In Part 1 of my WCF and Kerberos delegation post I showed you the basic components of my demo and explained how to do basic configurations for SharePoint to allow Kerberos authentication. In this second part I will focus on how to develop configuration files for the client and the web service and explain the steps needed for configuring IIS and Active Directory.

Configuring the Web Service for Kerberos Authentication

Configuring a WCF web service requires a couple of specific settings in Active Directory, Internet Information Services (IIS) and the web.config file.

Setting SPN for the AppPool Service User

1. Open Active Directory Users & Computers on your domain controller.
2. Select the service user running the AppPool (created in Part 1) and open the Properties window.
3. Switch to the Attribute Editor tab (only visible if Advanced Features are selected) and add the following SPN values:
   
   
   
   Note:
   After creating the SPN values verify that there aren’t any duplicate SPNs by running the following command from the command prompt: setspn –x
   

Web.config

Choosing the correct settings in the web.config is definitely the most important part of this demo.

Key aspects of the config file are:

• use wsHttpBinding
• set the proper security settings for the wsHttpBinding
• define the service principal name for the endpoint
• configure an endpoint behavior and force Kerberos by setting allowNtlm=false
• also choose Delegation as the allowed impersonation level

Web.config

<?xmlversion="1.0"?>
<configuration>
<configSections>
</configSections>
<appSettings>
<addkey="aspnet:UseTaskFriendlySynchronizationContext"value="true"/>
</appSettings>
<system.web>
<compilationdebug="true"targetFramework="4.5"/>
<httpRuntimetargetFramework="4.5"/>
<customErrorsmode="Off"/>
</system.web>
<system.serviceModel>
<client>
<endpointaddress="http://green.colors.selfhost.corp.microsoft.com/Hello/HelloService.svc"
binding="wsHttpBinding"bindingConfiguration="WSHttpBinding_IHelloContract"
contract="KRBServer.IKrbService1"name="WSHttpBinding_IHelloContract"behaviorConfiguration="NoNTLM">
</endpoint>
</client>
<behaviors>
<serviceBehaviors>
<behaviorname="MyServiceTypeBehaviors">
<serviceMetadatahttpGetEnabled="true"/>
<serviceDebugincludeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behaviorname="NoNTLM">
<clientCredentials>
<windowsallowNtlm="false"allowedImpersonationLevel="Delegation"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<bindingname="KerberosBinding">
<security>
<messagenegotiateServiceCredential="true"establishSecurityContext="false"/>
</security>
</binding>
<bindingname="WSHttpBinding_IHelloContract">
<security>
<messagenegotiateServiceCredential="true"establishSecurityContext="false"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<servicename="KRBServer.KrbService1"behaviorConfiguration="MyServiceTypeBehaviors">
<endpointaddress=""
binding="wsHttpBinding"bindingConfiguration="KerberosBinding"contract="KRBServer.IKrbService1">
<identity>
<servicePrincipalNamevalue="HTTP/red.colors.selfhost.corp.microsoft.com"/>
</identity>
</endpoint>
</service>
</services>
<serviceHostingEnvironmentaspNetCompatibilityEnabled="true"multipleSiteBindingsEnabled="true"/>
</system.serviceModel>
<system.webServer>
<modulesrunAllManagedModulesForAllRequests="true"/>
<directoryBrowseenabled="true"/>
</system.webServer>
</configuration>

Deploying the Web Service

I use Web Deploy (visit http://msdn.microsoft.com/en-us/library/dd465337.aspx for more details) and the following settings to publish the web service directly from Visual Studio:

After the deployment you will need to change the AppPool so that it runs under the service user which has been created in Part 1.

1. Open the Internet Information Services (IIS) Manager (RED).
2. Select the deployed application and choose Basic Settings… from the Actions pane.
3. Change the AppPool – the AppPool needs to be running under the service account which has the assigned SPNs.
   
   
   
4. Select Authentication in the Home Page of your application and enable Windows Authentication and Anonymous Authentication. 
   
