2
votes

I have a WCF service being hosted in a Windows Service and being called from a Windows Forms application. I'm using Windows Authentication and impersonation. Impersonation is working; however, when I attempt to access SQL Server using Integrated Security I get “Login failed for user ''.” I also get the same results when hosting the service inside a console application. If I use SQL security everything works as it should.

Here is my config file for the service.

<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="WSHttpBinding_IService">
        <security mode="Message">
          <transport clientCredentialType="Windows"
                     proxyCredentialType="None" realm="" />
          <message clientCredentialType="Windows"
                   negotiateServiceCredential="true"
                   algorithmSuite="Default"
                   establishSecurityContext="true" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <!-- serviceBehaviors may appear only once under behaviors; both behaviors live in it -->
    <serviceBehaviors>
      <behavior name="ServiceBehavior">
        <serviceMetadata httpGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="false" />
        <serviceAuthorization impersonateCallerForAllOperations="true" />
      </behavior>
      <behavior name="DefaultBehavior">
        <serviceDebug includeExceptionDetailInFaults="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service behaviorConfiguration="ServiceBehavior" name="AfsNetService">
      <endpoint address="" binding="wsHttpBinding" contract="IAfsNetService">
        <identity>
          <userPrincipalName value="[email protected]" />
          <servicePrincipalName value="localhost" />
          <!--<dns value="" />-->
        </identity>
      </endpoint>
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
</system.serviceModel>

Any help with this is appreciated.

2 Answers

1
votes

This is not a WCF issue but a fundamental consequence of how authentication between machines on a network happens. It is the classic "double hop" authentication issue. Delegated authentication of the second hop between the server hosting the service and the database server is usually not possible, unless all authentication is using Kerberos, and delegation is specifically configured.

This scenario can only work at all if all the computers involved (i.e. workstation where the WinForms app is running, server hosting the Service, and the database server) are all supporting Kerberos authentication and not falling back to NTLM.

If you are sure that all authentication is using Kerberos, then you have to ensure that delegation is correctly configured. This checklist may help, though some of it relates to IIS being the middle tier server, rather than a custom service as you have.
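The two facts this answer says you must establish (was the first hop Kerberos or NTLM, and is the token delegable) are both readable from the caller's token inside the service. The following diagnostic operation is an added example, not code from the question or from the answers above; it assumes the contract and service names from the question's config (IAfsNetService, AfsNetService), and the operation name WhoAmI and the connection string are made up for illustration. It reports the caller's AuthenticationType and ImpersonationLevel, then opens the Integrated Security connection under impersonation and asks SQL Server who it sees.

```csharp
// Added diagnostic example (not the poster's code). Names other than
// IAfsNetService/AfsNetService are assumptions for illustration.
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IAfsNetService
{
    [OperationContract]
    string WhoAmI();
}

public class AfsNetService : IAfsNetService
{
    // Assumed connection string; replace the placeholder with the real server.
    private const string ConnectionString =
        "Server=SQLSERVER_PLACEHOLDER;Database=master;Integrated Security=SSPI";

    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoAmI()
    {
        // The caller's token as WCF received it on the first hop.
        // AuthenticationType is "Kerberos" when the ticket was used, "NTLM" on fallback.
        // ImpersonationLevel must be Delegation for the token to be usable on the
        // second hop; Impersonation is enough for local work only.
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        string authType = caller.AuthenticationType;
        TokenImpersonationLevel level = caller.ImpersonationLevel;

        // Thread identity after WCF's impersonation has taken effect.
        WindowsIdentity thread = WindowsIdentity.GetCurrent();

        string sqlLogin;
        try
        {
            using (var conn = new SqlConnection(ConnectionString))
            using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                conn.Open();
                // SQL Server's view of who connected. "Login failed for user ''"
                // on this call means the second hop carried no usable credentials.
                sqlLogin = (string)cmd.ExecuteScalar();
            }
        }
        catch (SqlException ex)
        {
            sqlLogin = "SQL error: " + ex.Message;
        }

        return string.Format(
            "Caller={0} AuthType={1} ImpersonationLevel={2} Thread={3} SqlLogin={4}",
            caller.Name, authType, level, thread.Name, sqlLogin);
    }
}
```

Reading the result: if AuthType is NTLM, Kerberos was never negotiated on the first hop and no amount of delegation configuration will help until that is fixed (commonly an SPN the client cannot resolve). If AuthType is Kerberos but ImpersonationLevel is Impersonation rather than Delegation, the service account has not been trusted for delegation to the SQL Server SPN, which is the checklist step this answer refers to. Only when the level reads Delegation should SqlLogin come back as the caller's name.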

1
votes

I am not sure if this will solve your problem or not, but it seems that your XML configuration is missing the bindingConfiguration tag. I think it should be like:

<endpoint address="" binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IService"/>