
I have a web application that calls an object of a referenced dll/api that calls a wcf service.

Machine 1 = where the wcf service resides
Machine 2 = IIS server, the web application that uses the api that calls the service from Machine 1

My code:

using System.Security.Principal;

// identity is the caller's WindowsIdentity; Impersonate() returns a
// WindowsImpersonationContext that reverts to the process identity when disposed
using (WindowsImpersonationContext ctx = identity.Impersonate())
{
  //Call to the API goes here
}

When I access the website from Machine 2 (IIS Server), it works. But when I access the website from another client machine, it gives me an error "The Request Token Could not be satisfied".

NOTE: The API is already final and cannot be modified anymore.

Any help would be greatly appreciated.

Thanks

Maico
  • Sounds as though the web application is attempting to log into the WCF service using the security context of the client user, who logged onto the web server using NTLM authentication? I'm foggy on the details, but I think in order to make that work the web server and/or the account the web application is running as will need to be configured as "trusted for delegation" in the domain. – Harry Johnston Aug 15 '14 at 01:22
  • I did that, I registered the SPN for the service and gave delegation to it, I also tried to give delegation to the user of the custom iis_user identity. Actually tried delegating everything for the IIS user. And also for my test user. Any ideas? – Maico Aug 15 '14 at 13:24
  • Did you give the web server's computer account in the AD the "trusted for delegation" flag? – Harry Johnston Aug 15 '14 at 23:43
  • Yes I did, both for the IIS Server and the machine where the Service is installed. Also gave delegation to the IIS User, my test user and the IIS_IUSRS user. – Maico Aug 18 '14 at 15:20
  • Do the IIS accounts have impersonation privilege on the IIS and WCF servers? – Harry Johnston Aug 18 '14 at 21:15
  • I am not sure how to assign impersonation privilege to a user or could it be done by user group? If so, how do we assign impersonation privilege to a User or to an AD Group? – Maico Aug 19 '14 at 13:21
  • Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment -> Impersonate a client after authentication. Can be assigned to either groups or users. You would need to reboot for changes to take effect. (This is kind of a long shot, though, since if this was the problem I don't see why it would work when connecting to the web site from the local machine.) – Harry Johnston Aug 20 '14 at 01:48
  • Still no luck, the weird thing is that, if I log in on the IIS machine using my test user it works, then I log in to a remote computer using the same test user it works, but if I restart the IIS server and log in again to my remote computer using the test user it does not work anymore. So very weird behaviour, I am in a cramming stage now. Whew.... – Maico Aug 20 '14 at 12:11

2 Answers


You cannot do NTLM and then Kerberos over multiple hops (servers). You need to use Kerberos to delegate windows authentication over all the hops.

You need to configure SPNs to enable Kerberos to delegate authentication across machines.

To configure these, you will have to issue the following commands - assuming you have rights to modify AD:

SETSPN -S HTTP/Machine1 ADDomain\AppPoolCredential1
SETSPN -S HTTP/Machine1.domainname.com ADDomain\AppPoolCredential1

SETSPN -S HTTP/Machine2 ADDomain\AppPoolCredential2
SETSPN -S HTTP/Machine2.domainname.com ADDomain\AppPoolCredential2

Where ADDomain\AppPoolCredential is the credential of the app pool - note you cannot use Network Service as the app pool credential to get Kerberos delegation to work. You need to use a domain account.

In AD, you need to enable the following objects to allow Kerberos delegation:

ADDomain\AppPoolCredential1
ADDomain\AppPoolCredential2
Machine1
Machine2 

Trust object for delegation in AD

For more information, see here

Donal
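As an added illustration of the NTLM-versus-Kerberos point in this answer, applied to the impersonation block from the question (example code, not from the question or either answer; HopCheck and CanDelegate are hypothetical names), the following checks the impersonated token before the API call is attempted:

```csharp
using System;
using System.Security.Principal;

// Hypothetical helper (not from the question): inside the same impersonation
// block the question uses, decide whether the token IIS holds for the caller
// can be forwarded to the WCF service on Machine 1 at all.
static class HopCheck
{
    public static bool CanDelegate(WindowsIdentity identity, out string reason)
    {
        using (WindowsImpersonationContext ctx = identity.Impersonate())
        {
            WindowsIdentity current = WindowsIdentity.GetCurrent();

            // An NTLM logon from a remote browser yields an Impersonation-level
            // token: IIS can act as the user locally but cannot present that token
            // to a second server. Only a Kerberos logon to an account that is
            // trusted for delegation yields a Delegation-level token.
            if (current.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            {
                reason = string.Format(
                    "Token for {0} is {1}-level (package: {2}); second hop to " +
                    "Machine 1 will fail. Check the HTTP/ SPNs on the app pool " +
                    "account and the delegation flag on account and computer.",
                    current.Name, current.ImpersonationLevel, current.AuthenticationType);
                return false;
            }

            reason = "Delegation-level token obtained via " + current.AuthenticationType;
            return true;
        }
    }
}
```

Call it with the request's identity (for example `(WindowsIdentity)HttpContext.Current.User.Identity`) and log `reason` on failure, which gives a clearer signal than the token error surfaced by the API.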

NTLM works in the machine with the local security context. If you want to use NTLM over different machines, these machines should share the same security context, like an Active Directory domain. If your site (where the machines are) does not have the same security context, this would not work. You can use a client certificate by changing the service's config, not changing the dll or code.

Mert Gülsoy