所提供的是一个使用HttpClientCredentialType.Windows运行,并强制用户通过Kerberos进行身份验证的WCF REST服务。
private static void Main(string[] args)
{
Type serviceType = typeof (AuthService);
ServiceHost serviceHost = new ServiceHost(serviceType);
WebHttpBinding binding = new WebHttpBinding();
binding.Security.Mode = WebHttpSecurityMode.TransportCredentialOnly;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
ServiceEndpoint basicServiceEndPoint = serviceHost.AddServiceEndpoint(typeof(IAuthService), binding, "http://notebook50:87");
basicServiceEndPoint.Behaviors.Add(new WebHttpBehavior());
Console.WriteLine("wcf service started");
serviceHost.Open();
Console.ReadLine();
}
public class AuthService : IAuthService
{
public List<string> GetUserInformation()
{
List<string> userInfo = new List<string>();
userInfo.Add("Environment.User = " + Environment.UserName);
userInfo.Add("Environment.UserDomain = " + Environment.UserDomainName);
if (OperationContext.Current != null && OperationContext.Current.ServiceSecurityContext != null)
{
userInfo.Add("WindowsIdentity = " + OperationContext.Current.ServiceSecurityContext.WindowsIdentity.Name);
userInfo.Add("Auth protocol = " + OperationContext.Current.ServiceSecurityContext.WindowsIdentity.AuthenticationType);
}
else
{
userInfo.Add("WindowsIdentity = empty");
}
WebOperationContext.Current.OutgoingResponse.ContentType = "text/plain";
return userInfo;
}
}
[ServiceContract]
public interface IAuthService
{
[OperationContract]
[WebInvoke(Method = "GET", ResponseFormat = WebMessageFormat.Json, UriTemplate = "test/")]
List<string> GetUserInformation();
}
当我将此作为控制台应用程序运行,并从另一台计算机的Internet Explorer中打开
http://notebook50:87/test/
网站时,会收到“坏请求”的响应。
我确实启用了kerberos日志记录,并显示了KDC_ERR_PREAUTH_REQUIRED。我可以通过创建一个Windows服务并在“Local System”帐户下运行它来解决这个问题。 在这种情况下,客户端能够进行身份验证。
问题:一个用户(运行此wcf服务的用户)需要什么权限/设置才能获得与应用程序在本地系统下作为Windows服务运行时相同的行为? 这是否与服务原则名称有关?