wcf - How to use wsHttpBinding with message security through a load balancer

Reposted. Author: 行者123. Updated: 2023-12-04 19:20:33

I have a load-balanced service that uses message security:

<wsHttpBinding>
  <binding>
    <security mode="Message">
      <message clientCredentialType="Windows" establishSecurityContext="false" />
    </security>
  </binding>
</wsHttpBinding>

All of my calls to the service open and close their own channel, so there is no benefit to establishing a security context.

I am calling the service using a WSHttpBinding that matches the service configuration:

var ws = new WSHttpBinding();
ws.Security.Mode = SecurityMode.Message;
ws.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
ws.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
ws.Security.Message.EstablishSecurityContext = false;

This sometimes works, but sometimes I get errors such as

The security context token is expired or is not valid. The message was not processed.

or

The request for security token has invalid or malformed elements.
I finally found that setting EstablishSecurityContext to false doesn't actually prevent security context tokens from being used. Our load balancer currently does not use sticky sessions, and I am trying to avoid going down that road.

I did find that I should be able to set NegotiateServiceCredential to false on the client to allow for the load balancer without sticky sessions. My service already runs under an AD account, and I can see it in the WSDL:

<Upn>User@Domain</Upn>

However, when I try to add the service identity to my client

EndpointIdentity.CreateUpnIdentity("User@Domain")

I get the following error:

Authenticating to a service running under a user account which requires Kerberos multilegs, is not supported.

How can I call my service through the load balancer?

Best answer

According to the documentation for NegotiateServiceCredential, you must run the service with an SPN identity rather than a UPN:

If this property is set to false, and the binding is configured to use Windows as a client credential type, the service account must be associated with a Service Principal Name (SPN). To do this, run the service under the NETWORK SERVICE account, or LOCAL SYSTEM account. Alternatively, use the SetSpn.exe tool to create an SPN for the service account. In either case, the client must use the correct SPN in the <servicePrincipalName> element, or by using the EndpointAddress constructor.

Once you have configured the SPN that the service runs under, your WSDL should show the SPN instead of the UPN, and you then have to modify your client so that it uses: EndpointIdentity.CreateSpnIdentity("service_spn_name")

Update:

The following command should configure the SPN correctly:

setspn -A YourSvc/host.server.com domain\AppPoolAccountName

  • YourSvc = a name that identifies your svc
  • host.server.com = the fully qualified host name of the server hosting your service
  • See the documentation for setspn
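The client side of the answer, as an added example that is not part of the original question or answer: a binding with both EstablishSecurityContext and NegotiateServiceCredential off, so that no per-node session or negotiation state exists for the load balancer to break, and an endpoint address carrying the SPN identity rather than the UPN. The service contract, URL and SPN are placeholders; the service binding is assumed to be configured with the matching negotiateServiceCredential="false".

```csharp
using System;
using System.ServiceModel;

// Placeholder contract; the original post does not show one.
[ServiceContract]
public interface IMyService
{
    [OperationContract]
    string Ping();
}

public static class LoadBalancedClient
{
    // Matches the service's <security mode="Message"> / Windows configuration while
    // removing the two sources of per-node state that break behind a non-sticky load balancer.
    public static WSHttpBinding CreateBinding()
    {
        var ws = new WSHttpBinding(SecurityMode.Message);
        ws.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        // No WS-SecureConversation session token: every call is self-contained, so a
        // request answered by a different node cannot hit "security context token is expired".
        ws.Security.Message.EstablishSecurityContext = false;
        // No WS-Trust negotiation round trips (each leg could land on a different node).
        // Requires the service account to have an SPN, as the answer describes.
        ws.Security.Message.NegotiateServiceCredential = false;
        return ws;
    }

    // The identity is the SPN registered with setspn (for example "YourSvc/host.server.com").
    // In the question, using the account's UPN here produced the "Kerberos multilegs" error.
    public static EndpointAddress CreateAddress(string url, string spn)
    {
        return new EndpointAddress(new Uri(url), EndpointIdentity.CreateSpnIdentity(spn));
    }

    // One call per channel, as the question's callers already do; close explicitly so the
    // channel lifetime matches the stateless security configuration above.
    public static string CallPing(string url, string spn)
    {
        var factory = new ChannelFactory<IMyService>(CreateBinding(), CreateAddress(url, spn));
        var channel = factory.CreateChannel();
        try
        {
            return channel.Ping();
        }
        finally
        {
            ((IClientChannel)channel).Close();
            factory.Close();
        }
    }
}
```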

Regarding "wcf - How to use wsHttpBinding with message security through a load balancer", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/44811724/
