3
votes

Hope someone can help!

I am calling a WCF service using JSON but I am not able to get the user credentials out.
We are using Kerberos, so IIS is set up as follows:

Server-side tasks:

  1. IIS server is a member of the domain
  2. Set the IIS server computer account in the AD Users & Computers MMC as "Trusted for Delegation"
  3. IIS server must be rebooted for this policy to take effect.
  4. Integrated Windows Authentication only must be selected for the site / virtual directory
  5. IIS must not have NTLM-only set as the authentication method (this is usually not a problem; NEGOTIATE is the default, so unless you specifically ran a script to change this, don't worry about it).
  6. The IIS server name must either exactly match the account name in AD, or the SetSPN tool should be used in cases where the IIS site is given an alternative name (e.g. the server is called server01.domain.com and the website is called www.application.com).

Client-side tasks:

  1. Client must be using IE 5.x+. If the client is running IE 6, ensure that "Enable Integrated Windows Authentication (requires restart)" is selected from Tools > Internet Options > Advanced.
  2. The web site MUST be recognized as a Local Intranet (not Internet Zone) site by the client. I have not seen any documentation explaining why, but I have just never been able to get it to work otherwise. If necessary, specifically add it to the Local Intranet sites list.
  3. The client account must not be marked as "Sensitive, Do not Delegate" in the AD Users and Computers MMC.

Everything works nicely when using wsHttpBinding. However, to get JSON working I have to use webHttpBinding. I then need to get the user credentials out so I can use impersonation to talk to the backend services.

My binding in the WCF config is as below; I used http://underground.infovark.com/2008/03/21/wcf-webhttp-binding-and-authentication/ to help:

<webHttpBinding>
    <binding name="AjaxBinding">
        <security mode="None">
            <transport clientCredentialType="Ntlm" />
        </security>
    </binding>
</webHttpBinding>

<endpoint name="DataJson" address="Datajson" binding="webHttpBinding" 
        bindingConfiguration="AjaxBinding" 
        behaviorConfiguration="jsonbehaviour" contract="MyContract"/>

<behavior name="jsonbehaviour">
     <!--<webHttp/>-->
     <enableWebScript/>
</behavior>

It is calling the WCF service successfully, but I am unable to get anything other than anonymous from HttpContext.Current.User.Identity or ServiceSecurityContext.Current.WindowsIdentity, so I am unable to do:

// Identity is a property, not a method, so no parentheses after it.
WindowsIdentity identity = (WindowsIdentity)HttpContext.Current.User.Identity;

using (identity.Impersonate())
{
    // ... code to call application B goes here ...
}

I have tried adding this to the web.config, in case it is the multiple-identities issue that I read about:

<deny users="?"/>

Any ideas, anyone?

1 Answer

1
votes
  • Do you have this section in your config?

    <system.web>
        <identity impersonate="true"/>
    </system.web>

  • Under what account is your application pool running? (Network Service, right?)
  • You don't perhaps have duplicate SPNs on the domain?

These are the only things that I have on my "list" of things to check when doing integrated authentication that you did not explicitly mention in your question. Hope it helps?
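Pulling the question's binding and the answer's checklist together, the web.config below is an added example and is not the original poster's or the answerer's configuration. It places the posted binding (mode="None", which switches transport security off so the clientCredentialType is ignored and every caller arrives anonymous) beside a corrected one that asks for a Windows transport credential. The names AjaxBinding, DataJson, jsonbehaviour and MyContract come from the question; the service class name MyService, the aspNetCompatibility setting and the IIS 7+ system.webServer section are assumptions about a typical IIS-hosted service and are marked as such in the comments.

```xml
<?xml version="1.0"?>
<!-- Added example; not the poster's or the answerer's config. Only AjaxBinding,
     DataJson, jsonbehaviour and MyContract come from the thread. MyService and
     everything else are assumptions for a typical IIS-hosted WCF service. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <webHttpBinding>
        <!-- As posted (weak): mode="None" turns transport security off, so the
             clientCredentialType is ignored and every caller is anonymous.
             Kept here only for comparison; do not use it. -->
        <binding name="AjaxBinding_AsPosted">
          <security mode="None">
            <transport clientCredentialType="Ntlm" />
          </security>
        </binding>

        <!-- Corrected: TransportCredentialOnly keeps plain HTTP but requires a
             transport-level credential. "Windows" selects Negotiate, so Kerberos
             is used when the SPN resolves (the delegation hop needs Kerberos)
             and NTLM is only the fallback; "Ntlm" would pin the service to NTLM,
             which cannot delegate to the backend. -->
        <binding name="AjaxBinding">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </webHttpBinding>
    </bindings>

    <services>
      <!-- MyService is an assumed class name implementing the question's MyContract. -->
      <service name="MyService">
        <endpoint name="DataJson" address="Datajson" binding="webHttpBinding"
                  bindingConfiguration="AjaxBinding"
                  behaviorConfiguration="jsonbehaviour" contract="MyContract" />
      </service>
    </services>

    <behaviors>
      <endpointBehaviors>
        <behavior name="jsonbehaviour">
          <enableWebScript />
        </behavior>
      </endpointBehaviors>
    </behaviors>

    <!-- Assumption: the service class carries
         [AspNetCompatibilityRequirements(RequirementsMode = Allowed)].
         Without compatibility mode HttpContext.Current is null inside a WCF
         operation and ASP.NET's <identity impersonate="true"/> does not apply
         to it; ServiceSecurityContext.Current.WindowsIdentity works either way. -->
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
  </system.serviceModel>

  <system.web>
    <!-- Windows auth for the ASP.NET pipeline, the answer's
         <identity impersonate="true"/>, and the question's <deny users="?"/>
         inside the <authorization> element it belongs to. -->
    <authentication mode="Windows" />
    <identity impersonate="true" />
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- IIS 7+ only: anonymous off, Windows auth on, Negotiate offered before NTLM.
       These elements are locked at the server level by default; unlock them in
       applicationHost.config or make the same change in IIS Manager. -->
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true">
          <providers>
            <clear />
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

With this in place the service code can read ServiceSecurityContext.Current.WindowsIdentity and call Impersonate() on it, as in the question. TransportCredentialOnly carries the Negotiate/NTLM exchange over plain HTTP; if the site is served over HTTPS, use mode="Transport" with the same transport element instead, which also removes the NTLM-relay exposure of the fallback. The browser side still has to send Negotiate at all, which is why the Local Intranet zone requirement in the question matters.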