Passing a Windows security token to an object that calls another web service using NTLM and Windows Authentication

I have a web application that calls a referenced DLL / API object, which in turn calls the WCF service.

Machine 1 = where the WCF service resides
Machine 2 = IIS server, hosting the web application that uses the API that calls the service on Machine 1

My code is:

    using System.Security.Principal;

    // identity is the WindowsIdentity of the authenticated web request;
    // Impersonate() returns a WindowsImpersonationContext, not a "WindowsAuthenticationContext"
    using (WindowsImpersonationContext ctx = identity.Impersonate())
    {
        // Call to the API goes here
    }

When I access the website from Machine 2 (the IIS server) itself, it works. But when I access the website from another client computer, I get the error "Request token could not be satisfied."

NOTE: The API is already final and can no longer be changed.

Any help would be greatly appreciated.

Thanks.

+5

2 answers

You cannot do NTLM and then Kerberos across several hops (servers). You must use Kerberos to delegate Windows authentication on all hops.

You need to configure SPNs to allow Kerberos to delegate authentication on all machines.

To configure these, you will have to issue the following commands, provided that you have the rights to change AD:

    SETSPN -S HTTP/Machine1 ADDomain\AppPoolCredential1
    SETSPN -S HTTP/Machine1.domainname.com ADDomain\AppPoolCredential1
    SETSPN -S HTTP/Machine2 ADDomain\AppPoolCredential2
    SETSPN -S HTTP/Machine2.domainname.com ADDomain\AppPoolCredential2

Where ADDomain\AppPoolCredential is the application pool credential. Note that you cannot use Network Service as the application pool identity to make Kerberos delegation work; you need to use a domain account.

In AD, you need to set the following objects to be trusted for delegation to enable Kerberos delegation:

    ADDomain\AppPoolCredential1
    ADDomain\AppPoolCredential2
    Machine1
    Machine2

(Screenshot: trusting the object for delegation in AD)

For more information see here.

+2
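As an added example (not part of the thread or of either poster's answer), the following PowerShell script audits the prerequisites the answer lists for the double hop and, with -Fix, applies them: the HTTP SPNs for the short and fully qualified host names on each application pool account, and delegation from the front-end account to the WCF service. It uses the ActiveDirectory module (RSAT) and setspn.exe, which exist as used here; the account and host names (AppPoolCredential1, AppPoolCredential2, Machine1, Machine2, domainname.com) are taken from the answer and are assumptions you would replace. One deliberate difference from the answer's screenshot step: it grants constrained delegation (msDS-AllowedToDelegateTo limited to the WCF SPN) rather than the unconstrained "trust for delegation" setting, and warns when unconstrained delegation is already on, because a front-end account that can forward callers' tickets to any service is a much larger exposure if it is compromised.

```powershell
# Added example: audit (and with -Fix, apply) the Kerberos double-hop prerequisites.
# Assumed names come from the answer above; replace them with your own.
# Run on a domain-joined admin host with RSAT and rights to edit the two accounts.
param(
    [string]$FrontAccount = 'AppPoolCredential2',   # IIS app pool identity on Machine2 (first hop)
    [string]$FrontHost    = 'Machine2',
    [string]$BackAccount  = 'AppPoolCredential1',   # WCF app pool identity on Machine1 (second hop)
    [string]$BackHost     = 'Machine1',
    [string]$DnsSuffix    = 'domainname.com',
    [switch]$Fix
)
Import-Module ActiveDirectory

function Test-Spn {
    # Checks that HTTP/<host> and HTTP/<host>.<suffix> are registered on $Account.
    # Network Service cannot be used here: it has no domain object to carry the SPNs.
    param([string]$Account, [string]$HostName, [string]$Suffix, [switch]$Fix)
    $wanted  = @("HTTP/$HostName", "HTTP/$HostName.$Suffix")
    $user    = Get-ADUser -Identity $Account -Properties ServicePrincipalNames
    $netbios = (Get-ADDomain).NetBIOSName
    foreach ($spn in $wanted) {
        if ($user.ServicePrincipalNames -contains $spn) {
            Write-Host "OK        $spn is registered on $Account"
            continue
        }
        # A duplicate SPN on any other object breaks Kerberos (KDC cannot pick a key),
        # so look forest-wide before adding anything.
        $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
        if ($owner) {
            Write-Warning "DUPLICATE $spn already belongs to $($owner.DistinguishedName); resolve before continuing"
        } elseif ($Fix) {
            setspn -S $spn "$netbios\$Account" | Out-Null   # -S refuses duplicates as a second guard
            Write-Host "FIXED     registered $spn on $Account"
        } else {
            Write-Warning "MISSING   $spn is not registered on $Account (run with -Fix)"
        }
    }
}

function Test-Delegation {
    # The front-end account must be allowed to present the caller's ticket to the
    # back-end service. Constrained delegation lists exactly which SPN that is.
    param([string]$Account, [string]$TargetSpn, [switch]$Fix)
    $user = Get-ADUser -Identity $Account -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
    if ($user.TrustedForDelegation) {
        Write-Warning "$Account is trusted for UNCONSTRAINED delegation; constrain it to $TargetSpn instead"
    }
    $allowed = @($user.'msDS-AllowedToDelegateTo')
    if ($allowed -contains $TargetSpn) {
        Write-Host "OK        $Account may delegate to $TargetSpn"
    } elseif ($Fix) {
        Set-ADUser -Identity $Account -Add @{'msDS-AllowedToDelegateTo' = $TargetSpn}
        Write-Host "FIXED     $Account constrained to delegate to $TargetSpn"
    } else {
        Write-Warning "MISSING   $Account cannot delegate to $TargetSpn (run with -Fix)"
    }
}

# Second hop: the WCF service account needs its own SPNs so the first hop can request a ticket for it.
Test-Spn -Account $BackAccount  -HostName $BackHost  -Suffix $DnsSuffix -Fix:$Fix
# First hop: the IIS account needs SPNs (so browsers get a Kerberos ticket, not NTLM)
# and permission to delegate to the WCF SPN.
Test-Spn -Account $FrontAccount -HostName $FrontHost -Suffix $DnsSuffix -Fix:$Fix
Test-Delegation -Account $FrontAccount -TargetSpn "HTTP/$BackHost.$DnsSuffix" -Fix:$Fix
```

Run it once without -Fix to see what is missing; the DUPLICATE warning is the case to look at first, because a stray SPN on an old computer or service account is the usual reason browsers silently fall back to NTLM and the second hop then fails exactly as the question describes. After the change, the app pools on both machines must be recycled so they pick up the new service tickets.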

NTLM runs on a machine within a local security context. If you want to use NTLM across different computers, those machines must share the same security context, i.e. the Active Directory domain. If your site (where the computers are located) does not have the same security context, this will not work. You can use a client certificate instead by changing the service configuration, without modifying the DLL or the code.

0

Source: https://habr.com/ru/post/1200370/