WCF Security: Check client domain credentials from server that is outside the domain

Question

We have a WCF service that used to be installed on a domain machine. Our clients were able to connect to this service and call WCF methods using the current user 's domain credentials.

This is the binding configuration we were using:

<netTcpBinding>
    <binding ...>
        <security mode="Transport">
            <transport clientCredentialType="Windows" protectionLevel="None" />
            <message clientCredentialType="Windows" />
        </security>
    </binding>
</netTcpBinding>

Now for some technical reasons, we had to move the service to a machine that cannot join the domain. Is it still possible to use WCF transport security for client authentication?

When the clients try to call a WCF method they get this error:

System.ServiceModel.Security.SecurityNegotiationException: The server has rejected the client credentials. ---> 
System.Security.Authentication.InvalidCredentialException: The server has rejected the client credentials. ---> 
System.ComponentModel.Win32Exception: The logon attempt failed

I have tried running the service with runas /netonly . That change enabled the service to connect to the backend SQL server using domain credentials, but it doesn't help with clients trying to connect to the service.

I did some searching and read about WCF impersonation, Kerberos tokens, CredSSP and other technologies, but I'm not sure if any of these might help my situation, which path should I take or where to start. Thanks.

Answer 1

You'll need to run your service on a domain-joined server for Windows authentication to work. You could change the type of authentication or move this service back on to your domain.

If your users authenticate directly against the database (via a Kerberos double-hop), another consequence of removing the server from the domain is that database authentication will have to be changed to use a service account.