WCF Delegation Cheat Sheet

I’ve struggled too often getting Kerberos delegation to work with WCF – say, reaching a database over Integrated Security via a ‘double hop’. The below is a (very) quick and dirty cheat sheet I use to get it all up and running.

  1. Choose an appropriate binding – generally wsHttpBinding or netTcpBinding. I believe you can get basicHttpBinding to use delegation, given you use transport level security, but I’ve not tried this myself.
  2. Ensure your service behaviours set impersonateCallerForAllOperations="true" on serviceAuthorization (note the attribute is Operations, not Options)
    <serviceBehaviors>
       <behavior name="ContourBehavior">
          <serviceAuthorization impersonateCallerForAllOperations="true" />
       </behavior>
    </serviceBehaviors>
  3. Add Impersonation = ImpersonationOption.Required to every relevant service method implementation – on the service class, not the contract interface (WCF rejects OperationBehavior on an interface). Once impersonateCallerForAllOperations is true, every operation must be marked Allowed or Required; leave one at the default and the host throws an InvalidOperationException when it is opened.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]

  4. Inside your client app/web.config file, ensure each endpoint’s behavior configuration sets allowedImpersonationLevel="Delegation" on the client’s Windows credentials.
    <endpointBehaviors>
        <behavior name="DelegationBehavior">
           <clientCredentials>
              <windows allowedImpersonationLevel="Delegation" />
           </clientCredentials>
        </behavior>
     </endpointBehaviors>

    This tells our WCF client channel to grant the service the right to use the client’s Windows identity on the next hop (the database). The default level, Identification, lets the service see who called but not act as them; Impersonation lets it act as the caller against local resources only; Delegation is the level the second hop needs.

  5. Create a new Domain\User to run your WCF Service or IIS application pool (I’ll refer to this account as Domain\User from here on).
  6. Have your old mate Domain\User marked “Trusted for Delegation” on the account’s Delegation tab in Active Directory Users and Computers. If you can, pick “Trust this user for delegation to specified services only” and list just the downstream SPN (for example the MSSQLSvc/ SPN of your database). The “any service” option is unconstrained delegation, which lets that one account reuse every caller’s ticket against anything in the domain.
  7. Set Domain\User as your application pool identity (or as the account under which your self hosted service runs).
  8. Set up a Service Principal Name (SPN) for your service host.
      1. For wsHttpBinding hosted in IIS, the SPNs will be set thusly,
        setspn -s HTTP/[YourServerMachineName] Domain\User
        and
        setspn -s HTTP/[YourServerMachineName].[YourFullyQualifiedDomainName] Domain\User

        (Note: when hosting in IIS you can skip this step if you identify your service by its application pool identity using a User Principal Name, see
        http://msdn.microsoft.com/en-us/library/bb628618.aspx
        )

      2. and for netTcpBindings, thusly
        setspn -s [YourServiceName]/[YourServerMachineName] Domain\User
        and
        setspn -s [YourServiceName]/[YourServerMachineName].[YourFullyQualifiedDomainName] Domain\User
  9. Configure the same SPN in your client configuration file, as the identity of each endpoint (a servicePrincipalName element inside the endpoint’s identity element, carrying the value you registered above), so the client requests a Kerberos ticket for exactly that name.
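The whole procedure in one runnable piece, as an added example that is not code from the original post: a self-hosted netTcpBinding service with impersonation switched on for every operation, and a client that grants Delegation and names the service SPN. The operation reports what actually arrived at the second hop, which is the check I’d run before touching anything else. The SPN MyService/wcfhost.corp.example.com, the net.tcp address, the SQL host name and the connection string are assumptions; substitute your own. The hosting account (Domain\User) must already have the SPN registered and be trusted for delegation, as in steps 6 and 8.

```csharp
// Added example, not from the original post. Host names, SPN and connection
// string below are assumptions.
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IDelegationProbe
{
    [OperationContract]
    string WhoReachesTheDatabase();
}

// Step 3: the OperationBehavior sits on the implementation, never on the contract.
public class DelegationProbe : IDelegationProbe
{
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoReachesTheDatabase()
    {
        // With Impersonation = Required the thread token is the caller's. If the
        // client only granted Impersonation (not Delegation) the level reads
        // "Impersonation" and the network hop below cannot carry the caller.
        WindowsIdentity caller = WindowsIdentity.GetCurrent();

        // Second hop: Integrated Security with the delegated token. Assumed
        // connection string; the Server name must match the MSSQLSvc SPN.
        const string cs =
            "Server=sqlhost.corp.example.com;Database=master;Integrated Security=SSPI";
        using (var conn = new SqlConnection(cs))
        using (var cmd = conn.CreateCommand())
        {
            conn.Open();
            // SUSER_SNAME() is the login SQL Server sees (the client, if delegation
            // worked); auth_scheme is KERBEROS when the ticket was forwarded and
            // NTLM when the SQL SPN is missing and the connection fell back.
            cmd.CommandText =
                "SELECT SUSER_SNAME(), auth_scheme FROM sys.dm_exec_connections " +
                "WHERE session_id = @@SPID";
            using (var r = cmd.ExecuteReader())
            {
                r.Read();
                return string.Format("thread={0} level={1} sql_login={2} sql_auth={3}",
                    caller.Name, caller.ImpersonationLevel, r.GetString(0), r.GetString(1));
            }
        }
    }
}

public static class Program
{
    // Assumed address and SPN; the SPN is what step 8 registered on Domain\User.
    const string Address = "net.tcp://wcfhost.corp.example.com:8081/Delegation";
    const string Spn = "MyService/wcfhost.corp.example.com";

    static NetTcpBinding KerberosBinding()
    {
        // Step 1: transport security with Windows credentials (Kerberos via SPNEGO).
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        return binding;
    }

    public static void Main(string[] args)
    {
        if (args.Length > 0 && args[0] == "host")
        {
            // Run this half as Domain\User on the machine the SPN names.
            using (var host = new ServiceHost(typeof(DelegationProbe), new Uri(Address)))
            {
                // Step 2 in code: impersonate on every operation. Each operation must
                // then be marked Allowed or Required, or Open() throws.
                host.Authorization.ImpersonateCallerForAllOperations = true;
                host.AddServiceEndpoint(typeof(IDelegationProbe), KerberosBinding(), "");
                host.Open();
                Console.WriteLine("Listening on " + Address + ", press Enter to stop.");
                Console.ReadLine();
            }
            return;
        }

        // Client half. Step 4: grant Delegation (the default is Identification).
        // Step 9: name the SPN so the client asks the KDC for a ticket to it.
        var endpoint = new EndpointAddress(new Uri(Address), EndpointIdentity.CreateSpnIdentity(Spn));
        var factory = new ChannelFactory<IDelegationProbe>(KerberosBinding(), endpoint);
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;
        IDelegationProbe proxy = factory.CreateChannel();
        Console.WriteLine(proxy.WhoReachesTheDatabase());
        ((IClientChannel)proxy).Close();
        factory.Close();
    }
}
```

Run it once with the argument host, under Domain\User on the service machine, then without arguments as an ordinary domain user. The client half in config rather than code is the allowedImpersonationLevel behaviour from step 4 plus an identity element under the endpoint, `<identity><servicePrincipalName value="MyService/wcfhost.corp.example.com" /></identity>`. Reading the output: level=Impersonation means step 4 is missing; sql_auth=NTLM means the SQL SPN was not found; a second hop failing with “Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'” is the classic sign that Domain\User is not trusted for delegation (step 6); a Kerberos error on the first hop points at the service SPN in step 8.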

Here is a good basic explanation of all things delegation/Kerberos/SPN. (It’s written in the context of Microsoft Dynamics NAV but it still applies here.)

That should be all that is required for most vanilla implementations.

A couple of suggestions when troubleshooting…

  • Is the database service running as a domain account? Network Service or Local Service won’t fly! The SQL Server SPN (MSSQLSvc/[SqlHost]:[Port]) has to be registered against whatever account the service runs as, and a domain account is the one you can manage.
  • Check your host machine has a HOST/[MachineName] SPN on its computer account. If not, create it.
  • Do you have duplicate SPNs? To check, run
    setspn -X

    If your SPN appears in the returned list then you will need to resolve these duplicates: when two accounts claim one SPN the KDC may issue a ticket keyed for the wrong one, and authentication to your service fails.

  • Are you attempting to access a resource outside the scope of a WCF operation? For example, a custom IServiceBehavior or some other WCF extension point that reaches a remote (or local) resource. The impersonation from step 3 only covers the operation invocation itself, so in those places the thread is most likely running as the host account (Domain\User), not as your client.
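For the SPN bullets above, an added check that is not from the original post: a C# program that asks Active Directory which accounts hold each SPN the cheat sheet expects, so a missing HOST/ entry or a duplicate shows up together with the account that owns it, which setspn -X alone does not tell you. The host names, the service class and the SQL port are assumptions; it must run on a domain-joined machine as a user who can read the directory.

```csharp
// Added example, not from the original post. Host names and service class are
// assumptions; replace them with your own.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

public static class SpnAudit
{
    // LDAP filter escaping (RFC 4515) so a stray '*' or ')' cannot widen the search.
    public static string EscapeLdap(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Distinguished names of every account (user or computer) carrying the SPN.
    // Zero means it was never registered; two or more is a duplicate.
    public static List<string> HoldersOf(string spn)
    {
        var holders = new List<string>();
        // RootDSE gives the current domain's naming context; nothing is hard-coded.
        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
        using (var domain = new DirectoryEntry("LDAP://" + rootDse.Properties["defaultNamingContext"].Value))
        using (var searcher = new DirectorySearcher(domain, "(servicePrincipalName=" + EscapeLdap(spn) + ")"))
        {
            searcher.PropertiesToLoad.Add("distinguishedName");
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                    holders.Add((string)r.Properties["distinguishedName"][0]);
            }
        }
        return holders;
    }

    // The names the cheat sheet expects for one service host: the service SPNs
    // from step 8 (short and fully qualified) plus HOST/ on the computer account.
    public static IEnumerable<string> ExpectedSpns(string serviceClass, string shortHost, string fqdn)
    {
        yield return serviceClass + "/" + shortHost;
        yield return serviceClass + "/" + fqdn;
        yield return "HOST/" + shortHost;
        yield return "HOST/" + fqdn;
    }

    public static void Main()
    {
        var toCheck = new List<string>(ExpectedSpns("HTTP", "wcfhost", "wcfhost.corp.example.com"));
        // The second hop: SQL Server's own SPN, port included (assumed default instance).
        toCheck.Add("MSSQLSvc/sqlhost.corp.example.com:1433");

        foreach (string spn in toCheck)
        {
            List<string> holders = HoldersOf(spn);
            string verdict = holders.Count == 0 ? "MISSING"
                           : holders.Count == 1 ? "ok"
                           : "DUPLICATE";
            Console.WriteLine("{0,-45} {1,-10} {2}", spn, verdict, string.Join("; ", holders.ToArray()));
        }
    }
}
```

Pass the netTcp service class from step 8 instead of HTTP for a self hosted service. A DUPLICATE row names both accounts, so you can see which one to strip the SPN from with setspn -D; an ok row whose holder is not the account your application pool or service actually runs as is the other common mistake this catches.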

Otherwise, Good Luck.


2 thoughts on “WCF Delegation Cheat Sheet”

  1. Pingback: WCF, Double-Hop delegation and The IEnumerable | markt.

  2. Delegation with transport security and WCF is such a tricky topic. Lots of bits and pieces of information everywhere. I have been trying to get all the steps required into a single document.
