none
WCF service - delegation issue. RRS feed

  • Question

  • 1) All of my setup on the same domain (domain.com) (intranet)

    2) winforms app (client1) connect to iis 8.5 (win 2k12 r2) where a wcf service is hosted. this service has windows and anonymous auth enabled (anonymous auth due to message security)

    3) I use declarative model for delegation on wcf service method (Impersonation = ImpersonationOption.Required)

    4) client and server have following config entries (using wshttpbinding)

    <security mode="Message"> <message clientCredentialType="Windows" negotiateServiceCredential="false" establishSecurityContext="false"/> </security>

    <identity>
                <servicePrincipalName value="HOST/servername.domain.com"/>
              </identity>

    5) server has been fully trusted in AD for delegation (hence am using the SPN entry for 'HOST' above)

    6) client uses Delegation:

    m_svcMyServiceClient.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Delegation

    For some reason, the credentials of user logged on client PC using client1 app is NOT passing through to a different service (HPC) on the same server as IIS. It sends networkservice or localsystem (app pool identity) to the backend service instead of "domain\user1"

    7) what could i be missing here?

    my understanding is that the default SPNs ("HOST/servername" and "HOST/servername.domain.com") are good enough for the delegation to work regardless of what the app pool runs under (applicationpoolidentity or local system or local service). 


    Tuesday, July 12, 2016 2:53 PM

All replies

  • Hi SRIRAM,

    Did your service run ok or only the delegation not work? If you debug your service, will this method be called from client?

    The link below might be useful to you.

    #How to: Use Delegation for Flowing the Original Caller Credentials to the Back End in WCF Calling from Windows Forms

    https://msdn.microsoft.com/en-us/library/ff650896.aspx

    Best Regards,

    Tony


    Help each other

    Thursday, July 14, 2016 12:34 PM
  • Thanks Tony. But there seems to be some issue with delegation. The app pool of my WCF is running under 'applicationpoolidentity' account. will that account have access to SPNs on the server to delegate user credentials? when i set network service, that account name is getting delegated instead of my user's credentials.
    Friday, July 15, 2016 4:38 AM
  • Hi SRIRAM,

    I have tried to follow up your steps to use delegation, but now, I am not able to make it work. I will try to make a test again.

    Best Regards,

    Tony


    Help each other

    Friday, July 22, 2016 12:07 PM
  • Thanks Tony. Will wait to hear back from you

    Friday, July 22, 2016 1:19 PM
  • *bump* Any update on this thread? 
    Monday, August 8, 2016 1:37 PM
  • Hi SRIRAM,

    Thanks for your post.

    For this thread, I'm trying to involve some senior engineers into this issue and it will take some time. Your patience will be greatly appreciated. 

    Sorry for any inconvenience and have a nice day!

    Best Regards,

    Edward


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.


    Tuesday, August 9, 2016 7:14 AM
  • *bump*
    Sunday, October 2, 2016 2:04 PM
  • Hi,

    Haveyou made sure that the wcf web app hosted on iis has impersonation enabled ?

    https://blogs.msdn.microsoft.com/saurabs/2012/07/16/wcf-learning-impersonation/

    <configuration>
    
      <system.web>
    
        <identity impersonate=”true” />
    
      </system.web>
    
    </configuration>

    To test if impersonation is actually working at the WCF service before it is used for delegation. https://msdn.microsoft.com/en-us/library/x22bbxz6.aspx

    if (WindowsIdentity.GetCurrent(true) != null) {
    //Log impersonation is working
    }else{
    // WindowsIdentity.GetCurrent(true) == null, means impersonation is NOT working
    }


    • Edited by lanax Tuesday, October 4, 2016 5:19 AM
    Tuesday, October 4, 2016 4:46 AM