具有SSO的自托管WCF服务器

Question

We've got a self-hosted WCF service that is hosting content over HTTP and would like to be able to support single sign-on with Windows / AD. Ideally this would support IE, Firefox and Chrome.

I've built the following sample service that returns some plain text over HTTP. Note: in the production version of this we are using SSL but I've turned that off below to make running the sample less finicky.

We set the HttpSecurityMode to TransportCredentialOnly and then the ClientCredentialType to HttpClientCredentialType.Windows which, I believe, would use Kerberos.

If I use "NTLM" instead of "Windows" it does seem to work but I gather that using NTLM is not advised and it breaks if we have a reverse proxy sitting in front of our service.

When we run the following code and connect in IE 10 we get do get prompted for our Windows credentials but after entering those we just get a HTTP 400 and I don't hit any breakpoints within my "Get" method. Ideally what we should see is a response saying "Hello, [Domain\\User]!" but we aren't making it that far.

Our testing machines (client and server) are all part of the same Windows domain. I'm running the service as a local admin but not domain admin (if that would matter).

We would appreciate any help!

using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Web;
using System.Text;

namespace WindowsAuthService
{
    [ServiceContract]
    public interface ITestService
    {
        [OperationContract]
        [WebGet(UriTemplate = "{*path}")]
        Stream Get(string path);
    }


    public class TestService : ITestService
    {
        public Stream Get(string path)
        {
            WebOperationContext.Current.OutgoingResponse.Headers.Add(HttpResponseHeader.ContentType, "text/plain");
            if (OperationContext.Current.ServiceSecurityContext == null)
                return new MemoryStream(Encoding.ASCII.GetBytes(String.Format("Hello, {0}!", "Anonymous Stranger")));
            else
                return new MemoryStream(Encoding.ASCII.GetBytes(String.Format("Hello, {0}!", OperationContext.Current.ServiceSecurityContext.WindowsIdentity.Name)));
        }
    }

    class Program
    {
        private const string URL = "http://mymachine.mydomain:7777";
        static void Main(string[] args)
        {
            WebServiceHost serviceHost = new WebServiceHost(new TestService());
            foreach (IServiceBehavior attr in serviceHost.Description.Behaviors)
            {
                if (attr is ServiceBehaviorAttribute)
                {
                    ServiceBehaviorAttribute serviceAttr = (ServiceBehaviorAttribute)attr;
                    serviceAttr.InstanceContextMode = InstanceContextMode.Single;
                    serviceAttr.ConcurrencyMode = ConcurrencyMode.Multiple;
                }
            }
            WebHttpBinding binding = new WebHttpBinding(WebHttpSecurityMode.TransportCredentialOnly);
            binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
            ServiceEndpoint serviceEndpoint = serviceHost.AddServiceEndpoint(typeof (ITestService), binding, URL);
            serviceEndpoint.Behaviors.Add(new WebHttpBehavior());
            Console.WriteLine("Service Listening @ " + URL);
            serviceHost.Open();
            Console.WriteLine("[ Press Enter to Quit ]");
            Console.ReadLine();
        }
    }
}

Answer 1

You've got working code. I guess you have a proxy. If yes, in IE 10, go to menu Tools > Internet Options > Connections (tab) > LAN Settings. In the dialog, check on Bypass proxy server for local addresses.

Also, you can go to Security Tab > Local Intranet > Click on Sites button and choose Automatically detect local intranet - you wont be prompted for credentials - IE 10 will send credentials of logged in user.