I have a self-hosted WCF service that is accessible using WebHttpBinding. This service should get a kerberos token from the internet explorer on the client and then he should impersonate with this token to access an file server via a network share on an other server.
Like this chain:
IE (Client) -> WCF-Service (BI-Server) -> impersonate -> access network share on file server
But IE presents a login dialog if I change the ClientCredentialType or add an ServiceAuthenticationBehavior with Kerberos settings (401 Unauthorized).
With NTLM I can access the WCF service and impersonate but the access to the file server leads to an UnauthorizedAccessException.
The same server has also a NetTcpBinding with Kerberos which works fine.
What am I doing wrong?
Delegation for Kerberos (all services) is activated on the BI server.
Now the code for the channel:
var listenUrl = "http://0.0.0.0:8735";
var bind = new WebHttpBinding(WebHttpSecurityMode.TransportCredentialOnly)
{
Security = {Transport = {ClientCredentialType = HttpClientCredentialType.InheritedFromHost}},
TransferMode = TransferMode.StreamedResponse
};
var host = new WebServiceHost(typeof(C_SIS), new Uri(listenUrl));
host.AddServiceEndpoint(typeof(IW_SIS), bind, "").Behaviors.Add(new WebHttpBehavior());
ServiceAuthenticationBehavior sab = null;
sab = host.Description.Behaviors.Find<ServiceAuthenticationBehavior>();
if (sab == null)
{
sab = new ServiceAuthenticationBehavior();
sab.AuthenticationSchemes = AuthenticationSchemes.Negotiate | AuthenticationSchemes.Ntlm;
host.Description.Behaviors.Add(sab);
}
else
{
sab.AuthenticationSchemes = AuthenticationSchemes.Negotiate | AuthenticationSchemes.Ntlm;
}
host.UnknownMessageReceived += new EventHandler<UnknownMessageReceivedEventArgs>(UnbekannterRecv);
host.Open();
At first, check that your service run with a Domain-User. Then you must set an SPN (Service Principal Name) for this User.
setspn -s http\wcfHostMachineName:PORT DOAMIN\User
setspn -s http\wcfHostMachineName.FULLDomain.Quantifier:PORT DOAMIN\User
Clear all Kerberos-Tokens on your client with
klist -purge
Try it. If it works -> fine. But if not open your ADS-User-Configuration and delete all http-SPN's without port form the wcfHost, not the User! The wcfHost dosent need seperate SPN's.
この記事はインターネットから収集されたものであり、転載の際にはソースを示してください。
侵害の場合は、連絡してください[email protected]
コメントを追加