Hi there,

I have a website hosted on ServerA which runs using an App Pool using a special user account with domain privileges to access our database. In the config file of the website I specify:

    <identity impersonate="true" />

I then have a service which is also on ServerA and hosted in a console app programmatically (i.e. no config file) like below.

    using System;
    using System.ServiceModel;
    using System.ServiceModel.Description;

    Uri uri = new Uri("net.tcp://ServerA:9900/Service/");

    ServiceHost host = new ServiceHost(typeof(Service1), uri);

    // Message-level security, callers authenticate with Windows credentials
    NetTcpBinding binding = new NetTcpBinding();
    binding.Security.Mode = SecurityMode.Message;
    binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

    ServiceEndpoint serviceEndpoint = host.AddServiceEndpoint(typeof(IService1), binding, uri);
    // Advertise the SPN that clients must use when authenticating this endpoint
    EndpointAddress myEndpointAddress = new EndpointAddress(uri, EndpointIdentity.CreateSpnIdentity("MyspnName"));
    serviceEndpoint.Address = myEndpointAddress;

    host.Open();

When I open a browser on my local machine and go to the website the website tries to connect to the WCF server and returns the error "The request for security token could not be satisfied because authentication failed."

The website uses the following code to connect to the service:

    using System;
    using System.Security.Principal;
    using System.ServiceModel;

    Uri uri = new Uri("net.tcp://ServerA:9900/Service/");

    // Must match the service's binding: message security with Windows credentials
    NetTcpBinding binding = new NetTcpBinding();
    binding.Security.Mode = SecurityMode.Message;
    binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

    // Identify the service by the same SPN it advertises
    EndpointIdentity epid = EndpointIdentity.CreateSpnIdentity("MyspnName");
    EndpointAddress endPoint = new EndpointAddress(uri, epid);
    //EndpointAddress endPoint = new EndpointAddress(uri);

    ChannelFactory<IService1> channel = new ChannelFactory<IService1>(binding, endPoint);
    // Allow the service to use the caller's token for a further hop
    channel.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;
    IService1 service = channel.CreateChannel();

    service.PrintMessage("Print this message!");

For PrintMessage, the method I'm calling, I tried [OperationBehavior(Impersonation = ImpersonationOption.Required)] and ImpersonationOption.Allowed, but the error is the same.

When I run the website locally using LocalHost there is no error and it works perfectly. And also when I change identity impersonate="false" in my web.config it runs, but my Windows credentials don't get passed into the WCF service, which is the whole point.

Any ideas what I'm missing? Please no general links, I've probably already read it!

thanks a lot

A: 

If you use Windows authentication, you can grab the identity of the caller in your service code here:

    ServiceSecurityContext.Current.WindowsIdentity

This WindowsIdentity contains things like the ".Name" property, the ".Groups" property of all groups the user belongs to, and more.

If the WindowsIdentity should be NULL, then you don't really have Windows authentication happening.

Are you hosting your WCF service in IIS? Which version - IIS7 is the first one to support net.tcp binding.

What if you self-host your service in a console app - does Windows authentication work then? In that case, it would most likely be an IIS7 config issue of sorts.

Marc

marc_s
The error happens when I try to call the service, so I can't print out any information inside my service. Also you can see above that I am hosting in a console app already.
By default, a WCF service won't have anything (like a demo or start page) that you could view in your browser. Can you connect to your service using the WcfTestClient? It's in your Visual Studio "Common7\IDE" directory.
marc_s
Yes, they are in the same domain. It works fine with WcfTestClient and also, as I explained above, it works fine when I run the website locally through VS. It's getting my Windows credentials to IIS on ServerA and then on to the WCF service that's the problem.
I don't quite understand what you're saying about "give my windows credentials to IIS" - I thought you said you were self-hosting in a console app...
marc_s
Yes, I'm self hosting the WCF service. Have a read of the question again. I'm trying to achieve something similar to this: http://geekswithblogs.net/manesh/archive/2009/04/23/setting-up-wcf-to-impersonate-client-credentials.aspx
But if you're self-hosting - what are you tweaking IIS and its settings for?? If you self-host, there's no IIS in play...
marc_s
A: 

I suspect this is because your service account is not trusted for delegation. It can therefore impersonate the caller for access to local resources, but not for calling out over TCP. Google "Trusted for delegation" for more info.

Joe
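An added example, not code from the question or either answer, of a service operation that reads the caller's token as Marc's answer suggests and reports the impersonation level that Joe's answer says decides whether a second hop can work. It assumes PrintMessage returns a string so the diagnostic can be observed from the caller (the question does not show its return type).

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IService1
{
    [OperationContract]
    string PrintMessage(string message);
}

public class Service1 : IService1
{
    // Allowed runs the operation under the caller's token when the client
    // permits impersonation, without rejecting callers that do not.
    [OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
    public string PrintMessage(string message)
    {
        // Current is null when the channel carries no security context at all.
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        WindowsIdentity caller = ctx == null ? null : ctx.WindowsIdentity;
        return DescribeCaller(caller, message);
    }

    // Separated from the operation so it can be exercised without a live channel.
    public static string DescribeCaller(WindowsIdentity caller, string message)
    {
        if (caller == null || caller.IsAnonymous)
        {
            // No Windows identity arrived: message security did not use Windows credentials.
            return "No Windows identity reached the service for: " + message;
        }

        // The token's impersonation level is what a further network hop depends on:
        // Delegation can be forwarded to another server, Impersonation is local only.
        string hop = caller.ImpersonationLevel == TokenImpersonationLevel.Delegation
            ? "delegation (identity can be forwarded to another server)"
            : caller.ImpersonationLevel + " (usable for local resources only)";

        return caller.Name + " called PrintMessage(\"" + message + "\") with " + hop;
    }
}
```

Hosted in the question's console-app ServiceHost, the returned string shows whether the web site's impersonated token arrived at all and, if it did, whether the service account was granted delegation rights for it.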