Double hop issue when running service local/Administrator

  • Question

  • I have a WCF service which is hosted on server A. I consume it from server B (client). And this service accesses a resource from server C.

    When I hosted the service using a domain user (MYDOMAIN\user1) and did all the settings on the host machine (server A), like setting the SPN, allowing the host for delegation, etc., I was able to consume the service without any issue.

    Now I need to host the service on the same host machine (server A) with local\Administrator. What settings do I need to do?

    Does Kerberos authentication not come into the picture here, and so the SPN settings?

    I could not perform steps to enable delegation for "local\Administrator" as it is not listed in active directory users and computers. 

    Monday, August 12, 2013 2:20 PM

Answers

  • Hi puneDev,

    So you originally configured the IIS application pool (for the web application that hosts the WCF service) to use a domain account, and now you want to switch it to a local admin account (on the web server) and are wondering if there is any potential issue with Kerberos authentication/delegation, correct?

    For IIS 6.0, the web application uses the IIS application pool identity for Kerberos authentication (if Windows auth is used) ticket decryption. So we will need to configure it as NetworkService or a domain account so that we can register an SPN for the account in AD. From IIS 7.0, there is a "kernel mode authentication" feature (enabled by default) which makes Windows (Kerberos) authentication always be handled in kernel mode and uses the machine account (of the web server in AD) for Kerberos ticket decryption and SPN mapping. Therefore, with kernel mode authentication enabled, we don't need to take particular care about the app pool identity used (and the SPN registered for it). Here are some web articles which also mention this:

    #Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5
    http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx

    And if you still want to use the application pool identity (instead of the machine account) for Windows authentication, you can manually switch the web site/web application to use the application pool identity (in the web.config file).

    #Internet Information Services (IIS) 7.0 Kernel Mode Authentication Settings
    http://technet.microsoft.com/en-us/library/dd573004(v=office.13).aspx


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Wednesday, August 14, 2013 3:29 AM
    Moderator

All replies

  • You have to change the startup run credential of the service using the web page below.

    http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sys_srv_configure_startup.mspx?mfr=true


    jdweng

    Monday, August 12, 2013 2:43 PM
  • Hey Steven, I am not using an IIS server; my service was self-hosted. But after some exploration, I now have a Windows service which is hosting my WCF service. This Windows service is running as Local System. And I want, when I call this service from any domain user, this service to perform the delegation of the client's credentials.

    Thursday, August 22, 2013 5:57 AM
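The point the moderator makes about IIS kernel mode authentication applies just as much to the self-hosted case described in the last reply: a service running as Local System (or NetworkService) authenticates on the network as the host's computer account, so the SPN and delegation settings live on the computer object in AD, not on "local\Administrator". The following PowerShell check is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, and the server names and backend SPN are placeholders.

```powershell
# Added example (not from the original thread). Assumes the RSAT ActiveDirectory
# module is installed and the caller can read AD. Names below are placeholders.
Import-Module ActiveDirectory

$hostName   = 'SERVERA'                      # placeholder: server A, hosts the WCF service as Local System
$backendSpn = 'cifs/serverc.mydomain.local'  # placeholder: the resource on server C the service must reach

# Local System presents itself to other hosts as the computer account SERVERA$,
# so that object carries the Kerberos-relevant attributes.
$computer = Get-ADComputer -Identity $hostName -Properties ServicePrincipalName,
    TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

# 1. SPNs on the computer object. HOST/<name> is registered by default and covers
#    HTTP and most built-in services; a custom service class would need its own SPN.
Write-Host "SPNs registered on ${hostName}`$:"
$computer.ServicePrincipalName | ForEach-Object { Write-Host "  $_" }

# 2. Delegation settings. These are set on the computer's Delegation tab in
#    AD Users and Computers, which is why a local account never shows up there.
if ($computer.TrustedForDelegation) {
    Write-Warning "$hostName is trusted for UNCONSTRAINED delegation: it can reuse any caller's TGT against any service."
}

$targets = @($computer.'msDS-AllowedToDelegateTo')
if ($targets.Count -gt 0) {
    Write-Host "Constrained delegation targets for ${hostName}`$:"
    $targets | ForEach-Object { Write-Host "  $_" }
}
if ($computer.TrustedToAuthForDelegation) {
    Write-Host "Protocol transition ('use any authentication protocol') is enabled."
}

# 3. The specific double-hop this thread asks about: A$ forwarding the client's
#    identity to server C. Constrained delegation to just that SPN is the least-privilege option.
if ($targets -contains $backendSpn) {
    Write-Host "OK: ${hostName}`$ may delegate to $backendSpn (constrained)."
} elseif (-not $computer.TrustedForDelegation) {
    Write-Host "Missing: ${hostName}`$ is not allowed to delegate to $backendSpn; the second hop will fall back to anonymous/NTLM and fail."
}
```

Run it on a domain-joined machine after changing the service account; if the computer object shows no delegation targets, the second hop to server C will not carry the caller's identity regardless of how the first hop authenticated.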