Constrained Delegation in Kerberos - What am I doing wrong?

  • Question

  • I have been following all the documents available on the net, and I used Kerbtray, Kerblist etc., but was never able to get constrained delegation to work. Since I can upload only 2 images per question I have combined all the images at the end. Please note that in my setup I am using the same account (MYDOMAIN\MYAPPACCOUNT) both for running the app pool that hosts my ASP.NET MVC application and for the Windows service that hosts my WCF service. (Actual details have been masked for security reasons.)

    1. Image at the bottom shows the SPN created for the system account MYDOMAIN\MYAPPACCOUNT which is used to run the Windows service that is hosting the WCF service.

    2. Following is the server configuration

    <?xml version="1.0"?>
    <configuration>
      <system.serviceModel>
        <services>
          <service name="RiskSvc.Rules.Services.RfaRuleExecutionService"
                   behaviorConfiguration="ServiceBehavior1">
            <endpoint
              address="net.tcp://MYAPPSERVER.MYDOMAIN.com:9110/RfaRuleExecutionService"
              binding="netTcpBinding"
              bindingConfiguration="netTcpBindingConfiguration"
              contract="RiskSvc.Rules.Services.Interfaces.IRfaRuleExecutionService">
              <identity>
                <servicePrincipalName value="MRRFAService/MYAPPSERVER.MYDOMAIN.COM:9110"/>
              </identity>
            </endpoint>
          </service>
        </services>
        <bindings>
          <netTcpBinding>
            <binding name="netTcpBindingConfiguration" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647">
              <readerQuotas maxStringContentLength="2147483647" />
              <security mode="Transport">
                <transport clientCredentialType="Windows"/>
              </security>
            </binding>
          </netTcpBinding>
        </bindings>
        <behaviors>
          <serviceBehaviors>
            <behavior name="ServiceBehavior1">
              <serviceAuthorization impersonateCallerForAllOperations="true" />
              <serviceCredentials>
                <windowsAuthentication includeWindowsGroups="true" allowAnonymousLogons="false"/>
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
        </behaviors>
      </system.serviceModel>
      <startup>
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
      </startup>
    </configuration>

    3. The Windows service is running as the account that has the SPNs set as in section 1.

    4. The application pool of the web server is also running as the same account, MYDOMAIN\MYAPPACCOUNT.

    5. Constrained delegation is set up for the same account, since the app pool is running as MYDOMAIN\MYAPPACCOUNT.

    6. Following is the configuration of the IIS web application (web.config), which is the consumer of the WCF service. I have removed the other configuration for clarity.

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <appSettings>
      </appSettings>
      <system.web>
        <compilation debug="true" targetFramework="4.0" />
        <authentication mode="Windows" />
        <identity impersonate="true" />
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
      <system.serviceModel>
        <bindings>
          <netTcpBinding>
            <binding name="netTcpBindingConfiguration" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions" hostNameComparisonMode="StrongWildcard" listenBacklog="10" maxBufferPoolSize="524288" maxBufferSize="2147483647" maxConnections="10" maxReceivedMessageSize="65536">
              <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
              <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
              <security mode="Transport">
                <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
                <message clientCredentialType="Windows" />
              </security>
            </binding>
          </netTcpBinding>
        </bindings>
        <behaviors>
          <endpointBehaviors>
            <behavior name="WcfTestBehavior">
              <clientCredentials>
                <windows allowNtlm="false" />
              </clientCredentials>
            </behavior>
          </endpointBehaviors>
        </behaviors>
        <client>
          <endpoint address="net.tcp://MYAPPSERVER.MYDOMAIN.COM:9110/RfaRuleExecutionService"
                    binding="netTcpBinding" bindingConfiguration="netTcpBindingConfiguration"
                    contract="RiskSvc.Rules.Services.Interfaces.IRfaRuleExecutionService"
                    name="NetTcpBinding_IRfaRuleExecutionService"
                    behaviorConfiguration="WcfTestBehavior">
            <identity>
              <servicePrincipalName value="MRRFAService/MYAPPSERVER.MYDOMAIN.com:9110"/>
            </identity>
          </endpoint>
        </client>
      </system.serviceModel>
    </configuration>

    After doing all this the web application is still connecting to the remote WCF host as anonymous login.


    Added:

    Also please note that I am running my ASP.NET MVC application on IIS 7 with kernel-mode authentication enabled. I can also confirm that the SPN (HOST/IISServerNETBIOSName) is set up for the IIS host machine.

    • Edited by GiridharED Friday, April 25, 2014 3:12 AM
    Monday, March 17, 2014 6:20 AM
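As an added example (not part of the original post or the poster's environment), the following PowerShell script checks the pieces of the setup described in steps 1 to 6 and the added note: that the backend SPN is registered exactly once and on the account running the Windows service, that MYAPPACCOUNT's msDS-AllowedToDelegateTo list contains that SPN (constrained, not unconstrained, delegation), and how IIS kernel-mode authentication interacts with a custom application pool identity. Names come from the thread; the web server's FQDN, site name and pool name (IISSERVER.MYDOMAIN.COM, Default Web Site, DefaultAppPool) are assumed placeholders because the post masks them. It needs the ActiveDirectory (RSAT) and WebAdministration modules and is meant to be run in an elevated session on the IIS front end.

```powershell
# Added example, not from the original post. Verifies SPN registration,
# constrained-delegation settings and the IIS kernel-mode/app-pool interaction.
# Requires: RSAT ActiveDirectory module, WebAdministration module, run on the IIS host.
Import-Module ActiveDirectory
Import-Module WebAdministration

$AppAccount  = 'MYAPPACCOUNT'                                # MYDOMAIN\MYAPPACCOUNT (sAMAccountName)
$BackendSpn  = 'MRRFAService/MYAPPSERVER.MYDOMAIN.COM:9110'   # SPN from the client <identity> element
$WebHost     = 'IISSERVER.MYDOMAIN.COM'                       # ASSUMED: FQDN users browse to
$SiteName    = 'Default Web Site'                             # ASSUMED: IIS site hosting the MVC app
$PoolName    = 'DefaultAppPool'                               # ASSUMED: its application pool
$machineAcct = "$env:COMPUTERNAME`$"                          # computer account of this IIS host

function Get-SpnOwner {
    # Every AD object holding $Spn. Kerberos needs exactly one; the KDC encrypts the
    # service ticket with that object's key, so it must be the account the service runs as.
    param([Parameter(Mandatory)][string]$Spn)
    @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName)
}

# --- 1. Backend SPN (steps 1 and 3) ---------------------------------------------
$owners = @(Get-SpnOwner $BackendSpn)
switch ($owners.Count) {
    0       { Write-Warning "$BackendSpn is registered on no account; the KDC cannot issue a ticket for it." }
    1       { if ($owners[0].sAMAccountName -ieq $AppAccount) { Write-Host "OK: $BackendSpn -> $AppAccount" }
              else { Write-Warning "$BackendSpn belongs to $($owners[0].sAMAccountName), not $AppAccount." } }
    default { Write-Warning "$BackendSpn is duplicated on: $($owners.sAMAccountName -join ', ')" }
}

# --- 2. Delegation settings on the front-end account (step 5) -------------------
$acct    = Get-ADUser $AppAccount -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
$allowed = @($acct.'msDS-AllowedToDelegateTo')
if ($acct.TrustedForDelegation) {
    Write-Warning "$AppAccount has *unconstrained* delegation (TrustedForDelegation); constrained uses msDS-AllowedToDelegateTo."
}
if ($allowed -contains $BackendSpn) {   # -contains is case-insensitive, like the AD attribute lookup
    Write-Host "OK: $AppAccount may delegate to $BackendSpn"
} else {
    Write-Warning "$BackendSpn is missing from msDS-AllowedToDelegateTo (current: $($allowed -join ', ')). Fix:"
    Write-Warning "  Set-ADUser $AppAccount -Add @{'msDS-AllowedToDelegateTo' = '$BackendSpn'}"
}
# 'Use any authentication protocol' (protocol transition) is only needed when the
# browser cannot deliver a Kerberos ticket to the front end; otherwise leave it off.
Write-Host "Protocol transition (TrustedToAuthForDelegation): $($acct.TrustedToAuthForDelegation)"

# --- 3. Front end: kernel-mode auth vs. app pool identity (the 'Added' note) ----
$pool    = Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel
$winAuth = Get-WebConfiguration 'system.webServer/security/authentication/windowsAuthentication' -PSPath "IIS:\Sites\$SiteName"
$customIdentity = $pool.identityType -eq 'SpecificUser'
Write-Host "Pool identity: $($pool.identityType) $($pool.userName); useKernelMode=$($winAuth.useKernelMode); useAppPoolCredentials=$($winAuth.useAppPoolCredentials)"

# Whose keys decrypt the browser's ticket? Kernel mode without useAppPoolCredentials
# means http.sys uses the machine account; otherwise the worker process identity.
$decryptor = if ($customIdentity -and ($winAuth.useAppPoolCredentials -or -not $winAuth.useKernelMode)) { $AppAccount } else { $machineAcct }
$httpOwner = @(Get-SpnOwner "HTTP/$WebHost")
if ($httpOwner.Count -eq 0 -and $decryptor -eq $machineAcct) {
    Write-Host "OK: HTTP/$WebHost is covered by HOST/ on $machineAcct"
} elseif ($httpOwner.Count -eq 1 -and $httpOwner[0].sAMAccountName -ieq $decryptor) {
    Write-Host "OK: HTTP/$WebHost -> $decryptor"
} else {
    $actual = if ($httpOwner.Count -eq 0) { "$machineAcct (via HOST/)" } else { $httpOwner.sAMAccountName -join ', ' }
    Write-Warning "HTTP/$WebHost is held by $actual but $decryptor decrypts the browser's ticket; expect NTLM fallback or logon failures."
}

if ($customIdentity -and $winAuth.useKernelMode -and -not $winAuth.useAppPoolCredentials) {
    # The Kerberos context is accepted by the computer account, so the KDC evaluates
    # S4U2Proxy against the computer account's msDS-AllowedToDelegateTo, not $AppAccount's.
    Write-Warning "Kernel mode without useAppPoolCredentials: delegation is evaluated on $machineAcct, not $AppAccount."
    Write-Warning "  Fix: Set-WebConfigurationProperty -Filter system.webServer/security/authentication/windowsAuthentication -Name useAppPoolCredentials -Value True -PSPath 'IIS:\Sites\$SiteName'"
    Write-Warning "  then register HTTP/$WebHost on $AppAccount (setspn -S HTTP/$WebHost $AppAccount)."
}
```

The third section is the check most often missed with this kind of setup: with useKernelMode=true and useAppPoolCredentials=false, http.sys accepts the browser's Kerberos ticket with the computer account's keys, so the constrained-delegation request to the backend is made, and authorised by the KDC, on behalf of the IIS server's computer account. msDS-AllowedToDelegateTo on MYAPPACCOUNT then has no effect. Either switch on useAppPoolCredentials and move the HTTP SPN to the app pool account, or configure the delegation on the computer account instead.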

All replies

  • Hi,

    In your client config file, I saw that you used the following:

    <endpointBehaviors>
            <behavior name="WcfTestBehavior">
              <clientCredentials>
                <windows allowNtlm="false" />
              </clientCredentials>
            </behavior>
    </endpointBehaviors>

    Please try to modify it as following to see if it helps:

    <endpointBehaviors>
        <behavior name="WcfTestBehavior">
            <clientCredentials>
                <windows allowNtlm="false"
                         allowedImpersonationLevel="Delegation" />
            </clientCredentials>
        </behavior>
    </endpointBehaviors>

    For more information, please refer to the following articles:
    #Configure the WCF Service Identity Trusted for Constrained Delegation:
    http://msdn.microsoft.com/en-us/library/ff650896.aspx#Step4 .

    #How to enable multi-hop impersonation using constrained delegation in .NET and Active Directory:
    http://www.codeproject.com/Articles/38979/How-to-enable-multi-hop-impersonation-using-constr .

    Best Regards,
    Amy Peng



    Tuesday, March 18, 2014 2:21 AM
    Moderator
  • Thanks Amy, but I am still getting the error.

    The remote server did not satisfy the mutual authentication requirement.

    Server stack trace:
       at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.ValidateMutualAuth(EndpointIdentity expectedIdentity, NegotiateStream negotiateStream, SecurityMessageProperty remoteSecurity, Boolean allowNtlm)
       at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)
       at System.ServiceModel.Channels.StreamSecurityUpgradeInitiatorBase.InitiateUpgrade(Stream stream)
       at System.ServiceModel.Channels.ConnectionUpgradeHelper.InitiateUpgrade(StreamUpgradeInitiator upgradeInitiator, IConnection& connection, ClientFramingDecoder decoder, IDefaultCommunicationTimeouts defaultTimeouts, TimeoutHelper& timeoutHelper)
       at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)
       at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)
       at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
       at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
       at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

    Exception rethrown at [0]:
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at RiskSvc.Rules.Services.Interfaces.IRfaRuleExecutionService.GetData(Int32 value)
       at RiskSvc.Rules.Services.RfaRuleExecutionServiceProxy.GetData(Int32 value) in c:\Share\JupiterData\MyWCFService\RfaRuleExecutionService.cs:line 37
       at MyWCFServiceUI.Controllers.HomeController.Index() in c:\Share\JupiterData\MyWCFServiceUI\Controllers\HomeController.cs:line 18

    Tuesday, March 18, 2014 3:16 AM
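As an added diagnostic, not part of the thread: WCF's WindowsStreamSecurityUpgradeInitiator raises exactly this message when the Negotiate handshake to the net.tcp endpoint completed without mutual authentication, which in practice means the client ended up on NTLM, while allowNtlm is false. Kerberos needs a service ticket for the SPN named in the client's <identity>, so the first thing to establish is whether such a ticket can be obtained at all, independently of WCF. The PowerShell below, run on the IIS front end as an ordinary domain user, asks the KDC for a ticket to MRRFAService/MYAPPSERVER.MYDOMAIN.COM:9110 through the built-in klist.exe, parses the result, and lists which services on MYAPPSERVER actually run as MYAPPACCOUNT, since the SPN has to sit on the account that runs the service. The service name is not given in the thread, so services are matched by account rather than by name.

```powershell
# Added example, not from the thread. Run on the IIS front end as a domain user.
# Tests Kerberos ticket acquisition for the backend SPN and shows which services
# on the backend host run as the expected account (needs WinRM/DCOM to that host).
$BackendSpn  = 'MRRFAService/MYAPPSERVER.MYDOMAIN.COM:9110'   # from the web.config <identity>
$BackendHost = 'MYAPPSERVER.MYDOMAIN.COM'
$AppAccount  = 'MYDOMAIN\MYAPPACCOUNT'                       # account the Windows service should run as

function Test-ServiceTicket {
    # Requests a service ticket for $Spn in the caller's logon session and reports
    # what the KDC did. Matches the text klist.exe prints on success and failure.
    param([Parameter(Mandatory)][string]$Spn)

    $out = (& klist.exe get $Spn 2>&1 | Out-String)
    $ok  = [bool]($out -match 'has been retrieved successfully')

    # After a successful 'get', klist dumps the cache as '#n>' entries; take ours.
    $entry = ($out -split '#\d+>') | Where-Object { $_ -match [regex]::Escape($Spn) } | Select-Object -First 1

    $enc = $null; $flags = $null; $err = $null
    if ($entry -and $entry -match 'KerbTicket Encryption Type:\s*([^\r\n]+)')          { $enc   = $Matches[1].Trim() }
    if ($entry -and $entry -match 'Ticket Flags\s+0x[0-9a-fA-F]+\s*->\s*([^\r\n]+)') { $flags = $Matches[1].Trim() }
    if (-not $ok -and $out -match 'klist failed with ([^\r\n]+)')                      { $err   = $Matches[1].Trim() }

    [pscustomobject]@{ Spn = $Spn; Obtained = $ok; Encryption = $enc; Flags = $flags; Error = $err }
}

$result = Test-ServiceTicket $BackendSpn
$result | Format-List

if (-not $result.Obtained) {
    # No ticket at all: the KDC does not know the SPN (not registered, or registered on
    # a disabled account). Negotiate then falls back to NTLM, which allowNtlm="false"
    # rejects with the mutual-authentication error quoted above.
    Write-Warning "Kerberos to $BackendSpn failed: $($result.Error). Check 'setspn -Q $BackendSpn'."
} else {
    # A logged-on user with a TGT can get the ticket, so SPN resolution is fine. If WCF
    # still fails, the difference is the impersonated token in the app pool: it has no TGT
    # of its own, so the ticket must come via S4U2Proxy, i.e. the delegation configuration
    # of the front-end identity and a Kerberos (not NTLM) logon from the browser.
    Write-Host "Kerberos to $BackendSpn works for $env:USERNAME ($($result.Encryption); $($result.Flags))."
}

# The SPN must be registered on the account that hosts the service; otherwise the
# service cannot decrypt the ticket and the client never sees mutual authentication.
Get-CimInstance Win32_Service -ComputerName $BackendHost |
    Where-Object { $_.StartName -ieq $AppAccount } |
    Select-Object Name, State, StartName
```

If the ticket is obtained here but the web application still falls back to NTLM, compare the account the listed services run as with the output of `setspn -Q` for the SPN, and then look at the front end (kernel-mode authentication, application pool identity and the account's msDS-AllowedToDelegateTo list) rather than at the client binding.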