Controlling Impersonation from a Linux Client

  • Question

  • Hello,

    I currently see the documentation for Delegation for WCF here: https://msdn.microsoft.com/en-us/library/ff649252.aspx

    and understand that I can control impersonation for a windows client by setting the following in the config:

    <behaviors>
        <endpointBehaviors>
            <behavior name="NewBehavior">
                <clientCredentials>
                    <windows allowedImpersonationLevel="Impersonation" />
                </clientCredentials>
            </behavior>
        </endpointBehaviors>
    </behaviors>

    How can a Unix client that uses Kerberos specify similar settings to delegate its credentials?

    Any help would be appreciated.

    Thanks!


    Thursday, October 20, 2016 9:09 PM

All replies

  • Hi CaptainComicus,

    With the above settings, did you get any error? Where did you host your service? Do you need to authenticate between a WCF service on Windows and a WCF client on Linux? If so, have you enabled Active Directory in Linux, and could your Linux user authenticate with Windows authentication? If not, I would suggest you look through the link below to check the authentication between Windows and Linux.

    #Authenticate Linux Clients with Active Directory

    https://technet.microsoft.com/en-us/library/2008.12.linux.aspx

    After that, if you meet an authentication error, I suggest you try the suggestion from the link below.

    #Support non Active Directory based foreign realm identities with Kerberos auth

    https://github.com/dotnet/wcf/issues/30

    Best Regards,

    Edward




    Friday, October 21, 2016 2:16 AM

  • Hi Edward,

    I'm trying to authenticate between a WCF service on Windows and a Linux client. I am currently using the third-party Quest software tool 'vastool' to generate Kerberos tickets for authentication. Then it was simply a matter of using curl to invoke the web service from Linux. This worked fine until delegation was enabled on the server. Is there any setting required on the Linux client to control delegation, similar to how the Windows client has the behavior explicitly specified in its config?

    The ticket generated (krbtgt) on kinit currently does not have the ok-as-delegate flag set. I do not know if this is the reason that delegation fails, but is there a similar setting available for a Linux client? My understanding is that the Linux client would need a mechanism similar to that of the Windows client to control impersonation and inform the server that its credentials can be delegated.

    Thank you for your help!



    Friday, October 21, 2016 5:45 AM
  • Hi CaptainComicus,

    Have you checked the second link in my above reply?

    I am not familiar with communication between Windows and Linux; I'm trying to involve some senior engineers in this issue and it will take some time. Your patience will be greatly appreciated.

    Sorry for any inconvenience and have a nice day!

    Best Regards,

    Edward


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Monday, October 24, 2016 1:40 AM
  • Hi Edward,

    I'm sorry for the delayed response. Yes, I have checked the second link, but I'm not entirely sure how relevant it is to my case, as I am still considerably new to this domain. I'm currently facing a scenario of unconditional delegation, with a Kerberos double hop in play.

    I'm currently trying to understand how it works for a Windows client, so that I can figure out an analogy for Linux. Does WCF use Kerberos as its authentication mechanism?

    Assuming that all settings are fine on the server side, if I were a Windows client, I would need to set the flag allowedImpersonationLevel="Delegation" in my config. I am assuming that when the client begins connecting to the server, this flag lets the KDC set the 'ok-as-delegate' flag on the TGT I receive, based upon the realm policy. This flag would then be forwarded to the WCF server, which now detects, based on the ticket that it receives, that the client has permitted its credentials to be delegated, and then delegates the credentials.

    Please let me know if my understanding is incorrect.

    Thanks!






    Thursday, October 27, 2016 9:36 PM
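The two posts above ask what, on the Linux side, plays the role of allowedImpersonationLevel. With MIT Kerberos and GSSAPI, which is what curl uses, two things decide whether the client's credentials are forwarded: the client's TGT must be forwardable (kinit -f, or forwardable = true under [libdefaults] in krb5.conf), and the client application must ask GSSAPI for delegation. curl exposes that request as --delegation: none never delegates, policy delegates only when the KDC has marked the service ticket OK-AS-DELEGATE (the O letter in klist -f output), and always forces delegation regardless. The OK-AS-DELEGATE flag is placed by the KDC on the service ticket for the target service, according to that service account's delegation configuration; it is not a property of the client's TGT. The script below is an added example and not code from this thread or from Quest; it assumes MIT Kerberos klist output, and the realm, principals, URL and klist text are constructed. It prints the curl command rather than running it, since there is no KDC to reach offline.

```shell
#!/bin/sh
# Added example (not from the thread): decide, from what `klist -f` reports,
# whether a Linux client can delegate to the WCF service and which curl
# --delegation mode is appropriate. Principal names and the klist text are
# constructed; in real use feed "$(klist -f)" instead of "$SAMPLE_KLIST".

# Constructed sample of MIT `klist -f` output. The TGT is forwardable (F) but
# the HTTP service ticket carries no OK-AS-DELEGATE (O) flag, which is what
# you see when the KDC has not marked the target service for delegation.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@CORP.EXAMPLE

Valid starting       Expires              Service principal
10/21/2016 09:00:00  10/21/2016 19:00:00  krbtgt/CORP.EXAMPLE@CORP.EXAMPLE
        Flags: FIA
10/21/2016 09:00:05  10/21/2016 19:00:00  HTTP/wcf.corp.example@CORP.EXAMPLE
        Flags: AT
'
TGT_PRINC='krbtgt/CORP.EXAMPLE@CORP.EXAMPLE'     # assumed realm
SVC_PRINC='HTTP/wcf.corp.example@CORP.EXAMPLE'   # assumed service SPN

# ticket_flags KLIST_TEXT PRINCIPAL
# Prints the flag letters klist -f shows for that ticket (F forwardable,
# O ok-as-delegate, I initial, A pre-authenticated, ...); empty if no ticket.
ticket_flags() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $NF == p                { found = 1; next }
        found && $1 == "Flags:" { print $2; exit }
        found                   { exit }
    '
}

# has_flag FLAGS LETTER -> succeeds when LETTER appears in FLAGS
has_flag() {
    case "$1" in *"$2"*) return 0 ;; esac
    return 1
}

# delegation_mode KLIST_TEXT TGT_PRINCIPAL SERVICE_PRINCIPAL
# Prints the curl --delegation value that can work with the cached tickets:
#   none   - TGT is not forwardable, so GSSAPI cannot forward it at all;
#            re-run kinit -f (or set forwardable = true in krb5.conf) first
#   policy - service ticket carries O, so curl may delegate under KDC policy
#   always - TGT is forwardable but no O flag; the client must force it
delegation_mode() {
    tgt=$(ticket_flags "$1" "$2")
    svc=$(ticket_flags "$1" "$3")
    if ! has_flag "$tgt" F; then
        echo none
    elif has_flag "$svc" O; then
        echo policy
    else
        echo always
    fi
}

# curl_command URL MODE -> prints the curl invocation that authenticates via
# SPNEGO from the ticket cache (--negotiate with an empty -u :) and asks
# GSSAPI for the given delegation mode.
curl_command() {
    printf 'curl --negotiate -u : --delegation %s %s\n' "$2" "$1"
}

# Stand-alone demo against the constructed sample.
mode=$(delegation_mode "$SAMPLE_KLIST" "$TGT_PRINC" "$SVC_PRINC")
echo "TGT flags:     $(ticket_flags "$SAMPLE_KLIST" "$TGT_PRINC")"
echo "service flags: $(ticket_flags "$SAMPLE_KLIST" "$SVC_PRINC")"
echo "delegation:    $mode"
[ "$mode" = none ] || curl_command 'https://wcf.corp.example/Service.svc' "$mode"
```

With the sample cache the script reports `always`, meaning the TGT can be forwarded but the KDC has not marked the service ticket OK-AS-DELEGATE, so `--delegation policy` would silently not delegate. If the TGT itself lacks F, no curl option helps; the ticket has to be re-acquired as forwardable before the first hop.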
  • Hi CaptainComicus,

    I have invoked some senior engineers, I will come back as soon as possible if I get any response from them.

    Sorry for any inconvenience, and thanks for your understanding.

    Best Regards,

    Edward 



    Monday, October 31, 2016 3:17 AM
  • Hi CaptainComicus,

    I have a question. Have you created an SPN for the service account of the app pool that hosts the WCF application? Have you enabled "Trust this user for delegation to any service (Kerberos only)" for this service account on the DC?

    You can also capture a network monitor trace to check why the delegation fails. 

    Zhiqing


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Wednesday, November 9, 2016 12:18 PM
  • Hi Zhiqing,

    Yes, the SPN has been set up. Currently, in the delegation tab, it is set up for constrained delegation: "Trust this computer for delegation to specified services only - Use any authentication protocol".

    So I can explain the situation better:

    1. This is a cross-realm scenario: a Windows WCF client has impersonation enabled in the client configuration, and it works fine in a double-hop scenario. I see that all Kerberos tickets (initial and TGTs for realms in the path) have forwardable and name-canonicalized set on them.

    2. In Linux, I tried to use a Kerberized connection through curl to test the same web service. After obtaining tickets from vastool (which connects to Active Directory), I noticed that apart from the initial TGT, the other tickets do not have the forwardable or name-canonicalized flags set on them.

    I'm trying to see if there was a specific reason for the same. 

    Thanks!



    Wednesday, November 9, 2016 4:40 PM
  • Hi CaptainComicus,

    This issue seems to be on the Active Directory side, since the service ticket has no forwardable flag. Could you post the question on an AD-related forum?

    Best regards,

    Zhiqing



    Tuesday, November 22, 2016 3:49 AM