WCF with integrated Windows Authentication does not connect to the DB with Client Credentials
Wednesday, April 04, 2012 10:02 AM
Hi,
We've deployed a WCF DataService to our IIS6/Win2003 box. When the service tries to connect to the SQL Server backend (using Integrated Security=True) it seems to lose the Windows credentials of the calling user and throws the exception "Login failed for user 'NT AUTHORITY\\ANONYMOUS LOGON'".
This has been infuriating the team for days now. We've tried every conceivable variation on configuration and we have tried all suggestions from other forums. All to no avail.
If anyone can advise further, much appreciated.
In more detail:
Client = IE6 and IE8
Web server = IIS6/Win2003. WCF service running under a domain service account in the app pool with SPNs set up (Anonymous Authentication checked)
Database = Win2003/SQL Server 2005 with SPNs set up and tested
When we attach to our code we can confirm that the Client WindowsIdentity is correctly passed/set before the database call.
SqlConnection conn = new SqlConnection(connectionString);
conn.Open(); // Exception here
The full exception stack is:
System.Data.SqlClient.SqlException was caught
Message="Login failed for user 'NT AUTHORITY\\ANONYMOUS LOGON'."
Source=".Net SqlClient Data Provider"
ErrorCode=-2146232060
Class=14
LineNumber=65536
Number=18456
Procedure=""
Server="AMS1-S-06692.europe.shell.com\\DEV01"
State=1
StackTrace:
at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
at System.Data.SqlClient.SqlInternalConnectionTds.CompleteLogin(Boolean enlistOK)
at System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, Boolean ignoreSniOpenTimeout, Int64 timerExpire, SqlConnection owningObject)
at System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(String host, String newPassword, Boolean redirectedUserInstance, SqlConnection owningObject, SqlConnectionString connectionOptions, Int64 timerStart)
at System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(SqlConnection owningObject, SqlConnectionString connectionOptions, String newPassword, Boolean redirectedUserInstance)
at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, Object providerInfo, String newPassword, SqlConnection owningObject, Boolean redirectedUserInstance)
at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection)
at System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnection owningConnection, DbConnectionPool pool, DbConnectionOptions options)
at System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject)
at System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject)
at System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject)
at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory)
at System.Data.SqlClient.SqlConnection.Open()
at WcfKerberosTest.Service1.InitDatabase(String ServerName, String DataBaseName) in E:\GMc_LocalSourceCode\Tools\TestKerberos\WcfKerberosTest\Service1.svc.cs:line 59
at WcfKerberosTest.Service1.GetData(Int32 value) in E:\GMc_LocalSourceCode\Tools\TestKerberos\WcfKerberosTest\Service1.svc.cs:line 24
InnerException:
The web.config is:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <configSections/>
  <appSettings>
    <add key="LimitStoreServer" value="AMS1-S-06692.europe.shell.com\DEV01"/>
    <add key="LimitStoreDatabase" value="LimitStoreV6_2"/>
  </appSettings>
  <system.diagnostics>
    <trace autoflush="true" />
    <sources>
      <source name="System.ServiceModel"
              switchValue="Information, ActivityTracing"
              propagateActivity="true">
        <listeners>
          <add name="sdt"
               type="System.Diagnostics.XmlWriterTraceListener"
               initializeData="SdrConfigExample.e2e" />
        </listeners>
      </source>
    </sources>
  </system.diagnostics>
  <system.net>
    <defaultProxy>
      <proxy autoDetect="false" />
    </defaultProxy>
  </system.net>
  <system.serviceModel>
    <diagnostics wmiProviderEnabled="false" performanceCounters="Off">
      <messageLogging logEntireMessage="true" logMalformedMessages="false"
                      logMessagesAtServiceLevel="false" logMessagesAtTransportLevel="false" />
    </diagnostics>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicEndpoint" closeTimeout="00:03:00" openTimeout="00:03:00"
                 receiveTimeout="00:10:00" sendTimeout="00:03:00" allowCookies="false"
                 bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                 maxBufferSize="1000000" maxBufferPoolSize="524288" maxReceivedMessageSize="1000000"
                 messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
                 useDefaultWebProxy="true">
          <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" proxyCredentialType="Windows"
                       realm="" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="WcfKerberosTest.Service1" behaviorConfiguration="DefaultBehavior">
        <endpoint address=""
                  binding="basicHttpBinding" bindingConfiguration="BasicEndpoint" name="BasicEndpoint"
                  contract="WcfKerberosTest.IService1" >
        </endpoint>
        <endpoint address="mex" binding="basicHttpBinding" name="MexEndpoint"
                  contract="IMetadataExchange" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="DefaultBehavior">
          <serviceDebug includeExceptionDetailInFaults="true"/>
          <serviceMetadata httpGetEnabled="true"/>
          <serviceCredentials>
            <windowsAuthentication includeWindowsGroups="true" allowAnonymousLogons="true" />
            <issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
          </serviceCredentials>
          <serviceAuthorization principalPermissionMode="UseWindowsGroups"
                                impersonateCallerForAllOperations="true" />
          <serviceSecurityAudit auditLogLocation="Default" serviceAuthorizationAuditLevel="SuccessOrFailure"
                                messageAuthenticationAuditLevel="SuccessOrFailure" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
Help much appreciated !
Regards
All Replies
Thursday, April 05, 2012 8:37 AM - Moderator
Hi Gordon,
Welcome!
Would you please share your connection string with us? Here is a blog about securing OData services using Basic Authentication; hope it can help you.
Have a nice day.
Alan Chen[MSFT]
MSDN Community Support | Feedback to us
Get or Request Code Sample from Microsoft
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
Thursday, April 05, 2012 11:22 AM
Alan
Here is the connection string:
Data Source=AMS1-S-06692.europe.shell.com\DEV01; Initial Catalog=LimitStoreV6_2; Integrated Security=True; MultipleActiveResultSets=True;Application Name=LimitStoreV2
Also, some extra information: we have set up an equivalent aspx page on the same machine/host header. It does successfully authenticate / delegate and connect to the DB. So the question is, why not the WCF service? Regarding Basic Authentication, yes, I have dumped that configuration in the original post; however, we have tried every single variation too, using wsHttpBinding too. Still the same, it just does not want to use Kerberos for delegation.
So why is the wcf service refusing to use Kerberos ?
1. Image 1 event log from using http://websvc1-int-wrm32-01.sharing.shell.com/TestKerberos/Default.aspx
2. Image 2 Event log from using http://websvc1-int-wrm32-01.sharing.shell.com/WcfTestKerberos/Service1.svc
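An added diagnostic helper, not code from the original poster or from the replies: called inside a WCF operation just before the SqlConnection.Open() shown in the first post, it reports whether the authenticated caller's token is Kerberos, whether it is delegable, and whether the operation thread is actually impersonating, which together decide whether SQL Server sees the user or NT AUTHORITY\ANONYMOUS LOGON. The class name and message strings are assumptions of this example.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical helper (not part of the thread). Call DelegationCheck.Describe()
// from inside the WCF operation, before opening the SqlConnection, and log the result.
public static class DelegationCheck
{
    public static string Describe()
    {
        // Identity WCF authenticated on the HTTP transport (the browser user).
        WindowsIdentity caller = ServiceSecurityContext.Current != null
            ? ServiceSecurityContext.Current.WindowsIdentity
            : null;
        // Identity the current thread runs as: the app-pool service account
        // unless impersonation is actually in effect for this operation.
        WindowsIdentity thread = WindowsIdentity.GetCurrent();

        if (caller == null || caller.IsAnonymous)
            return "No Windows caller identity: transport security did not authenticate the client.";

        // Only a Kerberos token at Delegation level can be forwarded to SQL Server.
        // NTLM, or a Kerberos token at Identification/Impersonation level, makes the
        // second hop arrive as NT AUTHORITY\ANONYMOUS LOGON.
        string verdict;
        if (!string.Equals(caller.AuthenticationType, "Kerberos", StringComparison.OrdinalIgnoreCase))
            verdict = "client authenticated with " + caller.AuthenticationType
                      + ", not Kerberos: check SPNs and the browser's Integrated Auth settings";
        else if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            verdict = "Kerberos token is not delegable: check that the app-pool account "
                      + "is trusted for delegation in Active Directory";
        else if (!string.Equals(thread.Name, caller.Name, StringComparison.OrdinalIgnoreCase))
            verdict = "token is delegable but the operation is not impersonating: "
                      + "check the operation's ImpersonationOption";
        else
            verdict = "OK: SQL Server should see " + caller.Name;

        return string.Format("caller={0} auth={1} level={2} thread={3} -> {4}",
            caller.Name, caller.AuthenticationType, caller.ImpersonationLevel,
            thread.Name, verdict);
    }
}
```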
Monday, April 09, 2012 9:26 AM - Moderator
Hi,
To tell you the truth, I'm not very familiar with IIS, but I found a blog here about how to let WCF transport by Kerberos:
http://blogs.msdn.com/b/wenlong/archive/2006/05/18/wcf-impersonation-for-hosted-services.aspx
Hope it can help you.
Have a nice day.
Alan Chen[MSFT]