在调用WCF的网站上模拟用户

Question

My service is a netTCP webservice and the site that hooks up to it is a windows authenticated Impersonated website. When I attempt to hit my service and the service and the site are on the same server, then this work right. When I attempt to hit the service from my development machine or from an IIS instance running on my local machine it works. The only time it doesn't work is when my website is on another server from the website. Looking at the output of a WCF utility, we found out that an anonymous user is attempting to hit our service. What is crazy though is that I have the username displayed in the upper right corner of the service.

Page.User.Identity.Name

I guess I would like to find out if I am impersonating clients correctly. My suspicion is that It works on those instances because there is not a specific handshake necessary when both application pools run on the local machine. That would again be the case on my local machine (not sure why, but I am thinking that maybe there is some kind of implied security when I go from my logged in machine to a server). Here is how I impersonate a user...

    client2.ChannelFactory.Credentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;

I think I have my IIS 7 windows 2008 setup correctly. I have aspnet impersonation enabled for the site in addition to windows authentication enabled for the site. I have everything but windows authentication disabled for the service. I have the application pool set to a specific id. I am not exactly sure what I am missing. I am not yet a master of wcf services so I think I have limited knowledge in this area. If you guys have any ideas or advice, please let me know.

Answer 1

So it seems you have the issue below. I think this has to do with Machine B not trusting Machine A to pass on its credentials. This manifests itself in different ways.

You need to make changes in Active Directory from a constratined to trust Machine A for kerberos credentials delegation by doing the following (more here )

• Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
• Expand domain, and expand the Computers folder.
• In the right pane, right-click the computer name for the Web server, select Properties, and then click the Delegation tab.
• Click to select Trust this computer for delegation to any service (Kerberos only).
• Click OK.

It seems to me the crux of the issue is that while Machine B accepts the request, it doesn't trust Machine A to pass on the creds. This is the classic double hop problem it seems. This is typical especially when working with SQL server for a machine that is not delegated, you'll see errors like: Login failed for user '(null)'. Reason: Not associated with a trusted SQL Server connection. Anyhow, SQL isn't your problem here, just showing as an example since I've fought that one before. I'm not up to date on the latest Win2k8 changes, but it may be possible to grant delegation privs at a more granular level as well. Also in the picture below the dashed line I meant to say "Machine B must trust Machine A to pass creds"