Maico

Reputation: 171

Passing windows security token to an object that calls another webservice using NTLM and windows authentication

I have a web application that calls an object of a referenced dll/api that calls a wcf service.

Machine 1 = where the wcf service resides
Machine 2 = IIS server, the web application that uses the api that calls the service from Machine 1

My code:

using System.Security.Principal;
// Impersonate() returns a WindowsImpersonationContext; Dispose() reverts to the process identity
using (WindowsImpersonationContext ctx = identity.Impersonate()) {
  //Call to the API goes here
}

When I access the website from Machine 2 (IIS Server), it works. But when I access the website from another client machine, it gives me an error "The Request Token Could not be satisfied".

NOTE: The API is already final, and I cannot modify it anymore.

Any help would be greatly appreciated.

Thanks

Upvotes: 5

Views: 503

Answers (2)

Donal

Reputation: 32823

You cannot do NTLM and then Kerberos over multiple hops (servers). You need to use Kerberos to delegate windows authentication over all the hops.

You need to configure SPNs to enable Kerberos to delegate authentication across machines.

To configure these, you will have to issue the following commands - assuming you have rights to modify AD:

SETSPN -S HTTP/Machine1 ADDomain\AppPoolCredential1
SETSPN -S HTTP/Machine1.domainname.com ADDomain\AppPoolCredential1

SETSPN -S HTTP/Machine2 ADDomain\AppPoolCredential2
SETSPN -S HTTP/Machine2.domainname.com ADDomain\AppPoolCredential2

Where ADDomain\AppPoolCredential is the credential of the app pool - note you cannot use Network Service as the app pool credential to get Kerberos delegation to work. You need to use a domain account.

In AD, you need to enable the following objects to allow Kerberos delegation:

ADDomain\AppPoolCredential1
ADDomain\AppPoolCredential2
Machine1
Machine2

Trust object for delegation in AD

For more information, see here

Upvotes: 2
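As an added diagnostic (my example, not code from the question or from either answer), the helper below runs inside the impersonation block on Machine 2 and reports whether the token IIS holds for the browser user is a Kerberos token at Delegation level, which is what the second hop to Machine 1 needs for a client on another machine; an Impersonation-level token is the NTLM fallback this answer describes. It assumes `identity` is the caller's WindowsIdentity; the names `DoubleHopCheck`, `ReadyForSecondHop` and `Describe` are mine.

```csharp
using System;
using System.Security.Principal;

// Hypothetical helper for the web application on Machine 2. It inspects the
// token that will be forwarded to the WCF service on Machine 1 after
// identity.Impersonate(). For a browser on a different machine, only a token
// at TokenImpersonationLevel.Delegation (obtained via Kerberos with the SPNs
// and delegation trust configured) can be used for that second hop.
public static class DoubleHopCheck
{
    // True when the current token may be used to authenticate to Machine 1
    // on behalf of the user from a remote client.
    public static bool ReadyForSecondHop(WindowsIdentity current)
    {
        return current.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }

    // Human-readable summary for logging when the second hop is refused.
    // AuthenticationType is informational: "Kerberos" or "NTLM" on the
    // logon session token, "Negotiate" when ASP.NET reports the scheme.
    public static string Describe(WindowsIdentity current)
    {
        return string.Format("user={0} auth={1} level={2} secondHopOk={3}",
                             current.Name,
                             current.AuthenticationType,
                             current.ImpersonationLevel,
                             ReadyForSecondHop(current));
    }
}

// Usage inside the question's impersonation block (identity is the
// WindowsIdentity of the authenticated browser user):
//
// using (WindowsImpersonationContext ctx = identity.Impersonate())
// {
//     WindowsIdentity current = WindowsIdentity.GetCurrent();
//     if (!DoubleHopCheck.ReadyForSecondHop(current))
//         throw new InvalidOperationException(DoubleHopCheck.Describe(current));
//     // Call to the API goes here
// }
```

Logging the Describe() output before the API call shows whether Kerberos was negotiated at all and at which impersonation level, which separates an SPN problem (NTLM fallback) from a missing delegation trust (Kerberos at Impersonation level).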

Mert Gülsoy

Reputation: 2929

NTLM works in the machine with the local security context. If you want to use NTLM over different machines, these machines should share the same security context, like an Active Directory domain. If your site (where the machines are in) does not have the same security context, this would not work. You can use a client certificate by changing the service's config, not changing the dll or code.

Upvotes: 0
