views:

230

answers:

1

These scenarios work in their pieces. Its when i put it all together that it breaks.

I have a WCF service using netTCP that uses impersonation to get the callers ID (role based security will be used at this level)

on top of this is a WCF service using basicHTTP with TransportCredientialOnly which also uses impersonation

I then have a client front end that connects to the basicHttp.

the aim of the game is to return the clients username from the netTCP service at the bottom - so ultimatley i can use role based security here.

each service is on a different machine - and each service works when you remove any calls they make to other services when you run a client for them both locally and remotley. IE the problem only manifests when you jump accross more than one machine boundary.

IE the setup breaks when i connect each part together - but they work fine on their own.

I also specify

[OperationBehavior(Impersonation = ImpersonationOption.Required)] in the method and

have IIS setup to only allow windows authentication (actually i have ananymous enabled still, but disabling makes no difference)

This impersonation works fine in the scenario where i have a netTCP Service on Machine A with a client with a basicHttp service on machine B with a clinet for the basicHttp service also on machine B ... however if i move that client to any machine C i get the following error:

The exception is 'The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:10:00'' the inner message is 'An existing connection was forcibly closed by the remote host'

Am beginning to think this is more a network issue than config ... but then im grasping at straws ...

the config files are as follows (heading from the client down to the netTCP layer)

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <system.serviceModel>
        <bindings>
            <basicHttpBinding>
                <binding name="basicHttpBindingEndpoint" closeTimeout="00:02:00"
                    openTimeout="00:02:00" receiveTimeout="00:10:00" sendTimeout="00:02:00"
                    allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                    maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                    messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
                    useDefaultWebProxy="true">
                    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                    <security mode="TransportCredentialOnly">
                        <transport clientCredentialType="Windows" proxyCredentialType="None"
                            realm="" />
                        <message clientCredentialType="UserName" algorithmSuite="Default" />
                    </security>
                </binding>
            </basicHttpBinding>
        </bindings>
        <client>
            <endpoint address="http://panrelease01/WCFTopWindowsTest/Service1.svc"
                binding="basicHttpBinding" bindingConfiguration="basicHttpBindingEndpoint"
                contract="ServiceReference1.IService1" name="basicHttpBindingEndpoint" 
 behaviorConfiguration="ImpersonationBehaviour" />
        </client>
  <behaviors>
   <endpointBehaviors>
    <behavior name="ImpersonationBehaviour">
     <clientCredentials>
      <windows allowedImpersonationLevel="Impersonation"/>
     </clientCredentials>
    </behavior>
   </endpointBehaviors>
  </behaviors>
    </system.serviceModel>
</configuration>

the service for the client (basicHttp service and the client for the netTCP service)

<?xml version="1.0" encoding="UTF-8"?>
<configuration>

  <system.web>
    <compilation debug="true" targetFramework="4.0" />
  </system.web>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <binding name="netTcpBindingEndpoint" closeTimeout="00:01:00"
          openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
          transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions"
          hostNameComparisonMode="StrongWildcard" listenBacklog="10" maxBufferPoolSize="524288"
          maxBufferSize="65536" maxConnections="10" maxReceivedMessageSize="65536">
          <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          <reliableSession ordered="true" inactivityTimeout="00:10:00"
            enabled="false" />
          <security mode="Transport">
            <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
            <message clientCredentialType="Windows" />
          </security>
        </binding>
      </netTcpBinding>
  <basicHttpBinding>
   <binding name="basicHttpWindows">
    <security mode="TransportCredentialOnly">
     <transport clientCredentialType="Windows"></transport>
    </security>
   </binding>
  </basicHttpBinding>
    </bindings>
    <client>
      <endpoint address="net.tcp://5d2x23j.panint.com/netTCPwindows/Service1.svc"
    binding="netTcpBinding" 
    bindingConfiguration="netTcpBindingEndpoint"
    contract="ServiceReference1.IService1" 
    name="netTcpBindingEndpoint"
    behaviorConfiguration="ImpersonationBehaviour">
        <identity>
          <dns value="localhost" />
        </identity>
      </endpoint>
    </client>
    <behaviors>
  <endpointBehaviors>
   <behavior name="ImpersonationBehaviour">
    <clientCredentials>
     <windows allowedImpersonationLevel="Impersonation" allowNtlm="true"/>
    </clientCredentials>
   </behavior>
  </endpointBehaviors>
      <serviceBehaviors>
        <behavior name="WCFTopWindowsTest.basicHttpWindowsBehaviour">
          <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
          <serviceMetadata httpGetEnabled="true" />
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
   <services>
    <service name="WCFTopWindowsTest.Service1"
       behaviorConfiguration="WCFTopWindowsTest.basicHttpWindowsBehaviour">
     <endpoint address=""
      binding="basicHttpBinding"
      bindingConfiguration="basicHttpWindows"
      name ="basicHttpBindingEndpoint"
      contract ="WCFTopWindowsTest.IService1">

     </endpoint>      
   </service>       
   </services>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
  </system.serviceModel>
 <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
        <directoryBrowse enabled="true" />
  </system.webServer>

</configuration>

then finally the service for the netTCP layer

<?xml version="1.0" encoding="UTF-8"?>
<configuration>

  <system.web>
   <authentication mode="Windows"></authentication>
   <authorization>
    <allow roles="*"/>
   </authorization>
    <compilation debug="true" targetFramework="4.0" />
        <identity impersonate="true" />
  </system.web>
  <system.serviceModel>
   <bindings>
    <netTcpBinding>
     <binding name="netTCPwindows">
      <security mode="Transport">
       <transport clientCredentialType="Windows"></transport>
      </security>
     </binding>
    </netTcpBinding>
   </bindings>
   <services>
    <service behaviorConfiguration="netTCPwindows.netTCPwindowsBehaviour" name="netTCPwindows.Service1">
     <endpoint address="" bindingConfiguration="netTCPwindows" binding="netTcpBinding" name="netTcpBindingEndpoint" contract="netTCPwindows.IService1">
      <identity>
       <dns value="localhost" />
      </identity>
     </endpoint>  
     <endpoint address="mextcp" binding="mexTcpBinding" contract="IMetadataExchange"/>
     <host>
      <baseAddresses>     
       <add baseAddress="net.tcp://localhost:8721/test2" />
      </baseAddresses>
     </host>
    </service>       
   </services>   
    <behaviors>  
      <serviceBehaviors>
        <behavior name="netTCPwindows.netTCPwindowsBehaviour">  

          <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
          <serviceMetadata httpGetEnabled="false" />
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
  </system.serviceModel>
 <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
        <directoryBrowse enabled="true" />
  </system.webServer>

</configuration>
+1  A: 

If you need to make a more than one hop, you're going to need to enable delegation for that occur. You can get more information on that here.

That being said, if all you need to do is determine the role of a user that calls the backend service (netTcp), you don't necessarily need impersonation as the TokenImpersonationLevel of the WindowsIdentity should only need to be Information in order to determine role membership. In this case, you would only need to ensure impersonation was taking place in the middle-tier (basicHttp).

MattK
Thankyou for the info. I do need more than just their authorization info as the data can come from multiple sources - some of which are out of my control. the point of having access to the role info is so that I can implement declarative role based security. Ie I am trying to make my backed and independant of the security implementatino as i can. Given a +1 as the info was insightful :D
John Nicholas