问题
I need to use Windows authentication in my application, together with claims-based authorization using Windows Identity Foundation. I have used the following configuration for my service.
<!-- Windows Identity Foundation settings from the question. Only a custom
     ClaimsAuthorizationManager is registered here; no claimsAuthenticationManager
     is configured in this fragment. -->
<system.identityModel>
  <identityConfiguration>
    <claimsAuthorizationManager
        type="Framework.Authorization.AuthorizationManager, ClaimsAuthorizationService" />
  </identityConfiguration>
</system.identityModel>
<!-- WCF service model from the question. The asker reports that the service
     fails to start with this configuration. -->
<system.serviceModel>
  <bindings>
    <customBinding>
      <!-- receiveTimeout is 20 days, so an idle session can hold one of the
           50 connections for a long time. -->
      <binding name="CustomTcpBinding"
               maxConnections="50"
               openTimeout="01:20:00"
               closeTimeout="01:20:00"
               sendTimeout="00:05:00"
               receiveTimeout="20.00:00:00">
        <!-- Message-level Kerberos security, stacked with the stream-level
             Windows security below. The working configuration given in the
             answer on this page omits this element. -->
        <security authenticationMode="Kerberos" />
        <reliableSession />
        <!-- NOTE(review): Windows credentials are negotiated on the stream, but
             protectionLevel="None" leaves the traffic neither signed nor encrypted.
             EncryptAndSign is the protective value; client and service bindings
             have to agree on it. -->
        <windowsStreamSecurity protectionLevel="None" />
        <!-- NOTE(review): 2147483647 is Int32.MaxValue, so message and buffer
             size are effectively unlimited and one caller can force very large
             allocations. Size these to the largest legitimate message. -->
        <tcpTransport maxReceivedMessageSize="2147483647"
                      maxBufferSize="2147483647"
                      maxBufferPoolSize="2147483647" />
      </binding>
    </customBinding>
  </bindings>
  <services>
    <service name="Framework.Authorization.DummyRebService"
             behaviorConfiguration="Framework.Authorization.DummyRebServiceBehavior">
      <endpoint name="IDummyRebService"
                address="IDummyRebService"
                binding="customBinding"
                bindingConfiguration="CustomTcpBinding"
                contract="Framework.Authorization.IDummyRebService" />
      <!-- Metadata exchange endpoint: describes the contract to any caller that
           can reach the port. Consider removing it outside development. -->
      <endpoint address="mex"
                binding="mexTcpBinding"
                contract="IMetadataExchange" />
      <host>
        <timeouts closeTimeout="00:00:01" />
        <baseAddresses>
          <add baseAddress="net.tcp://localhost:8234//DummyRebService" />
        </baseAddresses>
      </host>
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="Framework.Authorization.DummyRebServiceBehavior">
        <!-- Routes credential handling through the system.identityModel section. -->
        <serviceCredentials useIdentityConfiguration="true" />
        <serviceAuthorization principalPermissionMode="Always" />
        <!-- NOTE(review): httpGetEnabled needs an HTTP base address or an absolute
             httpGetUrl, and the only base address above is net.tcp. The answer on
             this page sets it to False. -->
        <serviceMetadata httpGetEnabled="True" />
        <!-- NOTE(review): a limit of one billion objects per graph is effectively
             no limit on deserialization work. -->
        <dataContractSerializer maxItemsInObjectGraph="1000000000" />
        <!-- NOTE(review): returns server-side exception details to callers.
             Useful while debugging; switch off for deployed services. -->
        <serviceDebug includeExceptionDetailInFaults="True" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
I keep running into one problem or another because I am working by trial and error, and I cannot find a reliable solution. Currently the service fails to start because of a "Contract required two way, but binding doesn't support..." error. Before that, I was getting a null userName (authorizationContext.Principal.Identity.Name) in the CheckAccess method of AuthorizationManager (derived from ClaimsAuthorizationManager) whenever I tried to add the service in WCF Test Client.
Basically, I need to configure the service so that the WCF service receives the Windows principal whenever it is called by a client.
Any help would be appreciated. I can provide more details if needed.
回答1:
After much trial and error, the following configuration has worked for me.
