Bug: Calling a WCF service with delegation credentials required

  • Question

  • When moving from WinForms to WPF we experienced a rather nasty problem. We need to call a WCF web service from, for example, a WPF button event handler. The WCF service requires impersonation with delegation credentials (Kerberos authentication). This implies that the URL uses a fully qualified domain name (FQDN) of the form: http://myhost.myCompany.myCountry:PortNr/serviceName

    While this works perfectly out of the WinForm client, the same code executed inside the WPF client fails with a Kerberos negotiation communication error: "The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate'."

    As this is a serious bug or misbehaviour, is there a known workaround?

     

    Below is an example code snippet:

    Code Snippet

    // WCF service code snippet
    // Minimal repro service. InstanceContextMode.Single means one service
    // instance handles every call.
    // NOTE(security): IncludeExceptionDetailInFaults = true sends managed
    // exception details back to the caller inside SOAP faults. It is a
    // debugging aid; turn it off outside development so internal details
    // are not disclosed to clients.
    [ServiceBehavior(
       IncludeExceptionDetailInFaults = true,
       InstanceContextMode = InstanceContextMode.Single)]
    public class SimpleWcfService : ISimpleWcfService
    {
      // Impersonation is Required, so the method body executes while
      // impersonating the caller's Windows identity. Whether that identity can
      // be used for further network hops depends on the impersonation level the
      // client allows and on the delegation settings of the service account.
      [OperationBehavior(Impersonation = ImpersonationOption.Required)]
      public void SimpleCall()
      {
        const string enteredMessage = "Service successfully entered";
        Console.WriteLine(enteredMessage);
      }
    }

     

     

    // WCF service configuration

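    <configuration>
      <configSections>
      </configSections>
      <system.serviceModel>
        <services>
          <!-- Service endpoint: relative (empty) address, resolved against the host's base address. -->
          <service name="Simple.SimpleWcfService">
            <endpoint
              address=""
              binding="basicHttpBinding"
              bindingConfiguration="impersonatedBinding"
              contract="Simple.ISimpleWcfService"
              />
          </service>
        </services>
        <client>
          <!-- Client endpoint: the address is left empty here and supplied in code
               when the channel is created. -->
          <endpoint
            name="SimpleService"
            address=""
            binding="basicHttpBinding"
            bindingConfiguration="impersonatedBinding"
            contract="Simple.ISimpleWcfService"
          />
        </client>
        <bindings>
          <basicHttpBinding>
            <!-- Shared by the service and the client endpoint, so both sides use
                 the same security settings and 20-second timeouts. -->
            <binding
              name="impersonatedBinding"
              closeTimeout="00:00:20"
              openTimeout="00:00:20" receiveTimeout="00:00:20" sendTimeout="00:00:20"
              bypassProxyOnLocal="true"
              useDefaultWebProxy="false">
              <!-- NOTE(security): TransportCredentialOnly authenticates the caller
                   at the HTTP layer but adds no encryption or integrity protection;
                   message bodies travel in clear text over plain http. Use
                   mode="Transport" (https) where confidentiality matters. -->
              <security mode="TransportCredentialOnly">
                <!-- "Windows" maps to HTTP Negotiate (Kerberos, with NTLM as the
                     fallback). Delegation only works when Kerberos is actually
                     selected, which needs a service principal name the client
                     can resolve for this host; verify the SPN registration. -->
                <transport clientCredentialType="Windows" />
              </security>
            </binding>
          </basicHttpBinding>
        </bindings>
        <behaviors>
          <serviceBehaviors>
            <!-- This named behavior is not referenced by the <service> element
                 above (no behaviorConfiguration attribute), so it is not applied
                 as shown. If it is wired up, metadata becomes retrievable over
                 plain HTTP GET; restrict that to development hosts. -->
            <behavior name="MEX Enabled">
              <serviceMetadata httpGetEnabled="true"/>
            </behavior>
          </serviceBehaviors>
        </behaviors>
      <!-- Closing tag was missing in the posted snippet; without it the file is not well-formed XML. -->
      </system.serviceModel>

    </configuration>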

     

     

    // Client code snippets
    // Fully qualified host name and explicit port, over plain http: the
    // request and response bodies are not encrypted on the wire.
    string serviceUrl = "http://gabun11.xyz.ch:8002/SimpleService";
    CallSimpleServiceOnUri(serviceUrl);

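    /// <summary>
    /// Calls <c>SimpleCall</c> on the service at <paramref name="uriString"/>,
    /// using the "SimpleService" client endpoint configuration and allowing the
    /// service to delegate the caller's Windows identity.
    /// </summary>
    /// <param name="uriString">Absolute URI of the service endpoint.</param>
    /// <remarks>
    /// The factory is now closed after a successful call and aborted on failure,
    /// so the underlying connection is released instead of being left to the
    /// finalizer. The original exception is rethrown unchanged.
    /// </remarks>
    public static void CallSimpleServiceOnUri(string uriString)
    {
       Uri serviceUri = new Uri(uriString);
       ChannelFactory<ISimpleWcfService> channelFactory = new ChannelFactory<ISimpleWcfService>("SimpleService");
       try
       {
          // NOTE(security): Delegation lets the service act as the caller against
          // other network resources. It is the most permissive level; grant it
          // only to services trusted for delegation, and prefer a lower level
          // (Identification / Impersonation) when the service does not need to
          // make onward calls as the user.
          channelFactory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;

          // The endpoint address comes from the caller, not from configuration.
          ISimpleWcfService client = channelFactory.CreateChannel(new EndpointAddress(serviceUri));
          client.SimpleCall();

          // Graceful shutdown; closing the factory also closes the channel it created.
          channelFactory.Close();
       }
       catch
       {
          // Close() can itself throw on a faulted object, so tear down with Abort()
          // and let the original failure reach the caller.
          channelFactory.Abort();
          throw;
       }
    }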

     

     

    Wednesday, June 27, 2007 8:06 AM

Answers

All replies