WCF Rest Service Windows Authentication Through a Browser

A WCF REST service is provided, which is started with HttpClientCredentialType.Windows and authenticates users through Kerberos.

    using System;
    using System.Collections.Generic;
    using System.ServiceModel;
    using System.ServiceModel.Description;
    using System.ServiceModel.Web;

    internal class Program
    {
        private static void Main(string[] args)
        {
            Type serviceType = typeof(AuthService);
            ServiceHost serviceHost = new ServiceHost(serviceType);

            // HTTP without TLS; the client credential is negotiated in the HTTP headers.
            WebHttpBinding binding = new WebHttpBinding();
            binding.Security.Mode = WebHttpSecurityMode.TransportCredentialOnly;
            binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

            ServiceEndpoint basicServiceEndPoint =
                serviceHost.AddServiceEndpoint(typeof(IAuthService), binding, "http://notebook50:87");
            basicServiceEndPoint.Behaviors.Add(new WebHttpBehavior());

            // Open the host before reporting that the service is up.
            serviceHost.Open();
            Console.WriteLine("wcf service started");
            Console.ReadLine();
        }
    }

    public class AuthService : IAuthService
    {
        public List<string> GetUserInformation()
        {
            List<string> userInfo = new List<string>();

            // Identity of the process hosting the service.
            userInfo.Add("Environment.User = " + Environment.UserName);
            userInfo.Add("Environment.UserDomain = " + Environment.UserDomainName);

            // Identity of the authenticated caller and the protocol that was used.
            if (OperationContext.Current != null && OperationContext.Current.ServiceSecurityContext != null)
            {
                userInfo.Add("WindowsIdentity = " + OperationContext.Current.ServiceSecurityContext.WindowsIdentity.Name);
                userInfo.Add("Auth protocol = " + OperationContext.Current.ServiceSecurityContext.WindowsIdentity.AuthenticationType);
            }
            else
            {
                userInfo.Add("WindowsIdentity = empty");
            }

            WebOperationContext.Current.OutgoingResponse.ContentType = "text/plain";
            return userInfo;
        }
    }

    [ServiceContract]
    public interface IAuthService
    {
        [OperationContract]
        [WebInvoke(Method = "GET", ResponseFormat = WebMessageFormat.Json, UriTemplate = "test/")]
        List<string> GetUserInformation();
    }

When I run this as a console application and then open the website http://notebook50:87/test/ in Internet Explorer from another computer, I get a "bad request" response. I turned on Kerberos logging and it shows me KDC_ERR_PREAUTH_REQUIRED.

I can solve this problem by creating a Windows service and running it in the "Local System Account" section. In this case, the client can authenticate.

Question: What permissions / settings does the user (who runs this WCF service) need to get the same behavior as when starting the application as a Windows service on the local system? Is this related to the name of the service principal?

+5
2 answers

Now it works. It really was a problem with the SPN. At first I installed the SPN as setspn -A HTTP/notebook50.foo.com, and Kerberos authentication did not work.

Now I set it as setspn -A HTTP/notebook50.foo.com username, where username is the user the service is running under.

From the SPN documentation I read, it was not clear to me that I should set up a user account this way.

It would be great if you could explain what is happening here, and possibly a link to the documentation for this scenario.

+3
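
An added example (not part of the original answer): a PowerShell check of which account owns the HTTP SPN, since the KDC issues the service ticket for the account the SPN is registered on and the service can only decrypt it when it runs as that account. The host, domain and account names are taken from the post; the short-name SPN and the Get-SpnOwner helper are assumptions made for illustration.

```powershell
# Assumptions: run on a domain-joined machine as a domain user.
# 'username' is the post's placeholder for the account the service runs under.
$ServiceAccount = 'username'
$Spns = 'HTTP/notebook50.foo.com', 'HTTP/notebook50'   # FQDN and short-name forms

# Hypothetical helper: returns the sAMAccountName of every object carrying the SPN.
function Get-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)
    # [adsisearcher] searches the current domain only, not the whole forest.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    foreach ($result in $searcher.FindAll()) {
        [string]$result.Properties['samaccountname'][0]
    }
}

foreach ($spn in $Spns) {
    $owners = @(Get-SpnOwner -Spn $spn)

    if ($owners.Count -eq 0) {
        # Under Local System the computer account (NOTEBOOK50$) is used instead;
        # its HOST/ SPNs cover HTTP by default, so no explicit HTTP/ entry exists.
        $status = 'no explicit registration'
    }
    elseif ($owners.Count -gt 1) {
        $status = 'duplicate: registered on more than one account'
    }
    elseif ($owners[0] -ne $ServiceAccount) {
        $status = "registered on $($owners[0]), not on the service account"
    }
    else {
        $status = 'OK'
    }

    [pscustomobject]@{
        SPN    = $spn
        Owners = $owners -join ', '
        Status = $status
    }
}
```

When registering the SPN, setspn -S can be used in place of -A; it checks for an existing registration before adding the entry.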

You can stop this error by enabling the option “No Kerberos pre-authentication is required” for this user account in Active Directory Users and Computers → Properties → Account.

0

Source: https://habr.com/ru/post/1201653/

