WCF BasicHttpBinding with IIS 7.5 Windows authentication and option authPersistNonNTLM=true

  • Question

  • Hello,

    we are deploying a new infrastructure based on a middle-tier application pattern:

    => Light client in the browser which calls an ASP.NET MVC 4.0 Web API with a Kerberos token (IE 8)

    => ASP.NET MVC 4.0 Web API which calls the WCF service with the client's Kerberos token (Windows 2008 R2 / IIS 7.5 integrated mode)

    The client binding is basicHttpBinding

    <binding name="basicTransportCredentialOnly" allowCookies="true">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows" />
      </security>
    </binding>

    and a behavior

    <endpointBehaviors>
      <behavior name="Delegation">
        <clientCredentials>
          <windows allowedImpersonationLevel="Delegation" allowNtlm="false" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>

    => WCF services which call the backend systems (Windows 2008 R2 / IIS 7.5 integrated mode)

    The service binding is basicHttpBinding

    <binding name="basicHttpBindingTransportCredentialOnly" allowCookies="true">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows" />
      </security>
    </binding>

    with a behavior

    <behavior name="TestWCF.Service1Behavior">
      <!-- To avoid disclosing metadata information, set the value below to false before deployment -->
      <serviceMetadata httpGetEnabled="false"/>
      <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
      <serviceDebug includeExceptionDetailInFaults="true"/>
      <!-- Default WCF throttling limits are too low -->
      <serviceThrottling maxConcurrentCalls="65536" maxConcurrentSessions="65536" maxConcurrentInstances="65536" />
      <serviceCredentials>
        <windowsAuthentication allowAnonymousLogons="false" includeWindowsGroups="true" />
      </serviceCredentials>
    </behavior>

    The configuration of Kerberos with double hop / delegation works well, but we saw in the W3C log file that each request needs to renegotiate credentials.

    The impersonation is done in the Web API method by retrieving

    HttpContext.Current.User.Identity as System.Security.Principal.WindowsIdentity and applying the Impersonate method.

    We would like to optimize this by persisting the Negotiate token with the option authPersistNonNTLM=true (

    -section:system.webServer/security/authentication/windowsAuthentication /authPersistNonNTLM:"True") but it doesn't work and we get an exception on a lot of requests (according to the W3C log file, we saw that requests came without credentials).

    Could you help me, or tell me whether the option authPersistNonNTLM can be used with a WCF client?

    The exception is described here:

    System.ServiceModel.Security.SecurityNegotiationException: The remote HTTP server did not satisfy the mutual authentication requirement.
    Server stack trace:
       at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory`1 factory)
       at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory`1 factory, WebException responseException, ChannelBinding channelBinding)
       at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
       at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
    Exception rethrown at [0]:
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) ..


    Yannick

    Tuesday, July 9, 2013 11:05 AM
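The double-hop call the question describes (Web API method impersonates the caller's WindowsIdentity, then calls the WCF service over basicHttpBinding with TransportCredentialOnly / Windows credentials and a Delegation-level client credential) as an added C# example; it is not the poster's code. The contract IBackendService, its GetData operation, the controller name and the backend address are assumptions. The example adds the check a practitioner wants before the second hop: the token must be at Delegation level, otherwise it cannot be forwarded and the outbound negotiation fails. It also shows the close/abort pattern for the channel, since SecurityNegotiationException (the type in the question's stack trace) derives from CommunicationException.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.ServiceModel;
using System.Web;
using System.Web.Http;

// Hypothetical backend contract; the real service contract is not on the page.
[ServiceContract]
public interface IBackendService
{
    [OperationContract]
    string GetData(int id);
}

public class DelegatingController : ApiController
{
    // Assumed address of the WCF service (placeholder, not from the page).
    private const string BackendAddress = "http://backend.example.internal/Service1.svc";

    // One factory per process: building a ChannelFactory is expensive, creating channels is cheap.
    private static readonly ChannelFactory<IBackendService> Factory = CreateFactory();

    private static ChannelFactory<IBackendService> CreateFactory()
    {
        // Mirrors the page's client binding: TransportCredentialOnly + Windows credentials.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        binding.AllowCookies = true;

        var factory = new ChannelFactory<IBackendService>(binding, new EndpointAddress(BackendAddress));

        // Mirrors the page's <windows allowedImpersonationLevel="Delegation" allowNtlm="false" />:
        // forward the caller's identity and refuse to fall back to NTLM (Kerberos only).
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;
        factory.Credentials.Windows.AllowNtlm = false;
        return factory;
    }

    public string Get(int id)
    {
        // The caller's identity as established by IIS Windows authentication on the first hop.
        var caller = HttpContext.Current.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new HttpResponseException(HttpStatusCode.Unauthorized);

        // The second hop only works with a delegation-level token. An Identification- or
        // Impersonation-level token can be used on this box but cannot be sent onward, and the
        // backend call then fails during security negotiation. Failing here gives a clear error
        // instead of a negotiation exception from deep inside the channel stack.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            throw new HttpResponseException(Request.CreateErrorResponse(
                HttpStatusCode.Forbidden,
                "Caller token is " + caller.ImpersonationLevel + "; Delegation is required for the backend call."));
        }

        IBackendService proxy = Factory.CreateChannel();
        var channel = (IClientChannel)proxy;
        try
        {
            string result;
            // Run the outbound call under the caller's token so WCF presents the caller's
            // Kerberos ticket to the backend rather than the application pool identity.
            using (WindowsImpersonationContext ctx = caller.Impersonate())
            {
                result = proxy.GetData(id);
            }
            channel.Close();
            return result;
        }
        catch (CommunicationException)
        {
            // Includes SecurityNegotiationException ("did not satisfy the mutual authentication
            // requirement"). A faulted channel must be aborted, not closed.
            channel.Abort();
            throw;
        }
        catch (TimeoutException)
        {
            channel.Abort();
            throw;
        }
    }
}
```

The impersonation context is scoped to the single outbound call: disposing it reverts the thread to the application pool identity before the response is written, so nothing later in the request pipeline runs as the end user by accident.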

All replies