<!-- Complete configuration file that the answerer reports as working: Windows
     stream security on a custom TCP binding, with WIF claims authentication and
     authorization managers. -->
<configuration>
  <configSections>
    <!-- Registers the handler for the system.identityModel section used below. -->
    <section name="system.identityModel"
             type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  </configSections>
  <system.identityModel>
    <identityConfiguration>
      <!-- A ClaimsAuthenticationManager is registered here in addition to the
           authorization manager; the question's configuration had only the latter. -->
      <claimsAuthenticationManager
          type="Framework.Services.Security.PrincipalTransformer, ClaimsAuthorizationService" />
      <claimsAuthorizationManager
          type="Framework.Services.Security.AuthorizationManager, ClaimsAuthorizationService" />
    </identityConfiguration>
  </system.identityModel>
  <system.serviceModel>
    <bindings>
      <customBinding>
        <!-- Compared with the question's binding, the message-level
             <security authenticationMode="Kerberos"/> element and maxConnections
             are gone, and openTimeout is 30 seconds. -->
        <binding name="CustomTcpBinding"
                 openTimeout="00:00:30"
                 closeTimeout="01:20:00"
                 sendTimeout="00:05:00"
                 receiveTimeout="20.00:00:00">
          <reliableSession />
          <!-- NOTE(review): the caller is authenticated with Windows credentials,
               but protectionLevel="None" means the stream is neither signed nor
               encrypted. Prefer EncryptAndSign on any network that is not fully
               trusted; client and service bindings have to agree on it. -->
          <windowsStreamSecurity protectionLevel="None" />
          <!-- NOTE(review): 2147483647 is Int32.MaxValue, so message and buffer
               size are effectively unlimited. Size these to the largest
               legitimate message to bound memory use per caller. -->
          <tcpTransport maxReceivedMessageSize="2147483647"
                        maxBufferSize="2147483647"
                        maxBufferPoolSize="2147483647" />
        </binding>
      </customBinding>
    </bindings>
    <services>
      <service name="Framework.Authorization.DummyRebService"
               behaviorConfiguration="Framework.Authorization.DummyRebServiceBehavior">
        <endpoint name="IDummyRebService"
                  address="IDummyRebService"
                  binding="customBinding"
                  bindingConfiguration="CustomTcpBinding"
                  contract="Framework.Authorization.IDummyRebService" />
        <!-- Metadata exchange endpoint: describes the contract to any caller that
             can reach the port. Consider removing it outside development. -->
        <endpoint address="mex"
                  binding="mexTcpBinding"
                  contract="IMetadataExchange" />
        <host>
          <timeouts closeTimeout="00:00:01" />
          <baseAddresses>
            <add baseAddress="net.tcp://localhost:8234//DummyRebService" />
          </baseAddresses>
        </host>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="Framework.Authorization.DummyRebServiceBehavior">
          <!-- Writes authentication and authorization successes and failures to
               the Application event log.
               NOTE(review): with suppressAuditFailure="True" a failure to write
               the audit record does not stop the request, so audit gaps can go
               unnoticed; monitor the log separately if the trail matters. -->
          <serviceSecurityAudit auditLogLocation="Application"
                                messageAuthenticationAuditLevel="SuccessOrFailure"
                                serviceAuthorizationAuditLevel="SuccessOrFailure"
                                suppressAuditFailure="True" />
          <!-- Routes credential handling through the system.identityModel section. -->
          <serviceCredentials useIdentityConfiguration="true" />
          <serviceAuthorization principalPermissionMode="Always" />
          <!-- HTTP GET metadata is off; the only base address is net.tcp. -->
          <serviceMetadata httpGetEnabled="False" />
          <!-- NOTE(review): a limit of one billion objects per graph is
               effectively no limit on deserialization work. -->
          <dataContractSerializer maxItemsInObjectGraph="1000000000" />
          <!-- NOTE(review): returns server-side exception details to callers.
               Useful while debugging; switch off for deployed services. -->
          <serviceDebug includeExceptionDetailInFaults="True" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
  </startup>
</configuration>
来源:https://stackoverflow.com/questions/19913048/how-to-configure-windows-authentication-for-custom-binding-in-wcf-service