The problem is that I cannot get Windows authentication working with the wsHttpBinding.
This is the config:
<services>
  <service name="WcfService1.Service1">
    <endpoint address="" bindingConfiguration="testbinding" contract="WcfService1.IService1" binding="wsHttpBinding"/>
  </service>
</services>
<bindings>
  <wsHttpBinding>
    <binding name="testbinding">
      <security mode="Transport">
        <transport clientCredentialType="Windows"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
This is the response from the server when trying to call a method: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate oXMwcaADCgEBomoEaGBmBgkqhkiG9xIBAgIDAH5XMFWgAwIBBaEDAgEepBEYDzIwMTcwODE2MjA1MjQwWqUFAgMK8G2mAwIBKakOGwxDT1JQLlNBQUIuU0WqGjAYoAMCAQGhETAPGw1jb3JwYXBwbDU5ODgk'. Also there is an inner exception saying: "The target principal name is incorrect"
I have set up a new site in IIS fresh for testing purposes with Windows authentication enabled and everything else disabled (I am not doing any ASP impersonation/double hop). The providers for Windows authentication are Negotiate, Ntlm. Kernel mode authentication is enabled. The application pool is running with an Active Directory service account. The goal in the end is to use Kerberos for authentication, but since it doesn't even work with Ntlm I have not started with the SPN and that stuff to get Kerberos working yet.
It does however work if I change the application pool to be run with "ApplicationPoolIdentity" and not an AD service account? I must have the app pool running with the AD service account.
If I change the config to:
<services>
  <service name="WcfService1.Service1">
    <endpoint address="" bindingConfiguration="hbinding" contract="WcfService1.IService1" binding="basicHttpsBinding"/>
  </service>
</services>
<bindings>
  <basicHttpsBinding>
    <binding name="hbinding">
      <security mode="Transport">
        <transport clientCredentialType="Windows"/>
      </security>
    </binding>
  </basicHttpsBinding>
</bindings>
It works fine (keeping the AD service account as well), why is that? I don't wanna use basicHttpsBinding.
I see a difference in the client config file (using the WcfTestClient): when using wsHttp it has:
<identity>
  <userPrincipalName value="serviceaccount@contoso.com" />
</identity>
Does it have something to do with this? (Just guessing wildly here)
The endpoint is https, IIS 8 on Windows Server 2012 R2.
A lot of it depends on how your domain is set up, but you might try a different client credential type:
<services>
  <service name="WcfService1.Service1">
    <endpoint address="" bindingConfiguration="testbinding" contract="WcfService1.IService1" binding="wsHttpBinding"/>
  </service>
</services>
<bindings>
  <wsHttpBinding>
    <binding name="testbinding">
      <security mode="Transport">
        <transport clientCredentialType="Ntlm"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
Also, with wsHttpBinding there is negotiation that takes place behind the scenes. Because the guidance on that negotiation is not specifically defined, it makes sense sometimes to turn it off:
<services>
  <service name="WcfService1.Service1">
    <endpoint address="" bindingConfiguration="testbinding" contract="WcfService1.IService1" binding="wsHttpBinding"/>
  </service>
</services>
<bindings>
  <wsHttpBinding>
    <binding name="testbinding">
      <security mode="Transport">
        <message negotiateServiceCredential="false" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
A Kerberos domain must exist for it to work.
On the client side the generated identity tag was causing the issue:
<identity>
  <userPrincipalName value="serviceaccount@contoso.com" />
</identity>
If I clear the value it works fine. So I cleared that value in the web.config. I can now set up Kerberos and it works fine as well; gonna try setting the servicePrincipalName tag as well.
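As an added example, not part of the original question or either answer, here is a client-side app.config for the same wsHttpBinding endpoint that replaces the generated userPrincipalName identity with an explicit servicePrincipalName. The host name wcfhost.contoso.com, the service URL and the endpoint name are placeholders; the SPN value is an assumption and must match an SPN that is actually registered on the AD account running the application pool.

```xml
<!-- Added example, not the poster's configuration. Client app.config for calling
     the wsHttpBinding service over HTTPS with Windows (Kerberos/Negotiate) credentials.
     Placeholders: wcfhost.contoso.com, the address URL, the endpoint name. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <!-- Mirrors the server-side "testbinding" from the question:
             transport security with Windows client credentials. -->
        <binding name="testbinding">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <client>
      <endpoint address="https://wcfhost.contoso.com/WcfService1/Service1.svc"
                binding="wsHttpBinding"
                bindingConfiguration="testbinding"
                contract="WcfService1.IService1"
                name="WSHttpBinding_IService1">
        <identity>
          <!-- The identity the client expects the service to prove. With an app pool
               running as a domain service account, the SPN HTTP/host must be registered
               on that account; an identity the server cannot prove is what surfaces as
               "The target principal name is incorrect". Assumed value, not from the post. -->
          <servicePrincipalName value="HTTP/wcfhost.contoso.com" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
```

The identity element is a mutual-authentication check, not a cosmetic field: the client will only complete the Kerberos exchange if the ticket it obtains is for the principal named here, so leaving it empty (as the follow-up did) removes that check rather than fixing it. Before relying on the SPN form, confirm with setspn -L on the service account that the HTTP/host SPN is registered there and on no other account, since a duplicate or missing SPN makes Negotiate fall back to NTLM or fail outright.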