Hi there,

I have some code that tries to impersonate the caller's Windows security settings and then connect to another WCF service on a different machine:

// Needs: using System; using System.Security.Principal; using System.ServiceModel;
// Identity of the original caller as seen by this (first-hop) service.
WindowsIdentity callerWindowsIdentity = ServiceSecurityContext.Current.WindowsIdentity;
using (callerWindowsIdentity.Impersonate())
{
    // Second hop: message security, authenticating with the impersonated Windows credentials.
    NetTcpBinding binding = new NetTcpBinding();
    binding.Security.Mode = SecurityMode.Message;
    binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
    EndpointAddress endpoint = new EndpointAddress(new Uri("net.tcp://serverName:9990/TestService1"));
    ChannelFactory<WCFTest.ConsoleHost.IService1> channel = new ChannelFactory<WCFTest.ConsoleHost.IService1>(binding, endpoint);
    WCFTest.ConsoleHost.IService1 service = channel.CreateChannel();
    string result = service.PrintMessage(msg);
    channel.Close(); // release the factory (and its channel) instead of leaking it
    return result;
}

But I get the error: "the caller was not authenticated by the service" System.ServiceModel .... The request for security token could not be satisfied because authentication failed ...

The credentials I am trying to impersonate are valid Windows credentials for the box the service is on.

Any ideas why?

A: 

Impersonation from your service to the next is a tricky issue, known as the "double-hop" issue.

I don't have a final answer for that (I typically avoid it by using an explicit service account for the service that needs to call another service).

BUT: you should definitely check out the WCF Security Guidance on CodePlex and search for "Impersonation" - there are quite a few articles there that explain all the ins and outs of impersonating an original caller and why it's tricky.

Marc

marc_s
A: 

Agree with marc_s this is the double-hop problem.

You need to get the windows authentication all the way through, therefore:

  • The request must be made in the context of a Windows user
  • IIS must be configured to use Windows authentication
  • Web.config must be set up for Windows authentication with impersonate = true
  • The user that your application pool is running as must be allowed to impersonate a user. This is the usual place where the double-hop problem occurs.

There is a right called "Impersonate a client after authentication":

http://blogs.technet.com/askperf/archive/2007/10/16/wmi-troubleshooting-impersonation-rights.aspx

Shiraz Bhaiji
A: 

If you are sure you have the credentials right on both hops, the next thing that could be causing the issue is the lack of a DnsEndpointIdentity being set on the endpoint.

// Needs: using System; using System.ServiceModel; using System.ServiceModel.Channels;
// The identity the client expects the remote service to prove.
DnsEndpointIdentity identity = new DnsEndpointIdentity("localhost"); // localhost is default. Change if your service uses a different value in the service's config.
Uri uri = new Uri("net.tcp://serverName:9990/TestService1");
EndpointAddress endpoint = new EndpointAddress(uri, identity, new AddressHeaderCollection());
Daniel Auger
+1  A: 

In order to support your scenario, you need to have an understanding of how Protocol Transition and Constrained Delegation work. You will need to configure both Active Directory and your WCF service endpoint(s) to support this. Note the use of the Service Principal Name (SPN). Take a look at the following link and see if they help you. The article has a sample to demonstrate the complete end-to-end configuration required to make this work.

How To: Impersonate the Original Caller in WCF Calling from a Web Application

Bill Craun
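A client-side version of the asker's call that combines the explicit endpoint identity from Daniel Auger's answer with the SPN form that Bill Craun's constrained-delegation setup needs, as an added example (not code from the question or from any answer). `PrintMessageAsCaller`, the `host` parameter and the `useSpn` switch are assumptions; the URL and the `IService1` contract follow the question.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Hypothetical helper for the double-hop scenario in the question.
public static class CallerImpersonatingClient
{
    public static string PrintMessageAsCaller(string msg, string host, bool useSpn)
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        // A token below Impersonation level (Anonymous/Identification) cannot be used
        // to authenticate outbound; the first-hop client must allow at least Impersonation.
        if (caller == null || caller.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
            throw new InvalidOperationException("Caller token is not usable for a second hop.");

        // Impersonate the original caller only for the duration of the outbound call.
        using (caller.Impersonate())
        {
            var binding = new NetTcpBinding();
            binding.Security.Mode = SecurityMode.Message;
            binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

            // Identity the remote service must prove. DNS identity is the default;
            // an SPN identity ("host/<machine>" is assumed here) is what Kerberos
            // constrained delegation checks against Active Directory.
            EndpointIdentity identity = useSpn
                ? EndpointIdentity.CreateSpnIdentity("host/" + host)
                : EndpointIdentity.CreateDnsIdentity("localhost");
            var address = new EndpointAddress(
                new Uri("net.tcp://" + host + ":9990/TestService1"), identity, new AddressHeaderCollection());

            var factory = new ChannelFactory<WCFTest.ConsoleHost.IService1>(binding, address);
            // Hand the second hop an Impersonation-level token, not Delegation,
            // unless AD has been explicitly configured to allow delegation.
            factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;

            WCFTest.ConsoleHost.IService1 service = factory.CreateChannel();
            try
            {
                string result = service.PrintMessage(msg);
                ((ICommunicationObject)service).Close();
                factory.Close();
                return result;
            }
            catch
            {
                ((ICommunicationObject)service).Abort(); // never Close() a faulted channel
                factory.Abort();
                throw;
            }
        }
    }
}
```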