
Impersonate User in SharePoint 2010 web part to call WCF service

I have a Web Part where I am trying to call a WCF Service as the current logged in user. The Web Part works locally when debugging in Visual Studio 2013 - calling the external WCF service. I have configured Kerberos for the WCF Service as well as the SharePoint site and feel like that is all correct. I can call the WCF Service correctly from another Kerberos enabled web app fine as well as from a console app.

Now I'd like to roll this to a SharePoint farm. However, after I add the solution to the farm and activate the feature on the SharePoint site...I get an error when I try to add the web part to a page. The error comes up in a box that says "The caller was not authenticated by the service.". The error comes from the actual method call.

My web part code is as such:

using System.Security.Principal;   // TokenImpersonationLevel

// Service-reference client; the endpoint name matches the <client> entry in web.config
WorksiteService.iWorksiteServiceClient wss = new WorksiteService.iWorksiteServiceClient("WSHttpBinding_iWorksiteService");
wss.ClientCredentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultNetworkCredentials; // token of the current (impersonated) thread
wss.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
WorkSiteDocument[] wd = wss.GetDocumentsByAlias2("test"); // "The caller was not authenticated by the service" is raised here

The web.config for the SharePoint site has this for the endpoint:

<system.serviceModel>
  <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
  <bindings>
    <wsHttpBinding>
      <binding name="WSHttpBinding_iWorksiteService" />
    </wsHttpBinding>
  </bindings>
  <client>
    <endpoint address="http://myservicerd.xyz.com/WorkSiteService.svc" binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_iWorksiteService" contract="WorksiteService.iWorksiteService" name="WSHttpBinding_iWorksiteService">
      <identity>
        <servicePrincipalName value="myservicerd.xyz.com" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>

Any ideas on why I get that error? I'm assuming I'm not getting the current user's credentials for some reason. There is nothing in the event or SharePoint logs of the SharePoint server or WCF server. Any ideas on how I can troubleshoot this? Thank you for any assistance you can provide.

I'm not a SharePoint expert, but from a Kerberos perspective I would suggest checking the delegation settings in Active Directory, just as Marek suggested.

In a double-hop scenario like this, the 'man' in the middle must be permitted to take on the identity of the client.

The question remains who the 'man' in the middle is, which depends on the IIS configuration. If IIS is configured for kernel-mode authentication, the middle identity is probably the computer account of the server IIS is installed on.

Otherwise I would assume that the identity that needs delegation rights should be the identity of the application pool the web part runs in.

Once you have determined the identity, go to the appropriate Active Directory account (delegation tab) and select 'Account is trusted for delegation'.

Maybe this blog article can shed some light on this: http://tekaris.com/blog/2013/04/05/http-400-bad-request-kerberos-authentication-with-iis-2/
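To see which token the web part actually hands to the WCF client before digging into the AD delegation tab, the following C# helper (an added example, not code from the question or the answer; the class name DelegationCheck and the method names are my own) reports the request user, the thread identity, the authentication type (Kerberos vs NTLM) and the impersonation level, and runs the service call with the request user's token explicitly impersonated. It assumes the web part runs inside an ASP.NET request with Windows authentication.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel.Security;
using System.Web;

// Added example (not from the original post). Reports the identity an outgoing
// WCF call will use and wraps the call in an explicit impersonation of the request user.
public static class DelegationCheck
{
    // Summarise the token that CredentialCache.DefaultNetworkCredentials will pick up.
    public static string DescribeCallerToken()
    {
        WindowsIdentity thread = WindowsIdentity.GetCurrent();
        IIdentity request = HttpContext.Current != null ? HttpContext.Current.User.Identity : null;
        string requestName = request != null ? request.Name : "(no HttpContext)";

        // auth "NTLM" means the browser never obtained a Kerberos ticket for the SharePoint
        // SPN; an NTLM token cannot be forwarded to the second hop by plain Kerberos
        // delegation. Level must be Impersonation or Delegation: Identification lets the
        // token be inspected but not used to open a network connection.
        return string.Format(
            "request user={0}; thread identity={1}; auth={2}; level={3}",
            requestName, thread.Name, thread.AuthenticationType, thread.ImpersonationLevel);
    }

    // Runs the service call while explicitly impersonating the request user, so a thread
    // that is currently running as the application pool account still presents the user's
    // credentials. The app pool (or machine) account must still be trusted for delegation
    // in AD; otherwise the service sees an anonymous caller and rejects it.
    public static T CallAsRequestUser<T>(Func<T> serviceCall)
    {
        WindowsIdentity user = HttpContext.Current.User.Identity as WindowsIdentity;
        if (user == null)
            throw new InvalidOperationException("Request is not Windows-authenticated.");

        using (WindowsImpersonationContext ctx = user.Impersonate())
        {
            try
            {
                return serviceCall();
            }
            catch (MessageSecurityException ex)
            {
                // "The caller was not authenticated by the service" surfaces here; attach
                // the token summary so the logged exception shows which hop failed.
                throw new InvalidOperationException(
                    "Second hop rejected: " + DescribeCallerToken(), ex);
            }
        }
    }
}
```

In the web part, wrap the existing call as DelegationCheck.CallAsRequestUser(() => wss.GetDocumentsByAlias2("test")) and log DescribeCallerToken() beforehand; a thread identity equal to the app pool account, or auth reported as NTLM, points at the SharePoint side rather than the service.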
