WCF kerberos delegation to services on the same machine

Question

I have the following set-up:

Client -> MiddleWS (ISS-hosted WCF) -> DestWS1 and DestWS2 (Self-hosted WCF services)

All machines run on a Intranet with Active Directory. I need to be able to propagate ones credentials from the client to DestWS1 and DestWS2 (these two run in a self-hosted environment on the same server, though with different addresses). Everything works fine if I make a request from the client to the MiddleWS, which then makes a request to either DestWS1 or DestWS2. However, if I want to make two subsequent requests from MiddleWS to DestWS1 and DestWS2, then the second requests does not succeed (gives permissions issue).

DestWS1 and DestWS2 have to different addresses (fx, http://server/DestWS1.svc and http://server/DestWS2.svc ). I have two WCF clients generated from their WSDLs. Seems like if I create two clients (hence two channels), the second one fails (something happens with the kerberos token). If I use only one client but make two calls from it to the same service, both requests work perfectly. Once I close the channel, the token cannot be transferred anymore, it looks like.

Anyone with similar issues?

Answer 1

Apparently the issue was due to asynchronous communication. When calling both services async, the authentication is lost. There are two possible solutions: - switch to synchronous requests - change alwaysFlowImpersonationPolicy to true in the configuration (I haven't tried it, but many others point to it as solution) :)