WCF Delegation, Service couldn't access SQL Server

StackOverflow https://stackoverflow.com/questions/13108419

Domanda

I have the following infrastructure:

  • Computer #1, Microsoft SQL Server 2008, started under System account. There is login Master\MyLogin (with Windows Authintification), server roles = sysadm, database role = db_owner.

  • Computer # 2, WCF service on IIS 7.0. Application and site run under account Master\IISLogin (IISLogin@myDomain.ru)

Configuration:

<configuration>
  <system.web>
    <compilation debug="true" />
  </system.web>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <binding name="CommonWindowsBinding" maxReceivedMessageSize="40000000">
          <security mode="TransportWithMessageCredential">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
    <services>
      <service behaviorConfiguration="CommonBehavior" name="MyNameSpace.AdminService">
        <endpoint address="Windows" binding="netTcpBinding" bindingConfiguration="CommonWindowsBinding" name="IAdminServiceWindows" contract="MyNameSpace.IAdminService">
          <identity>
            <dns value="WCFServer" />
            <userPrincipalName value="IISLogin@myDomain.ru"/>
          </identity>
        </endpoint>
      </service>
    </services>
    <behaviors>
  <serviceBehaviors>
    <behavior name="CommonBehavior">
      <dataContractSerializer maxItemsInObjectGraph="10000000" />
      <serviceMetadata httpGetEnabled="true" policyVersion="Policy15" />
      <serviceDebug includeExceptionDetailInFaults="true" />
      <serviceCredentials>
        <clientCertificate>
          <authentication certificateValidationMode="PeerTrust" />
        </clientCertificate>
        <serviceCertificate findValue="WCFServer" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
        <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="MyClassFullName, MyDllFullName" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>

Service has method

[OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
public bool HasRole(string roleName)
{
     //work with database
}

It uses EF 5.0 database first. Connection string

"Data Source=Computer1; Initial Catalog=myDB; Integrated Security=True; Multipleactiveresultsets=True; Persist Security Info=True;"

  • Computer # 3, the client. It has the following config

    <configuration>
<system.serviceModel>
  <bindings>
    <netTcpBinding>
        <binding name="CommonWindowsBinding" closeTimeout="00:01:00"
            openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
            transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions"
            hostNameComparisonMode="StrongWildcard" listenBacklog="10"
            maxBufferPoolSize="524288" maxBufferSize="65536" maxConnections="10"
            maxReceivedMessageSize="40000000">
            <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                maxBytesPerRead="4096" maxNameTableCharCount="16384" />
            <reliableSession ordered="true" inactivityTimeout="00:10:00"
                enabled="false" />
          <security mode="TransportWithMessageCredential">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
     </netTcpBinding>
</bindings>
<client>
    <endpoint  name="Megatec.MasterTourService.Contracts.IAdminServiceWindows"
        address="net.tcp://Computer2:5012/IISTest/AdminService.svc/Windows"
        behaviorConfiguration="CustomBehavior"
        binding="netTcpBinding"
        bindingConfiguration="CommonWindowsBinding"
        contract="Megatec.MasterTourService.Contracts.IAdminService">
       <identity>
            <dns value="WCFServer" />
       </identity>
    </endpoint>        
</client>
<behaviors>         
  <behavior name="CustomBehavior">
    <dataContractSerializer maxItemsInObjectGraph="10000000"/>
    <clientCredentials>
      <clientCertificate findValue="WCFClient" x509FindType="FindBySubjectName"
          storeLocation="LocalMachine" storeName="My" />
           <serviceCertificate>
               <defaultCertificate findValue="WCFServer" storeLocation="LocalMachine"
                                   x509FindType="FindBySubjectName" />
               <authentication certificateValidationMode="PeerTrust" 
                               revocationMode="NoCheck"
                               trustedStoreLocation="LocalMachine"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>

Channel has the following credentials

channelFactory.Credentials.Windows.AllowedImpersonationLevel =
    System.Security.Principal.TokenImpersonationLevel.Delegation;
channelFactory.Credentials.Windows.ClientCredential =
    System.Net.CredentialCache.DefaultNetworkCredentials;

It falls with db error

Login failed for user 'NT AUTHORITY\Anonymous'

So, there is some problem with WCF delegation. When I tried to use simple username/password authentication, it worked fine - so, certificates and so on are fine.

I did Step 4 on this instruction, but it doesn't work.

Maybe something is wrong with my code or configs? How can I fix it?

UPDATE.

  1. Tried (no result)

    [OperationBehavior(Impersonation = ImpersonationOption.Allowed)] => [OperationBehavior(Impersonation = ImpersonationOption.Required)]

  2. Tried (no result)

  3. On the service side

    ServiceSecurityContext.Current.WindowsIdentity.ImpersonationLevel = Impersonation (not Delegation!)

  4. When I tried to change identity for IIS pool from ApplicationPoolIdentity to IISLogin@myDomain.ru, the client on the computer 3 crashed.

È stato utile?

Soluzione 2

Unfortunatelly, Transport/TransportWithMessageCredential security mode doesn't support such work with client credentials and delegation. I've changed CommonWindowsBinding in the following way

Server

    <binding name="CommonWindowsBinding" maxReceivedMessageSize="40000000">
      <security mode="Message">
        <message clientCredentialType="Windows" />
      </security>
    </binding>

Client

    <binding name="CommonWindowsBinding" closeTimeout="00:01:00"
        openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
        transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions"
        hostNameComparisonMode="StrongWildcard" listenBacklog="10"
        maxBufferPoolSize="524288" maxBufferSize="65536" maxConnections="10"
        maxReceivedMessageSize="40000000">
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <reliableSession ordered="true" inactivityTimeout="00:10:00"
            enabled="false" />
       <security mode="Message">
        <message clientCredentialType="Windows" />
      </security>
    </binding>

Altri suggerimenti

In your computer3 config try the following (in place of your current <behaviors>...</behaviors> block):

<behaviors>
  <endpointBehaviors>
    <behavior name="CustomBehavior">
      <clientCredentials>
        <!--<windows allowNtlm="false" allowedImpersonationLevel="Delegation" />-->
        <windows allowNtlm="true" allowedImpersonationLevel="Delegation" />
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>

Edit you might also need to setup Active Directory record on Computer2 to allow credential delegation to Computer1 on "all types" (not just Kerberos)

Autorizzato sotto: CC-BY-SA insieme a attribuzione
Non affiliato a StackOverflow
scroll top