将IIS应用程序池帐户委派给WCF服务调用

Question

I have developed a WCF service which is running in IIS (IIS 7.5 to be exact). This service runs under its own app pool, under a specific domain identity. This service references & calls other WCF services hosted elsewhere in the network, which in turn access various resources (Event Log, SQL Servers etc).

Calls to my service are authenticated using username & password, through a custom UserNamePasswordValidator . The username(s) used are not domain credentials.

What I'm trying to do, is that when my service is called & it in turn calls the referenced services using the generated proxy classes, that it delegates the application pool identity as the calling identity, since this domain account has been granted rights to access the background resources like SQL Server.

My current implementation is as follows:

Service Configuration

<system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="RemoteServiceBinding" closeTimeout="00:10:00"
          openTimeout="00:10:00" receiveTimeout="00:10:00" sendTimeout="00:10:00"
          maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647">
          <readerQuotas maxStringContentLength="2147483647" maxArrayLength="2147483647"
            maxBytesPerRead="2147483647" />
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
      <wsHttpBinding>
        <binding name="MyServiceBinding" closeTimeout="00:10:00" openTimeout="00:10:00"
          receiveTimeout="00:10:00" sendTimeout="00:10:00" maxBufferPoolSize="2147483647"
          maxReceivedMessageSize="2147483647">
          <readerQuotas maxStringContentLength="2147483647" maxArrayLength="2147483647"
            maxBytesPerRead="2147483647" />
          <security mode="Message">
            <message clientCredentialType="UserName" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <client>
      <endpoint address="http://remote.service.address/Service.svc"
        binding="basicHttpBinding" bindingConfiguration="RemoteServiceBinding"
        contract="RemoteService.IRemoteService" name="RemoteServiceBinding" />
    </client>
    <services>
      <service name="MyService.MyService" behaviorConfiguration="MyServiceBehavior">
        <endpoint address="" binding="wsHttpBinding" bindingConfiguration="MyServiceBinding" contract="MyService.IMyService">
        </endpoint>
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
        <host>
          <baseAddresses>
            <add baseAddress="http://localhost:8733/MyService/" />
          </baseAddresses>
        </host>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="MyServiceBehavior">
          <serviceMetadata httpGetEnabled="True" httpsGetEnabled="True"/>
          <serviceDebug includeExceptionDetailInFaults="True" />
          <serviceCredentials>
            <clientCertificate>
              <authentication certificateValidationMode="None" />
            </clientCertificate>
            <serviceCertificate findValue="AuthCert" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
            <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="MyService.CredentialValidator, MyService" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
</system.serviceModel>

Service behavior code

using (var client = new Proxy.RemoteServiceClient()) {
    client.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Delegation;

    return client.PerformAction();
}

Using this code, whenever a client makes a call to my service, the following is thrown:

The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'.

Could someone please assist me, or point me in the right direction on how to implement this authentication configuration?

Answer 1

I've managed to find a working solution. It is implemented as such:

The client proxy credentials need to be set to those of the IIS Application Pool, since these don't get picked up automatically:

client.ClientCredentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultNetworkCredentials;

Also, the remote service I was connecting to had a service principal that needed to be included in the endpoint configuration. So I modified the config that was generated by the VS tooling to the following:

<client>
  <endpoint address="http://remote.service.address/Service.svc"
    binding="basicHttpBinding" bindingConfiguration="RemoteServiceBinding"
    contract="RemoteService.IRemoteService" name="RemoteServiceBinding">
    <identity>
      <servicePrincipalName value="spn_name" />
    </identity>
  </endpoint>
</client>

With this configuration, I was able to authenticate to my service by username & password, then have my service access a SQL Server instance using the domain credentials that the application pool was running under in IIS.