Search code examples
c#wcfkerberoswebhttpbinding

Connect a self-hosted WCF-Service via WebHttpBinding fails in Kerberos-Mode

I have a self-hosted WCF service that is accessible using WebHttpBinding. This service should get a kerberos token from the internet explorer on the client and then he should impersonate with this token to access an file server via a network share on an other server.

Like this chain: 

IE (Client) -> WCF-Service (BI-Server) -> impersonate -> access network share on file server

But IE presents a login dialog if I change the ClientCredentialType or add an ServiceAuthenticationBehavior with Kerberos settings (401 Unauthorized).

With NTLM I can access the WCF service and impersonate but the access to the file server leads to an UnauthorizedAccessException.

The same server has also a NetTcpBinding with Kerberos which works fine.

What am I doing wrong?

Delegation for Kerberos (all services) is activated on the BI server.

  • ADS-Functional Level is 2012
  • File server is a Windows Server 2003
  • WCF/IIS-Host is a Windows Server 2012 R2
  • Client is a Windows 8, IE 10

Now the code for the channel:

var listenUrl =  "http://0.0.0.0:8735";

var bind = new WebHttpBinding(WebHttpSecurityMode.TransportCredentialOnly)
{
         Security = {Transport = {ClientCredentialType = HttpClientCredentialType.InheritedFromHost}},
         TransferMode = TransferMode.StreamedResponse
};

var host = new WebServiceHost(typeof(C_SIS), new Uri(listenUrl));
host.AddServiceEndpoint(typeof(IW_SIS), bind, "").Behaviors.Add(new WebHttpBehavior());

ServiceAuthenticationBehavior sab = null;
sab = host.Description.Behaviors.Find<ServiceAuthenticationBehavior>();
if (sab == null)
{
         sab = new ServiceAuthenticationBehavior();
         sab.AuthenticationSchemes = AuthenticationSchemes.Negotiate | AuthenticationSchemes.Ntlm;
         host.Description.Behaviors.Add(sab);
}
else
{
         sab.AuthenticationSchemes = AuthenticationSchemes.Negotiate | AuthenticationSchemes.Ntlm;
}

host.UnknownMessageReceived += new EventHandler<UnknownMessageReceivedEventArgs>(UnbekannterRecv);
host.Open();
Solution

  • At first, check that your service run with a Domain-User. Then you must set an SPN (Service Principal Name) for this User.

    setspn -s http\wcfHostMachineName:PORT DOAMIN\User
setspn -s http\wcfHostMachineName.FULLDomain.Quantifier:PORT DOAMIN\User

    Clear all Kerberos-Tokens on your client with

    klist -purge

    Try it. If it works -> fine. But if not open your ADS-User-Configuration and delete all http-SPN's without port form the wcfHost, not the User! The wcfHost dosent need seperate SPN's.