   
   
5. Choose Windows Authentication and click Providers… from the Actions pane. Make sure the following providers are selected and also that the order of these providers is as followed.
   
   
   
6. Turn off Kernel-mode authentication by selecting Windows Authentication and clicking Advanced Settings… from the Actions pane.
   
   
   
   Note:
   For in-depth information on Kernel-mode authentication and IIS hosted WCF please visit this blog post.
   
7. To verify that Kerberos authentication is working correctly, connect the WCF Test Client to your web service. Invoke the UploadFile operation with a random string as parameter.
   
   
   
   The upload won’t succeed - however, authentication will occur and you should be able to verify whether it’s Kerberos or NTLM. 
   
8. To verify the authentication mode, check the Event Viewer on the system running IIS for Audit Success events (Event ID 4624) in Windows Logs –> Security.
   
   
   
   If you find Kerberos as your Logon Process you have successfully configured your web service for Kerberos authentication.

Configuring the Client for Kerberos Authentication

Besides adding a service reference, a few customizations of the config file are required on the client side.

App.config

The key customizations of the app.config file are:

• use wsHttpBinding and configure the required security settings as shown below
• create an endpoint behavior and set allowedImpersonationLevel = Delegation

App.config

<?xmlversion="1.0"encoding="utf-8" ?>
<configuration>
<startup>
<supportedRuntimeversion="v4.0"sku=".NETFramework,Version=v4.5"/>
</startup>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<bindingname="WSHttpBinding_IKrbService1">
<security>
<messageclientCredentialType="Windows"negotiateServiceCredential="true"
establishSecurityContext="false"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpointaddress="http://red.colors.selfhost.corp.microsoft.com/KRBDemo/KrbService1.svc"
behaviorConfiguration="DelegationBehavior"binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_IKrbService1"contract="KrbSvc.IKrbService1">
<identity>
<servicePrincipalNamevalue="HTTP/red.colors.selfhost.corp.microsoft.com"/>
</identity>
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behaviorname="DelegationBehavior">
<clientCredentials>
<windowsallowedImpersonationLevel="Delegation"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
</configuration>

Set up Kerberos Constrained Delegation

Delegation allows a front-end service to forward the client’s request to a back-end service in such a way that the back-end service can also impersonate the client. Kerberos constrained delegation restricts those back-end service running on specific servers. Since delegation is a Windows domain feature there are a couple of configurations which have to be made on the domain controller.

1. Open Active Directory Users & Computers on your domain controller.
2. Locate the service user running the WebServices AppPool (e.g. IIS_SERVICE_RED) and open the Properties window.
3. Switch to the Delegation tab (which will only be displayed if a service principal name has been defined for this user).
4. Select Trust this user for delegation to specified services only and Use Kerberos only.
5. Click Add… to assign an SPN of a service for delegation.
6. Click Users and Computers… to locate your SharePoint service user in Active Directory.
7. Select available service (HTTP) and mark it.
   
   
   
8. Verify that the HTTP service of your SharePoint service user has been assigned for delegation – it must appear in the list of services to which the account can present delegated credentials.
   
   
   
9. Also double-check that the implementation of your web service is decorated with [OperationBehavior(Impersonation = ImpersonationOption.Required)] as explained in Part 1. Delegation will not work if this attribute is missing.

Testing the File Upload

Finally we need to test the whole demo and check if the file upload is working an delegation happening.

1. Run the KRBClient on your client.
   
   
   
2. Open the document library in SharePoint and verify that the file has been uploaded successfully. In the Modified By column you should see the name of the user who has initially run the client application.
   
       
   

Summary

In this demo I showed you all the configuration steps needed, so that a client application can connect to a back-end service (like SharePoint) through a WCF web service. Since this demo also shows you how to delegate credentials, it will hopefully help you solving issues you might run into with your WCF designs. The sample code developed for this demo can be downloaded here.

Enjoy,
Florian