoint address="https://MyService.svc"
                binding="wsHttpBinding" behaviorConfiguration="WindowsAuthentication" bindingConfiguration="wsHttpEndpoint"
                contract="ADATrackingService.IADATrackingService" name="wsHttpEndpoint">
                <identity>
                    <servicePrincipalName value="host/MyServer.com" />
                </identity>
            </endpoint>
        </client>
    </system.serviceModel>
</configuration>

我的服务调用只是使用允许模拟的元数据从 SQL 返回简单查询。每次我运行客户端并从我的服务中调用某些东西时，即使在 IIS 中设置了 AnonymousAuthentication=false，我也会在打开“NT Authority/ANONYMOUS LOGIN”的数据连接时出错？？？任何帮助将不胜感激。谢谢!

[OperationBehavior(Impersonation = ImpersonationOption.Required)]
public List<IndividualDisability> GetIndividualDisabilities()
{
    WindowsIdentity callerWindowsIdentity = ServiceSecurityContext.Current.WindowsIdentity;
    if (callerWindowsIdentity == null)
    {
        throw new InvalidOperationException
         ("The caller cannot be mapped to a Windows identity.");
    }
    using (callerWindowsIdentity.Impersonate())
    {
        using (var context = new ADATrackingEntities())
        {
            return context.IndividualDisabilities.OfType<IndividualDisability>().Include("ADACode").Include("Individual").Include("Disability").ToList();
        }
    }
}

Answer 1

好吧，今天又浏览了一些。我终于让它工作了!问题是在事件目录中，我需要允许委派到 SQL Server 框。在 AD 中有一个设置，您必须在 Web 服务器框上进行设置，以允许它在端口 1433 上委托(delegate)给您的 SQl Server 框上的 SQl 服务。我还必须确保我在 Web 服务器上设置了 kerebos 身份验证。这篇博文准确地解释了我的情况，并帮助我从头到尾让它正常工作:

ASP.Net Impersonation