WCF with integrated Windows Authentication does not connect to the DB with Client Credentials

  • Question

  • Hi,

    We've deployed a WCF DataService to our IIS6/Win2003 box. When the service tries to connect to the SqlServer backend (using Integrated Security=True) it seems to lose the Windows Credentials of the calling user and throws the exception "Login failed for user 'NT AUTHORITY\\ANONYMOUS LOGON'".

    This has been infuriating the team for days now. We've tried every conceivable variation on configuration and we have tried all suggestions from other forums. All to no avail.

    If anyone can advise further, much appreciated.

    In more detail:

    Client = IE6 and IE8

    WebServer = IIS6/Win2003. Wcf service running under domain service account in the app pool with SPNs set up (Anonymous Authentication checked)

    Database = Win 2003/SqlServer 2005 with SPNs set up and tested

    When we attach to our code we can confirm that the Client WindowsIdentity is correctly passed/set before the database call.

    SqlConnection conn = new SqlConnection(connectionString);
    conn.Open(); // Exception here

    The full exception stack is:

    System.Data.SqlClient.SqlException was caught
      Message="Login failed for user 'NT AUTHORITY\\ANONYMOUS LOGON'."
      Source=".Net SqlClient Data Provider"
      ErrorCode=-2146232060
      Class=14
      LineNumber=65536
      Number=18456
      Procedure=""
      Server="AMS1-S-06692.europe.shell.com\\DEV01"
      State=1
      StackTrace:
           at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection)
           at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
           at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
           at System.Data.SqlClient.SqlInternalConnectionTds.CompleteLogin(Boolean enlistOK)
           at System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, Boolean ignoreSniOpenTimeout, Int64 timerExpire, SqlConnection owningObject)
           at System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(String host, String newPassword, Boolean redirectedUserInstance, SqlConnection owningObject, SqlConnectionString connectionOptions, Int64 timerStart)
           at System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(SqlConnection owningObject, SqlConnectionString connectionOptions, String newPassword, Boolean redirectedUserInstance)
           at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, Object providerInfo, String newPassword, SqlConnection owningObject, Boolean redirectedUserInstance)
           at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection)
           at System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnection owningConnection, DbConnectionPool pool, DbConnectionOptions options)
           at System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject)
           at System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject)
           at System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject)
           at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
           at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory)
           at System.Data.SqlClient.SqlConnection.Open()
           at WcfKerberosTest.Service1.InitDatabase(String ServerName, String DataBaseName) in E:\GMc_LocalSourceCode\Tools\TestKerberos\WcfKerberosTest\Service1.svc.cs:line 59
           at WcfKerberosTest.Service1.GetData(Int32 value) in E:\GMc_LocalSourceCode\Tools\TestKerberos\WcfKerberosTest\Service1.svc.cs:line 24
      InnerException:

    The web.config is:

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <configSections/>
      <appSettings>
        <add key="LimitStoreServer" value="AMS1-S-06692.europe.shell.com\DEV01"/>
        <add key="LimitStoreDatabase" value="LimitStoreV6_2"/>
      </appSettings>
      <system.diagnostics>
        <trace autoflush="true" />
        <sources>
          <source name="System.ServiceModel"
                  switchValue="Information, ActivityTracing"
                  propagateActivity="true">
            <listeners>
              <add name="sdt"
                   type="System.Diagnostics.XmlWriterTraceListener"
                   initializeData="SdrConfigExample.e2e" />
            </listeners>
          </source>
        </sources>
      </system.diagnostics>
      <system.net>
        <defaultProxy>
          <proxy autoDetect="false" />
        </defaultProxy>
      </system.net>
      <system.serviceModel>
        <diagnostics wmiProviderEnabled="false" performanceCounters="Off">
          <messageLogging logEntireMessage="true" logMalformedMessages="false"
                          logMessagesAtServiceLevel="false" logMessagesAtTransportLevel="false" />
        </diagnostics>
        <bindings>
          <basicHttpBinding>
            <binding name="BasicEndpoint" closeTimeout="00:03:00" openTimeout="00:03:00"
                     receiveTimeout="00:10:00" sendTimeout="00:03:00" allowCookies="false"
                     bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                     maxBufferSize="1000000" maxBufferPoolSize="524288" maxReceivedMessageSize="1000000"
                     messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
                     useDefaultWebProxy="true">
              <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
              <security mode="TransportCredentialOnly">
                <transport clientCredentialType="Windows" proxyCredentialType="Windows"
                           realm="" />
              </security>
            </binding>
          </basicHttpBinding>
        </bindings>
        <services>
          <service name="WcfKerberosTest.Service1" behaviorConfiguration="DefaultBehavior">
            <endpoint address=""
                      binding="basicHttpBinding" bindingConfiguration="BasicEndpoint" name="BasicEndpoint"
                      contract="WcfKerberosTest.IService1">
            </endpoint>
            <endpoint address="mex" binding="basicHttpBinding" name="MexEndpoint"
                      contract="IMetadataExchange" />
          </service>
        </services>
        <behaviors>
          <serviceBehaviors>
            <behavior name="DefaultBehavior">
              <serviceDebug includeExceptionDetailInFaults="true"/>
              <serviceMetadata httpGetEnabled="true"/>
              <serviceCredentials>
                <windowsAuthentication includeWindowsGroups="true" allowAnonymousLogons="true" />
                <issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
              </serviceCredentials>
              <serviceAuthorization principalPermissionMode="UseWindowsGroups"
                                    impersonateCallerForAllOperations="true" />
              <serviceSecurityAudit auditLogLocation="Default" serviceAuthorizationAuditLevel="SuccessOrFailure"
                                    messageAuthenticationAuditLevel="SuccessOrFailure" />
            </behavior>
          </serviceBehaviors>
        </behaviors>
      </system.serviceModel>
    </configuration>

    Help much appreciated!

    Regards

    Wednesday, April 4, 2012 10:02 AM
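Added diagnostic example, not the poster's code and not part of the original thread. The symptom described in the post, a correct WindowsIdentity on the web server followed by "NT AUTHORITY\ANONYMOUS LOGON" at SQL Server, is what a second network hop looks like when the impersonated token is only at Impersonation level. Such a token (NTLM, or Kerberos without delegation) is enough for resources on the web server itself, but it cannot be presented to a SQL Server on another machine, which then sees a null session. Forwarding the caller's identity needs a Kerberos token at Delegation level, which the web server only receives if the account running the app pool is trusted for delegation and the SPNs the post mentions resolve to that account. The code below inspects the token before calling SqlConnection.Open() so that a non-forwardable token is reported as such rather than as a SQL login failure. The namespace, service contract, connection string and server names are hypothetical placeholders.

```csharp
// Added diagnostic example; not the original poster's code. Namespace, contract
// and connection string are hypothetical placeholders.
using System;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Security.Principal;
using System.ServiceModel;

namespace DoubleHopDiagnostics
{
    public static class TokenCheck
    {
        // Classifies a Windows token by whether SqlClient could present it to a
        // SQL Server on another machine:
        //   None        = primary token (no impersonation): the process account's
        //                 own credentials are used, which works if that account
        //                 has a SQL login.
        //   Delegation  = Kerberos token with forwardable credentials: the
        //                 caller's identity survives the hop.
        //   Impersonation / Identification / Anonymous = usable only locally;
        //                 the network hop is made as a null session, which SQL
        //                 Server reports as NT AUTHORITY\ANONYMOUS LOGON.
        public static bool UsableForRemoteHop(WindowsIdentity id)
        {
            if (id == null || id.IsAnonymous) return false;
            return id.ImpersonationLevel == TokenImpersonationLevel.None
                || id.ImpersonationLevel == TokenImpersonationLevel.Delegation;
        }

        public static string Describe(WindowsIdentity id)
        {
            if (id == null) return "no WindowsIdentity";
            return string.Format("name={0}; auth={1}; level={2}; anonymous={3}",
                id.Name, id.AuthenticationType, id.ImpersonationLevel, id.IsAnonymous);
        }
    }

    [ServiceContract]
    public interface IDiagService
    {
        [OperationContract]
        string GetData(int value);
    }

    public class DiagService : IDiagService
    {
        // Hypothetical. Integrated Security=SSPI makes SqlClient use the token
        // the calling thread holds at Open() time, i.e. the impersonated caller
        // when impersonateCallerForAllOperations="true" is in effect.
        private const string ConnectionString =
            "Data Source=SQLHOST\\INSTANCE;Initial Catalog=AppDb;Integrated Security=SSPI";

        public string GetData(int value)
        {
            // Token WCF authenticated the caller with (transport security).
            WindowsIdentity caller = ServiceSecurityContext.Current == null
                ? null : ServiceSecurityContext.Current.WindowsIdentity;
            // Token the thread actually runs under right now, which is what
            // SqlClient will use. With impersonation on, the two should match.
            WindowsIdentity thread = WindowsIdentity.GetCurrent();

            Trace.TraceInformation("caller token: " + TokenCheck.Describe(caller));
            Trace.TraceInformation("thread token: " + TokenCheck.Describe(thread));

            if (!TokenCheck.UsableForRemoteHop(thread))
            {
                // Fail before SqlClient does, with a message that names the real
                // problem instead of a generic login failure.
                throw new FaultException(
                    "Thread token cannot be forwarded to a remote SQL Server ("
                    + TokenCheck.Describe(thread) + "). Expected auth=Kerberos with "
                    + "level=Delegation; check the SPNs and the delegation setting "
                    + "of the app pool account.");
            }

            using (SqlConnection conn = new SqlConnection(ConnectionString))
            {
                conn.Open();
                // Ask SQL Server which principal it sees; with working Kerberos
                // delegation this equals caller.Name rather than the pool account.
                using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
                {
                    return string.Format("value={0}; sql sees={1}", value, cmd.ExecuteScalar());
                }
            }
        }
    }
}
```

Reading the two trace lines tells you which of the usual causes applies: `auth=NTLM; level=Impersonation` means Kerberos was never negotiated (typically an SPN that does not resolve to the app pool account, so the client falls back to NTLM, which cannot be delegated), while `auth=Kerberos; level=Impersonation` means Kerberos worked for the first hop but the app pool account is not trusted for delegation to the SQL Server service. Only `level=Delegation` (or a primary token, `level=None`, when the service is not impersonating) will get past `conn.Open()` on a remote SQL Server.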
