WCF authentication via Kerberos on Windows XP

1
votes

I have got a .NET WCF client talking to a Java server component. Server-side authentication is done via an intermediate Apache server that is configured as a reverse proxy.

The .NET client has a configuration as follows:

<basicHttpBinding>
    <binding name="AdministrationServiceImplServiceSoapBinding">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" proxyCredentialType="Windows" />
          </security>
    </binding>
</basicHttpBinding>

The Apache is configured to require a Kerveros authentication:

<LocationMatch "^...$">
  AuthType Kerberos
  Krb5Keytab ...
  KrbServiceName HTTP/hostname
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  Require valid-user
  Satisfy All
</LocationMatch>

If I start my application on Windows 7, everything works as expected: the .NET client is using Kerberos, Apache authenticates the client, I can access the client credentials using Spring security.

If I start my application on Windows XP, I get an HTTP 401 error message. After watching the network communication using WireShark, I saw this happening:

(1) Initial attempt to access the web service without authentication

POST <path> HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: ""
Host: <host>
Content-Length: 374
Expect: 100-continue
Connection: Keep-Alive

(2) 100 Continue reply from server

HTTP/1.1 100 Continue

(3) SOAP request from client (still unauthenticated)

(4) Server giving 401 response

HTTP/1.1 401 Authorization Required
Server: Apache
WWW-Authenticate: Negotiate

(5) Attempt of Client to use NTLM for authentication

POST <path> HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: ""
Authorization: Negotiate TlRMTVNTUAABAAAAt4IY4gAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
Host: <host>
Content-Length: 0

(6) 401 message from server (we don't speak NTLM here!)

HTTP/1.1 401 Authorization Required

(7) Client giving up

When I decode the Base64 negotiate header from the client, it starts with NTLMSSP\x00 indicating that the client wants to do NTLM authentication despite of the configuration file specifying "Windows" (aka Kerberos) for the autentication.

Is there anything that I can do on the client side to persuade .NET to use Kerberos? If not, what should my Apache return so that the client knows it should use Kerberos?

1
wcfkerberos
I found a related SO question, but the answers there did not help: stackoverflow.com/questions/2319001/…nd.

1 Answers

0
votes

Windows did not use the correct service principal name (SPN) for the Kerberos-secured service: When using Kerberos, Windows should lookup the SPN HTTP/$servername in the active directory.

A possible cause of errors is that the SPN for the service does not exist and must be created (c.f. Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 3). In my setup, however, the SPN did exist, but somehow Windows did not retrieve them). Using KerbTray I verified that Windows did in fact not contain a Kerberos ticket for HTTP/$servername.

The solution was to explicitly define the SPN in the WCF client configuration.

<endpoint address="http://$servername/Service" />

became

<endpoint address="http://$servername/Service" />
  <identity>
    <servicePrincipalName value="HTTP/$servername" />
  </identity>
</endpoint>