none
WCF Service over Https RRS feed

  • General discussion

  • Hi,

    I have a wcf service hosted on the IIS 8.5. The service is currently implemented with the Windows authentication with AD group and uses https protocol with domain name(lets say ABC). This service is running under a service user svcAppA. Now I want this service to be available for kerberos authentication from the client end.

    So I have done the following stuffs based on the various microsoft links.

    1. Created a SPN name SetSPN -i HTTPS/ABC domain\svcAppA on the domain level in AD.

    2. Added <identity> tag

    <identity>
                <servicePrincipalName value="HTTPS/ABC" />
              </identity>

    3. Under IIS, Sites->AppA->Authentication-->Advanced Settings--> Unchecked 'Enable kernel-mode Authentication'

    4. Under IIS, Sites->AppA->Authentication-->Providers--> Added 'Negotiate' and moved at level2. level1 I have 'NTLM'.

    5. Under IIS, Sites->AppA->Configuration Editor. I have the following setting under 'system.webServer/security/authentication/windowsAuthentication'

    useKernalMode=false

    useAppPoolidentity=true.

    6. Added a DisableLoopbackCheck =1 under the regedit. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

    I have tried these steps but still when the client calls the web service through kerberos token getting an 401 error.

    ERROR: HTTP Error 401. The requested resource requires user authentication

    Help me if I'm missing something or doing some wrong setting is IIS. I'm a newbie to kerberos.

    Friday, September 2, 2016 10:37 AM