WCF RESTful delegation to multiple services

  • Question

  • Hello everyone,

    I am in the following situation. I have an IIS-hosted WCF RESTful service (webHttpBinding) on one server (IIS 8.5) with Windows authentication. This service calls two other services that are self-hosted on another server (wsHttpBinding). These two services are part of one console application that runs under a domain account.

    I want to be able to delegate my Windows credentials from a custom console application through my IIS-hosted web service to the other two services. The problem is that only the first service gets my credentials, while the second one gets the machine name. Here is an example:

    // IIS-hosted service
    public object Test()
    {
        // First downstream call: receives the caller's Windows credentials
        var client1 = new SelfHostedService1();
        string status1 = client1.Ping();

        // Second downstream call: arrives as the machine account
        var client2 = new SelfHostedService2();
        string status2 = client2.Ping();

        return new { status1, status2 };
    }

    status1 is OK, while status2 is "MACHINENAME$" does not have permissions to access the service. If I change the order of client1 and client2, the first request is successful and the second one - permission error. If I call client1.Ping() twice, it works perfectly. The server that the IIS-hosted service lives on has delegation enabled. I have configured SPNs, and debugging with Network Monitor does not reveal any Kerberos errors. What could be the reasons for this behavior?


    Freedom Has Its Own Style


    • Edited by Boyan Mihaylov Monday, November 9, 2015 3:08 PM Added some details
    Monday, November 9, 2015 2:55 PM

Answers

  • I found the solution very luckily. I lied a bit in my example above. What I was doing was actually the following:

    client1.PingAsync();
    ...
    client2.PingAsync();

    When calling the services asynchronously, apparently the Windows context was not preserved the second time. There are two solutions: either call the services synchronously or set alwaysFlowImpersonationPolicy to true in the configuration.


    Freedom Has Its Own Style

    Monday, November 9, 2015 3:26 PM
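
Added example, not part of the original answer: the second fix from the answer written out as configuration. The post names only alwaysFlowImpersonationPolicy; the `<runtime>` parent element, the companion `legacyImpersonationPolicy` setting and the aspnet.config location are taken from the .NET Framework configuration documentation and are assumptions about this poster's setup.

```xml
<!-- aspnet.config in the .NET Framework version directory used by the
     application pool (for ASP.NET-hosted code this is where impersonation
     flow is configured, not the application's web.config). -->
<configuration>
  <runtime>
    <!-- ASP.NET default: the impersonated Windows identity does NOT flow
         across asynchronous points, so work that continues after an async
         call runs as the worker process identity. When that process runs
         under a built-in machine account, the downstream service sees
         MACHINENAME$ instead of the caller:
           <legacyImpersonationPolicy enabled="true"/>
           <alwaysFlowImpersonationPolicy enabled="false"/>
    -->

    <!-- Changed: always flow the impersonated Windows identity across
         asynchronous points, however the impersonation was established. -->
    <legacyImpersonationPolicy enabled="false"/>
    <alwaysFlowImpersonationPolicy enabled="true"/>
  </runtime>
</configuration>
```

The framework-directory aspnet.config is shared by every ASP.NET application using that runtime, so this change makes the caller's identity flow across asynchronous points in all of them, not only in this service.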

All replies

  • Hi Boyan Mihaylov,

    Thanks for sharing your solution.

    Best Regards,

    Grady

    Tuesday, November 10, 2015 3:13 AM
    Moderator