I have a problem where I am connecting to a WCF service from IIS and it's passing in the IIS application pool credentials instead of my Windows credentials. When I run the website locally by hitting F5 in VS it passes in my Windows credentials, which is what I want.
My website is set up to use Windows Authentication and anonymous auth is turned off.
I can see in the Windows Event Viewer that it's not using Kerberos to connect to the box IIS is on; it's using NTLM. But I can see that it's using Kerberos when going from IIS to my WCF service by using:
OperationContext.Current.ServiceSecurityContext.PrimaryIdentity.AuthenticationType.ToString()
I think it should be using Kerberos when connecting to the IIS box, so any ideas there would be appreciated.
The boxes and user are set up to allow delegation and I have enabled NETTCP communication etc. on my
Here is my host config, which is hosted using a console app on the same server as the IIS server:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <binding name="defaultBinding" closeTimeout="02:02:00" openTimeout="02:01:00"
                 receiveTimeout="02:10:00" sendTimeout="02:02:00" maxBufferSize="2147483647"
                 maxReceivedMessageSize="2147483647">
          <security mode="Transport">
            <transport clientCredentialType="Windows"/>
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="defaultClientBehavior">
          <clientCredentials />
        </behavior>
      </endpointBehaviors>
      <serviceBehaviors>
        <behavior name="ServiceConfigBehavior">
          <serviceMetadata httpGetEnabled="false" />
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceAuthorization impersonateCallerForAllOperations="true" />
          <serviceCredentials>
            <windowsAuthentication includeWindowsGroups="true" allowAnonymousLogons="false" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service behaviorConfiguration="ServiceConfigBehavior"
               name="ServiceConfig">
        <endpoint address="" behaviorConfiguration="" binding="netTcpBinding"
                  bindingConfiguration="defaultBinding" contract="IServiceConfig">
          <identity>
            <servicePrincipalName value="nettcp/RDM" />
            <dns value="" />
          </identity>
        </endpoint>
        <endpoint address="mex" binding="mexTcpBinding" bindingConfiguration=""
                  contract="IMetadataExchange" />
        <host>
          <baseAddresses>
            <add baseAddress="net.tcp://ServerName:8731/ServiceConfig/" />
          </baseAddresses>
        </host>
      </service>
    </services>
  </system.serviceModel>
</configuration>
Here is my client config:
<system.serviceModel>
  <behaviors>
    <endpointBehaviors>
      <behavior name="defaultClientBehavior">
        <clientCredentials>
          <!-- the top of the posted config is cut off here; the enclosing tags above are inferred from the closing tags that survived -->
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <bindings>
    <netTcpBinding>
      <binding name="NetTcpBinding_IServiceConfig" closeTimeout="00:01:00"
               openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
               transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions"
               hostNameComparisonMode="StrongWildcard" listenBacklog="10" maxBufferPoolSize="524288"
               maxBufferSize="65536" maxConnections="10" maxReceivedMessageSize="65536">
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                      maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <reliableSession ordered="true" inactivityTimeout="00:10:00"
                         enabled="false" />
        <security mode="Transport">
          <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
          <message clientCredentialType="Windows" />
        </security>
      </binding>
    </netTcpBinding>
  </bindings>
  <client>
    <endpoint address="net.tcp://syrwp01:8731/ServiceConfig/"
              behaviorConfiguration="defaultClientBehavior" binding="netTcpBinding"
              bindingConfiguration="NetTcpBinding_IServiceConfig" contract="ServiceReference1.IServiceConfig"
              name="NetTcpBinding_IServiceConfig">
      <identity>
        <servicePrincipalName value="nettcp/RDM" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
And here's the service method that's called:
using System;
using System.Security.Principal;
using System.ServiceModel;

// Inside the ServiceConfig class that implements IServiceConfig:
[OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
public string PrintMessage(string msg)
{
    Console.WriteLine(DateTime.Now.ToString());
    // The Windows identity WCF authenticated on the IIS -> WCF hop
    WindowsIdentity callerWindowsIdentity = ServiceSecurityContext.Current.WindowsIdentity;
    // "Kerberos" or "NTLM" for that hop
    Console.WriteLine("AuthenticationType: " + OperationContext.Current.ServiceSecurityContext.PrimaryIdentity.AuthenticationType.ToString());
    // Identity the service process itself runs as
    Console.WriteLine("WindowsIdentity.GetCurrent(): {0}", WindowsIdentity.GetCurrent().Name);
    using (callerWindowsIdentity.Impersonate())
    {
        // While impersonating this should be the end user, not the app pool account
        Console.WriteLine("WindowsIdentity.GetCurrent(): {0}", WindowsIdentity.GetCurrent().Name);
    }
    Console.WriteLine("Method called successfully!");
    return msg; // the contract declares a string return value; echo the message back
}
Upvotes: 0
Views: 2100
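The question reports that Event Viewer shows NTLM for the browser-to-IIS hop. The following PowerShell is an added diagnostic, not code from the question: it reads the successful network logons (event 4624, logon type 3) from the IIS server's Security log and reports, per account, the authentication package and the impersonation level of the token IIS received. Kerberos plus an impersonation level of Delegation is what the second hop to the WCF host needs; NTLM, or a Kerberos logon at Impersonation level, cannot be forwarded. The account filter value is a placeholder; nothing else is assumed beyond an English-language event message for the Impersonation Level field.

```powershell
# Added diagnostic, not part of the original question. Run in an elevated
# PowerShell on the IIS server: reading the Security log needs local admin rights.
function Get-IisLogonAudit {
    [CmdletBinding()]
    param(
        [int]$MaxEvents = 500,
        # Wildcard on DOMAIN\user, e.g. 'CORP\jsmith'; '*' keeps everything (placeholder)
        [string]$Account = '*'
    )

    # 4624 = successful logon. Logon type 3 (network) is what IIS Windows
    # Authentication produces; interactive (2) and RDP (10) logons are skipped.
    $filter = @{ LogName = 'Security'; Id = 4624 }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop) {
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['LogonType'] -ne '3') { continue }

        $who = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        if ($who -notlike $Account) { continue }

        # The raw XML stores the impersonation level as a resource ID (%%1833 etc.);
        # the rendered message carries the readable word, so take it from there
        # and fall back to the raw value on a non-English system.
        $level = if ($e.Message -match 'Impersonation Level:\s+(\S+)') { $Matches[1] } else { $d['ImpersonationLevel'] }

        [pscustomobject]@{
            Time          = $e.TimeCreated
            Account       = $who
            AuthPackage   = $d['AuthenticationPackageName']   # Kerberos or NTLM
            Impersonation = $level                            # Identification / Impersonation / Delegation
            ClientAddress = $d['IpAddress']
        }
    }
}

# Usage: one row per network logon, then a count per account, package and token level.
$logons = Get-IisLogonAudit -MaxEvents 500
$logons | Format-Table Time, Account, AuthPackage, Impersonation, ClientAddress -AutoSize

# Only rows showing Kerberos + Delegation can be passed on to the WCF host.
$logons |
    Group-Object Account, AuthPackage, Impersonation |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

If the browser's logons show NTLM, the usual causes are: no HTTP/<hostname> SPN on the app pool account (once the pool runs as a domain account rather than Network Service the SPN must live on that account, not on the machine), the site being reached by IP address or by an alias that has no SPN, or the site not being in the browser's Intranet zone so the browser never attempts Negotiate. If the logons are Kerberos but the level is Impersonation rather than Delegation, the IIS account has not been trusted for delegation in AD, which is the other half of the double-hop setup.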
Reputation: 1644
Make sure that you specify:
<system.web>
  <identity impersonate="true" />
  <authentication mode="Windows" />
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
This ensures that anonymous login is not allowed.
Additionally, if you want to pass your creds to the WCF service you need to use delegation. Create a behavior in your website's web.config like this:
<behaviors>
  <endpointBehaviors>
    <behavior name="DelegationBehavior">
      <callbackDebug includeExceptionDetailInFaults="true" />
      <clientCredentials>
        <windows allowedImpersonationLevel="Delegation" />
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
and use it in your endpoint via behaviorConfiguration="DelegationBehavior".
If this does not work, try adding <serviceAuthenticationManager authenticationSchemes="IntegratedWindowsAuthentication" /> to the <serviceBehavior> tag in the WCF's web.config.
And don't forget to decorate your WCF methods with:
[OperationBehavior(Impersonation = ImpersonationOption.Required)]
or, alternatively, you can impersonate every call via an additional tag in <serviceBehavior>:
<serviceAuthorization impersonateCallerForAllOperations="true" />
I'm currently experiencing another issue, but my configuration that should work for your scenario is posted here: My Stackoverflow Post
I know this is a very old post, but hopefully this was helpful to someone experiencing the same problem.
Upvotes: 2
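The answer above covers the WCF side of delegation (allowedImpersonationLevel="Delegation" on the client, impersonation on the service). The other half lives in Active Directory, and this added PowerShell check, which is not code from the answer or the question, verifies it over ADSI without needing the RSAT module: that the HTTP SPNs for the site are registered exactly once and on the app pool account (so hop 1 can be Kerberos at all), that the WCF host's SPN is registered exactly once, and that the app pool account is permitted to delegate to that SPN. The account name svc_web and the host name syrwp01.corp.example are hypothetical placeholders; nettcp/RDM is the SPN from the question.

```powershell
# Added check, not part of the original answer. Run on any domain-joined machine
# as a user who can read AD. Computer accounts are addressed as 'NAME$'.
function Get-DelegationStatus {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $s = [adsisearcher]"(sAMAccountName=$SamAccountName)"
    [void]$s.PropertiesToLoad.AddRange([string[]]@('servicePrincipalName', 'userAccountControl', 'msDS-AllowedToDelegateTo'))
    $r = $s.FindOne()
    if (-not $r) { throw "account '$SamAccountName' not found" }

    $uac = [int]$r.Properties['useraccountcontrol'][0]
    # userAccountControl flags (ADS_USER_FLAG_ENUM):
    #   0x80000   TRUSTED_FOR_DELEGATION          "Trust this account for delegation to any service" (unconstrained)
    #   0x1000000 TRUSTED_TO_AUTH_FOR_DELEGATION  constrained delegation with protocol transition
    #   0x100000  NOT_DELEGATED                   "Account is sensitive and cannot be delegated"
    [pscustomobject]@{
        Account             = $SamAccountName
        SPNs                = @($r.Properties['serviceprincipalname'])
        Unconstrained       = [bool]($uac -band 0x80000)
        ProtocolTransition  = [bool]($uac -band 0x1000000)
        AllowedToDelegateTo = @($r.Properties['msds-allowedtodelegateto'])
        NotDelegated        = [bool]($uac -band 0x100000)
    }
}

function Find-SpnOwners {
    param([Parameter(Mandatory)][string]$Spn)
    # A missing SPN makes the client fall back to NTLM; a duplicate SPN makes the
    # KDC refuse the ticket request, with the same visible result.
    $s = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$s.PropertiesToLoad.Add('sAMAccountName')
    @($s.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })
}

function Test-SecondHop {
    param(
        [Parameter(Mandatory)][string]$FrontEndAccount,   # IIS app pool identity
        [Parameter(Mandatory)][string]$SiteHost,          # name the browser uses for the site
        [Parameter(Mandatory)][string]$TargetSpn          # SPN of the WCF host
    )
    $fe = Get-DelegationStatus $FrontEndAccount
    $findings = @()

    # Hop 1: browser -> IIS. Both the FQDN and short-name HTTP SPNs must be on the app pool account.
    $hop1Spns = @("HTTP/$SiteHost", "HTTP/$($SiteHost.Split('.')[0])") | Select-Object -Unique
    foreach ($spn in $hop1Spns) {
        $owners = Find-SpnOwners $spn
        if ($owners.Count -eq 0)                 { $findings += "missing SPN $spn (browser will fall back to NTLM)" }
        elseif ($owners.Count -gt 1)             { $findings += "duplicate SPN $spn on: $($owners -join ', ')" }
        elseif ($owners[0] -ne $FrontEndAccount) { $findings += "$spn is on $($owners[0]), not on $FrontEndAccount" }
    }

    # Hop 2: IIS -> WCF. The target SPN must exist once, and the front end must be allowed to delegate to it.
    $targetOwners = Find-SpnOwners $TargetSpn
    if ($targetOwners.Count -ne 1) { $findings += "$TargetSpn is registered $($targetOwners.Count) times; expected exactly 1" }

    if ($fe.Unconstrained) {
        $findings += "$FrontEndAccount has unconstrained delegation; constrain it to $TargetSpn instead"
    } elseif ($fe.AllowedToDelegateTo -notcontains $TargetSpn) {
        $findings += "$FrontEndAccount is not allowed to delegate to $TargetSpn (msDS-AllowedToDelegateTo)"
    }

    [pscustomobject]@{ FrontEnd = $fe; Findings = $findings }
}

# Usage with the hypothetical names; an empty Findings list means AD is set up for both hops.
$result = Test-SecondHop -FrontEndAccount 'svc_web' -SiteHost 'syrwp01.corp.example' -TargetSpn 'nettcp/RDM'
$result.FrontEnd
$result.Findings
```

Two practical points. First, "allow delegation" in the question most likely means the unconstrained option ("Trust this computer for delegation to any service"); that works, but it lets anyone who compromises the IIS host reuse every caller's forwarded TGT against any service in the forest. Constrained delegation, populating msDS-AllowedToDelegateTo with just nettcp/RDM, gives the same result for this scenario with far less exposure, and the script flags the unconstrained case for that reason. Second, delegation also depends on the end user: an account with NOT_DELEGATED set, or a member of the Protected Users group, will never produce a forwardable ticket, so run Get-DelegationStatus on the test user as well if the front end checks out.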
Reputation: 17718
Sounds like a case of the Double Hop Problem. The server can't pass along impersonation of credentials it received over the network to another host in most situations.
Here's a blog post describing this phenomenon in more detail.
Upvotes: 2