Pass windows credentials when invoke wcf service from other wcf service
I have following problem:
I have two WCF Services both using basicHttpBinging defined as:
<binding name="DefaultBasicBinding" closeTimeout="01:00:00" openTimeout="01:00:00"
receiveTimeout="01:00:00" sendTimeout="01:00:00" maxReceivedMessageSize="2147483647">
<readerQuotas maxStringContentLength="2147483647" maxArrayLength="2147483647" />
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows"/>
</security>
</binding>
In web.config i have also that lines:
< authentication mode="Windows"/>
< serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
Then I have silverlight application which invoke ServiceNo1. On server side, service method is executed. In her body ServiceNo1 and ServiceNo2 are invoked as client.
ServiceNo1 client1 = new ServiceNo1();
client1.ExecuteNextMethod1();
ServiceNo2 client2 = new ServiceNo2();
client2.ExecuteNextMethod2();
And that works perfectly on locahost. When this is published on dev - problems starts.
When service methods are executed in method invoked by silverlight application, exception is thrown:
开发者_运维技巧Exception type:
System.ServiceModel.Security.MessageSecurityException
Message:
The HTTP request is unauthorized with client authentication scheme 'Negotiate'.
The authentication header received from the server was 'Negotiate,NTLM'.
It's look like windows credentials are not passed.
Settings which are listed above are also on dev. Both servers (localhost & dev) have setted 'Only windows authentication' on IIS.
Anybody can't help me?
What's most likely happening is that on localhost your web-server is running under your credentials. On the Dev server, the web-server will be running under a different service account (e.g. the IIS application pool service for your application).
You're best solution will be to get the service account your application is running under authorised against the second service.
There are alternatives - use your user credentials as the service account in dev (I'm assuming this is not an option in a controlled environment), or impersonate your credentials on the server side (again - this is unlikely to be appropriate in a controlled environment).
EDIT The best option for you might be to impersonate the user's credentials. See this MSDN article for implementation. I'm not too familiar with Silverlight but you should be able to do something like:
using System.Security.Principal;
------------------------
WindowsImpersonationContext impersonationContext;
impersonationContext =
((.WindowsIdentity)HttpContext.User.Identity).Impersonate();
//Call your service here.
impersonationContext.Undo();
Note that you might encounter the Double-Hop problem, where Windows will not allow you to pass the users credentials from one server to the next - I would read the linked article for background.
精彩评论