
WCF Windows authentication not working with wsHttpBinding

The problem is that I cannot get Windows authentication working with the wsHttpBinding.

This is the config:

<services>
  <service name="WcfService1.Service1">
    <endpoint address="" bindingConfiguration="testbinding" contract="WcfService1.IService1" binding="wsHttpBinding"/>
  </service>
</services>
<bindings>
  <wsHttpBinding>
    <binding name="testbinding">
      <security mode="Transport">
        <transport clientCredentialType="Windows"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

This is the response from the server when trying to call a method: "The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate oXMwcaADCgEBomoEaGBmBgkqhkiG9xIBAgIDAH5XMFWgAwIBBaEDAgEepBEYDzIwMTcwODE2MjA1MjQwWqUFAgMK8G2mAwIBKakOGwxDT1JQLlNBQUIuU0WqGjAYoAMCAQGhETAPGw1jb3JwYXBwbDU5ODgk'". There is also an inner exception saying: "The target principal name is incorrect".

I have set up a new site in IIS fresh for testing purposes with Windows authentication enabled and everything else disabled (I am not doing any ASP impersonation/double hop). The providers for Windows authentication are Negotiate, NTLM. Kernel mode authentication is enabled. The application pool is running with an Active Directory service account. The goal in the end is to use Kerberos for authentication, but since it doesn't even work with NTLM I have not started with the SPN and that stuff to get Kerberos working yet.

It does however work if I change the application pool to run with "ApplicationPoolIdentity" and not an AD service account? I must have the app pool running with the AD service account.

If I change the config to:

<services>
  <service name="WcfService1.Service1">
    <endpoint address="" bindingConfiguration="hbinding" contract="WcfService1.IService1" binding="basicHttpsBinding"/>
  </service>
</services>
<bindings>
  <basicHttpsBinding>
    <binding name="hbinding">
      <security mode="Transport">
        <transport clientCredentialType="Windows"/>
      </security>
    </binding>
  </basicHttpsBinding>
</bindings>

It works fine (keeping the AD service account as well), why is that? I don't want to use basicHttpsBinding.

I see a difference in the client config file (using the wcftestclient) that when using wshttp it has:

<identity>
  <userPrincipalName value="serviceaccount@contoso.com" />
</identity>

Does it have something to do with this? (Just guessing wildly here)

The endpoint is https,IIS 8 on Windows Server 2012R2.

A lot of it depends on how your domain is set up, but you might try a different client credential type:

<services>
  <service name="WcfService1.Service1">
    <endpoint address="" bindingConfiguration="testbinding" contract="WcfService1.IService1" binding="wsHttpBinding"/>
  </service>
</services>
<bindings>
  <wsHttpBinding>
    <binding name="testbinding">
      <security mode="Transport">
        <transport clientCredentialType="Ntlm"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

Also, with wsHttpBinding there is negotiation that takes place behind the scenes. Because the guidance on that negotiation is not specifically defined, it sometimes makes sense to turn it off:

<services>
  <service name="WcfService1.Service1">
    <endpoint address="" bindingConfiguration="testbinding" contract="WcfService1.IService1" binding="wsHttpBinding"/>
  </service>
</services>
<bindings>
  <wsHttpBinding>
    <binding name="testbinding">
      <security mode="Transport">
        <message negotiateServiceCredential="false" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

A Kerberos domain must exist for it to work.

On the client side, the generated identity tag was causing the issue:

<identity>
  <userPrincipalName value="serviceaccount@contoso.com" />
</identity>

If I clear the value it works fine. So I cleared that value in the web.config. I can now set up Kerberos and it works fine as well, gonna try setting the servicePrincipalName tag as well.
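As an added illustration (not code from the question or either answer), this is how the client side of the same setup can be wired programmatically instead of through the generated config: transport security with Windows client credentials, and an explicit SPN identity rather than the generated UPN that was causing "The target principal name is incorrect". The contract body, host name and SPN value are placeholders; the SPN must match whatever is registered for the app pool's AD service account.

```csharp
using System;
using System.ServiceModel;

// Hypothetical contract standing in for the page's WcfService1.IService1.
[ServiceContract]
public interface IService1
{
    [OperationContract]
    string Ping();
}

public static class ClientWiring
{
    public static IService1 CreateChannel()
    {
        // Equivalent of <security mode="Transport"><transport clientCredentialType="Windows"/>
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

        // Identity the client will authenticate the service as. The generated config used a
        // <userPrincipalName>; for Kerberos against an app pool running as an AD service account
        // the SPN registered for that account is the value to use. Placeholder below.
        EndpointIdentity identity = EndpointIdentity.CreateSpnIdentity("HTTP/wcfhost.contoso.com");

        var address = new EndpointAddress(
            new Uri("https://wcfhost.contoso.com/Service1.svc"), // placeholder host
            identity);

        var factory = new ChannelFactory<IService1>(binding, address);
        return factory.CreateChannel();
    }

    public static void Main()
    {
        IService1 channel = CreateChannel();
        try
        {
            Console.WriteLine(channel.Ping());
            ((IClientChannel)channel).Close();
        }
        catch (Exception)
        {
            // Abort rather than Close on a faulted channel.
            ((IClientChannel)channel).Abort();
            throw;
        }
    }
}
```

Leaving the identity out entirely, as the answer above does by clearing the generated value, is the other option; when it is set, a mismatch with the registered SPN produces the same principal-name error the question reports.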

