I have a self-hosted WCF service that is accessible using `WebHttpBinding`. This service should get a Kerberos token from Internet Explorer on the client and then impersonate with this token to access a file server via a network share on another server.
Like this chain:
IE (Client) -> WCF-Service (BI-Server) -> impersonate -> access network share on file server
But IE presents a login dialog if I change the `ClientCredentialType` or add a `ServiceAuthenticationBehavior` with Kerberos settings (401 Unauthorized).
With NTLM I can access the WCF service and impersonate, but the access to the file server leads to an `UnauthorizedAccessException`.
The same server also has a `NetTcpBinding` with Kerberos, which works fine.
What am I doing wrong?
Delegation for Kerberos (all services) is activated on the BI server.
- ADS functional level is 2012
- File server is a Windows Server 2003
- WCF/IIS host is a Windows Server 2012 R2
- Client is Windows 8, IE 10
Now the code for the channel:
```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Web;

// Self-hosted REST endpoint; credentials come from the HTTP.sys host (no transport encryption).
var listenUrl = "http://0.0.0.0:8735";
var bind = new WebHttpBinding(WebHttpSecurityMode.TransportCredentialOnly)
{
    Security = { Transport = { ClientCredentialType = HttpClientCredentialType.InheritedFromHost } },
    TransferMode = TransferMode.StreamedResponse
};
var host = new WebServiceHost(typeof(C_SIS), new Uri(listenUrl));
host.AddServiceEndpoint(typeof(IW_SIS), bind, "").Behaviors.Add(new WebHttpBehavior());

// With InheritedFromHost the accepted schemes are taken from the ServiceAuthenticationBehavior.
ServiceAuthenticationBehavior sab = host.Description.Behaviors.Find<ServiceAuthenticationBehavior>();
if (sab == null)
{
    sab = new ServiceAuthenticationBehavior();
    sab.AuthenticationSchemes = AuthenticationSchemes.Negotiate | AuthenticationSchemes.Ntlm;
    host.Description.Behaviors.Add(sab);
}
else
{
    sab.AuthenticationSchemes = AuthenticationSchemes.Negotiate | AuthenticationSchemes.Ntlm;
}
// UnbekannterRecv is the handler for messages no endpoint matched (defined elsewhere in the service).
host.UnknownMessageReceived += new EventHandler<UnknownMessageReceivedEventArgs>(UnbekannterRecv);
host.Open();
```
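As an added diagnostic example (not code from the question), the operation below reports what kind of token the WCF service actually received from the browser before the second hop is attempted. `WindowsIdentity.AuthenticationType` tells NTLM apart from Kerberos, and `ImpersonationLevel` must be `Delegation` for a network share on another machine to accept the impersonated identity; an NTLM logon never yields that level, which matches the `UnauthorizedAccessException` described above. The contract name `IDelegationCheck`, the `/check` URI template and the `share` parameter are assumptions for this example.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Web;

// Hypothetical contract, added for diagnosis; not part of the question's service.
[ServiceContract]
public interface IDelegationCheck
{
    [OperationContract]
    [WebGet(UriTemplate = "/check?share={share}")]
    string Check(string share);
}

public class DelegationCheck : IDelegationCheck
{
    public string Check(string share)
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous)
            return "No Windows identity on this call (anonymous).";

        WindowsIdentity id = ctx.WindowsIdentity;

        // "NTLM" or "Kerberos"; only Kerberos can carry a delegation-capable token.
        string report = string.Format(
            "user={0}; authType={1}; impersonationLevel={2}",
            id.Name, id.AuthenticationType, id.ImpersonationLevel);

        // Without Delegation level, the SMB connection to the file server is made
        // with no usable credentials, which surfaces as UnauthorizedAccessException.
        if (id.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            return report + "; second hop will fail: token is not delegation-capable";

        try
        {
            // The caller's identity is used for the share access only inside this scope.
            using (WindowsImpersonationContext wic = id.Impersonate())
            {
                string[] entries = Directory.GetFileSystemEntries(share);
                return report + "; share access OK, " + entries.Length + " entries";
            }
        }
        catch (UnauthorizedAccessException ex)
        {
            return report + "; share access denied: " + ex.Message;
        }
    }
}
```

Hosting this contract on the same `WebHttpBinding` and calling `http://<bi-server>:8735/check?share=\\fileserver\share` from IE shows, in one line, whether the browser negotiated Kerberos or fell back to NTLM and whether the resulting token can be delegated; the `Delegation` check runs before any impersonation, so a non-delegable token is reported rather than silently failing at the share.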