Kerberos token caching issue

  • Question

  • We are facing an issue where the front-end WCF service is sending the same user identity to the back-end for all calls.

    We have a desktop client which calls a front-end service (WCF). This front-end service then calls a back-end service (again WCF) to do some processing and responds back to the desktop application.

    The back-end service is required to log the id of the desktop app user. So we have enabled impersonation on the front-end service so that when it calls the back-end service it will pass the user details to the back-end service and we can retrieve them using OperationContext properties.

    We are using a custom binding with Kerberos for each WCF call: Client -> Front-end service -> Back-end service.

    This setup works for the first request. It passes the end user's identity to the back-end service correctly. But when we try to perform some operation as another user, the back-end service still shows and logs the first user's id.

    After doing an iisreset on the front-end service it passes the new id to the back-end, but again for the next request the same id is getting logged. So it seems like the first Kerberos TGT is getting cached on the front-end service.

    How can I make sure that the front-end service passes the current user's token to the back-end service without an IIS reset or app pool recycling?

    Code used to get the user identity on the back-end service.

    // Security properties of the incoming message on the back-end operation.
    var securityProperty = OperationContext.Current.IncomingMessageProperties.Security;
    // The protection token is the Kerberos token the caller authenticated with.
    System.IdentityModel.Tokens.KerberosReceiverSecurityToken s = (System.IdentityModel.Tokens.KerberosReceiverSecurityToken)securityProperty.ProtectionToken.SecurityToken;
    // Windows identity that the Kerberos token maps to (this is what gets logged).
    var windid = s.WindowsIdentity.Name;

    P.S. - The IIS log shows the correct identity on back-end service calls. It's only the code which is getting the token of the first user.
    • Edited by bhvyshah Friday, July 14, 2017 12:39 PM
    Friday, July 14, 2017 12:34 PM

Answers

  • Hi Edward,

    Thank you for your response. 

    Just now we figured out the issue. The FE service was using a class library to locate pre-generated proxies for making calls; the proxy instance was getting created inside the constructor of this class.

    And as expected, the instance was getting created only for the first call, and this same instance was then getting used for all users.

    So we had to change

    [ServiceImplementation("RealtimeWCFService, Components.External", Cacheable = true)]

    to 

    [ServiceImplementation("RealtimeWCFService, Components.External", Cacheable = false)] 

    and that solved the issue.


    Monday, July 17, 2017 2:19 PM
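The root cause described in this answer, as an added example that is not the original poster's or Edward's code: a front-end client whose proxy is created once in a constructor (the reported anti-pattern, where the channel takes its Kerberos credential from whoever is impersonated when it opens and keeps it) beside a per-call version that caches only the ChannelFactory and opens, uses and closes a fresh channel inside the caller's impersonation scope, plus the back-end operation that logs the forwarded identity (what the question's snippet does via the Kerberos token, read here from ServiceSecurityContext). The contract IBackendService, the class names and the endpoint address are assumptions; the example also assumes the front-end's service account is trusted for delegation to the back-end's SPN and that the desktop client allows TokenImpersonationLevel.Delegation.

```csharp
// Added example, not code from the original thread. IBackendService, the client
// class names and the endpoint address are assumptions for illustration.
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Channels;

[ServiceContract]
public interface IBackendService
{
    [OperationContract]
    string DoWork(string input);
}

// Anti-pattern that reproduces the reported symptom: the proxy is created once,
// in the constructor, while the first caller is being impersonated. The channel
// acquires its Windows/Kerberos credential when it opens and keeps it, so every
// later caller's request is sent to the back-end under the first caller's identity.
public sealed class CachedProxyBackendClient
{
    private readonly IBackendService _channel;

    public CachedProxyBackendClient(Binding binding, EndpointAddress address)
    {
        // Security context is bound to this one channel for its whole lifetime.
        _channel = new ChannelFactory<IBackendService>(binding, address).CreateChannel();
    }

    public string DoWork(string input) => _channel.DoWork(input);
}

// Fixed pattern: cache the (expensive) ChannelFactory, but create, use and close
// a fresh channel for each call inside the current caller's impersonation scope.
public sealed class PerCallBackendClient
{
    private readonly ChannelFactory<IBackendService> _factory;

    public PerCallBackendClient(Binding binding, EndpointAddress address)
    {
        _factory = new ChannelFactory<IBackendService>(binding, address);
    }

    // Call this from a front-end operation marked
    // [OperationBehavior(Impersonation = ImpersonationOption.Required)].
    public string DoWork(string input)
    {
        WindowsIdentity caller = ServiceSecurityContext.Current?.WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
            throw new InvalidOperationException("Caller has no Windows identity; refusing to forward.");

        // Assumes the service account is trusted for delegation to the back-end SPN
        // and the client allowed TokenImpersonationLevel.Delegation; otherwise the
        // back-end sees the service account (or the call fails), never a stale user.
        using (caller.Impersonate())
        {
            IBackendService channel = _factory.CreateChannel();
            var clientChannel = (IClientChannel)channel;
            try
            {
                string result = channel.DoWork(input);
                clientChannel.Close();   // graceful close; Dispose would swallow faults
                return result;
            }
            catch
            {
                clientChannel.Abort();   // never reuse a faulted channel
                throw;
            }
        }
    }
}

// Back-end side: one instance per call, no further impersonation, and the logged
// identity is the one WCF authenticated for this message, not a cached one.
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
public sealed class BackendService : IBackendService
{
    [OperationBehavior(Impersonation = ImpersonationOption.NotAllowed)]
    public string DoWork(string input)
    {
        string caller = ServiceSecurityContext.Current?.WindowsIdentity?.Name ?? "<anonymous>";
        Console.WriteLine($"[backend] caller={caller} input={input}");
        return $"processed for {caller}";
    }
}
```

The split between factory and channel is the point: caching a ChannelFactory is safe and normal, caching a channel across requests is an identity-confusion bug whenever the channel carries per-user credentials. With a cached channel the back-end's IIS log (which sees the transport-level Kerberos ticket) can disagree with the application log, which is exactly the symptom the question reports.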

All replies

  • Hi Bhavyesh_Shah,

    Could you share with us how you configured impersonation? Are the FE service and BE service hosted on the same computer? How did you call the BE service from the FE?

    Could you try the Delegation option? Something like below:

    using System;
    using System.Security.Principal;
    using System.ServiceModel;

    public class HelloService : IHelloService
    {
        // Run this operation under the caller's Windows identity.
        [OperationBehavior(Impersonation = ImpersonationOption.Required)]
        public string Hello(string message)
        {
            WindowsIdentity callerWindowsIdentity = ServiceSecurityContext.Current.WindowsIdentity;
            if (callerWindowsIdentity == null)
            {
                throw new InvalidOperationException
                 ("The caller cannot be mapped to a Windows identity.");
            }
            // Impersonate the caller while the back-end channel is created and used,
            // so the outgoing Kerberos credential is the caller's, not the service account's.
            using (callerWindowsIdentity.Impersonate())
            {
                // The address scheme must match the binding: net.tcp:// for NetTcpBinding.
                EndpointAddress backendServiceAddress = new EndpointAddress("net.tcp://localhost:8000/ChannelApp");
                // Any binding that performs Windows authentication of the client can be used.
                using (ChannelFactory<IHelloService> channelFactory = new ChannelFactory<IHelloService>(new NetTcpBinding(), backendServiceAddress))
                {
                    IHelloService channel = channelFactory.CreateChannel();
                    return channel.Hello(message);
                }
            }
        }
    }

    #Delegation

    https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/delegation-and-impersonation-with-wcf

    I am interested in this issue; could you share with us a simple demo which could reproduce it?

    Best Regards,

    Edward


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Monday, July 17, 2017 5:12 AM
  • Hi Bhavyesh_Shah,

    Thanks for sharing the solution.

    I would suggest you mark your reply as the answer to close this thread, so that others can find the solution easily.

    Best Regards,

    Edward



    Tuesday, July 18, 2017 2:47 AM