本文介绍了WCF NetTcpBinding的安全性 - 它是如何工作的?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!


我遇到的WCF ...

I am encountering the following problems trying to work through the quagmire of settings in WCF...

我创建使用NetTcp绑定一个WCF客户端 - 服务器的服务。我没有对安全设置的更改并在一台机器上运行时,它的工作原理非常漂亮。然而,当我跑我的客户从另一台机器就抱怨说,服务器不喜欢被发送的安全证书。

I created a WCF client-server service using a NetTcp binding. I didn't make any changes to the security settings and when running on one machine it works very nicely. However, when I ran my client from another machine it complained that the server didn't like the security credentials that were sent.

我理解的现在的那个NetTCP被固定在默认情况下,我的客户会一直传递错误的安全细节 - 即Windows的用户名和密码(或某种形式的域名认证)来我的服务器,因为它们没有它也不会喜欢同一个域中运行。

I understand now that NetTCP is "secured" by default and that my client would have been passing the wrong security details - namely the Windows user name and password (or some form of domain authentication) to my server which as they are not running on the same domain it would not have liked.


However, what I don't understand is as follows:

我还没有指定的任何安全在我的绑定? - 不标准设置指望Windows用户名或密码发送

I haven't specified any security in my binding - does the standard settings expect a Windows user name or password to be sent?

我没有安装在我的服务器上的任何证书 - 据我所知,NetTCP绑定需要某种形式的公共密钥来保护凭据 - 然而这似乎在客户端和服务器均在同一台机器上工作 - 是如何数据获取加密?或者想要它作为WCF知道这是在同一台机器上,也不需要加密?

I don't have any certificate installed on my server - I understand that NetTCP bindings need some form of public private key to protect the credentials - yet this seemed to work when both client and server were on the same machine - how was the data getting encrypted? Or wants it as WCF knew it was on the same machine and encryption isn't needed?


I have had to set my security mode on my client and server to "none" now and they connect nicely. However is there a way to encrypt my data without a certificate?


Finally... what is the difference between Transport and Message security?

要检查我的理解(原谅的场景!)消息安全性是一样,如果我派从某甲向某乙,我带$ C $一个字母C我的手写作,以保证如果有人拦截它,他们不能读它?交通运输安全是如果我决定我都信武装运输发送,这样没有人可以一路上得到它?

To check my understanding (excuse the scenario!) message security is like if I sent a letter from person A to person B and I encode my hand writing to ensure that if anyone intercepts it they cannot read it? Transport Security is if I decide to have my letter sent by armed transport so that no one can get at it along the way?


Is it possible to have any form of encryption in WCF without a certificate? My project is a private project and I don't want to purchase a certificate and the data isn't that sensitive anyway so it's just for my own knowledge.



The default client credential type for NetTcpBinding is Windows Authentication. For Windows Authentication to work both client and server must be in the same domain, or mutually trusting domains (which in your case you do not have).


If both client and server were on the same domain, WCF would handle the mechanics of Windows Authentication "behind the scenes". And when both client and server are on the same machine they are effectively within the same domain, so Windows can use its own mechanisms to handle the encryption and decryption. It will only do this within mutually trusting domains, though.


If you don't have mutually trusting client and server domains, then the client and server must have some other way to determine if they trust each other with their keys. That's where certificates come in. The client and the server have their own certificates (or the server can issue the client a certificate).

运输安全是像加密壳外以及内。缺点是,如果你要通过信封的人自己组织之外,他们需要一个解密密钥只知道那里的信封应该去 - 现在他们可以在信封也可以参考消息。在另一方面,运输安全是快 - 它需要较少的安全开销数据得到与您的信封一起传递

Transport security is like encrypting the outside of the envelope as well as the inside. The downside is if you have to pass the envelope to someone outside your own organization, they need a decryption key just to know where the envelope is supposed to go--now they can read the message in the envelope also. On the other hand, transport security is faster--it requires less security overhead data getting passed along with your envelope.


Message security encrypts your message, but the envelope can be read by the postal workers (the internet and its routers). Only the source and the destination have the keys to decrypt the message, but the intermediaries can properly route your message.


To summarize: to use encryption over the NetTcpBinding both client and server must be within a domain (or mutually trusting domains) or you must have a key exchanging certificate.

编辑:有人问我一些例如code - 这里是在XAML绑定元素。它通常会被放置在NetTcpBinding的元件内。

I was asked for some example code--here is a binding element in XAML. It would normally be placed within a netTcpBinding element.

   <binding name="Secure" listenBacklog="4000" receiveTimeout="00:20:00" sendTimeout="00:20:01" maxReceivedMessageSize="2147483647" maxConnections="200" portSharingEnabled="true">
      <!-- ~2 GB -->
      <readerQuotas maxStringContentLength="2147483647"/>
      <!-- ~2 GB max string content length -->
      <security mode="Message">
        <transport clientCredentialType="None" protectionLevel="EncryptAndSign"/>
        <message clientCredentialType="None"/>


The important part is the security element. For transport security one would change the mode attribute to "Transport". More than likely the clientCredentialType would not be "None" but rather "Certificate", "Ntlm", or "Windows" depending on the context.

这篇关于WCF NetTcpBinding的安全性 - 它是如何工作的?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-04 09:04