
I've got a standalone on-premise Service Fabric Cluster that is secured using Windows Authentication.

In this application I have a ASP.NET Core WebApi Stateless service that tries to communicate with another stateless service via the remoting. Unfortunately I'm getting the following error when the WebApi service tries to RPC to the stateless service:

    System.AggregateException: One or more errors occurred. ---> System.Fabric.FabricConnectionDeniedException: Not authorized to connect ---> System.Runtime.InteropServices.COMException: Exception from HRESULT: 0x80071C43
       at Microsoft.ServiceFabric.FabricTransport.NativeServiceCommunication.IFabricServiceCommunicationClient2.EndRequest(IFabricAsyncOperationContext context)
       at Microsoft.ServiceFabric.FabricTransport.Client.FabricTransportClient.EndRequest(IFabricAsyncOperationContext context)
       at System.Fabric.Interop.AsyncCallOutAdapter2`1.Finish(IFabricAsyncOperationContext context, Boolean expectedCompletedSynchronously)

       --- End of inner exception stack trace --

Furthermore, I can confirm that:

  • When deploying this same application to a "development cluster" (i.e. either my local machine or another remote Service Fabric cluster running all its nodes on one machine), I don't get the error - hence potentially an issue with the AD accounts I've used to set up my multi-machine cluster (I'm using a machine group account).

  • When creating the Client Proxy, I do set up the Security Credentials to use Windows authentication - i.e.

            var transportSettings = new FabricTransportRemotingSettings
            {
                SecurityCredentials = new WindowsCredentials()
            };
            Func<IServiceRemotingCallbackClient, IServiceRemotingClientFactory> clientProxyFactory = c => new FabricTransportServiceRemotingClientFactory(transportSettings);
    
            var serviceProxyFactory = new ServiceProxyFactory(clientProxyFactory);
            TService clientProxy = serviceProxyFactory.CreateServiceProxy<TService>(uri);
            return clientProxy;
    
  • In the above code, if I instead use: SecurityCredentials = new NoneSecurityCredentials() then I get a similar FabricConnectionDeniedException but the message is slightly different saying that the Client is not authorised to connect. This makes sense - but again, potentially indicates that there is an issue with my transport settings...

Adriaan de Beer
  • **Update 1:** I've also played around with using [RunAs](https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-application-runas-security) policies and specifying different system and domain accounts; however, I still cannot get past the same error. – Adriaan de Beer Jul 04 '17 at 12:02
  • **Update 2:** I had success by using NoneSecurityCredentials() both client-side and service-side (when I originally used NoneSecurityCredentials I forgot to also use this setting in the Stateless service's CreateServiceInstanceListeners() method, hence the reason client authorisation was rejected with my original attempt). Whilst this provides a workaround, it's not optimal from a security point of view. Given that all services run under the NetworkService NT account, I'm guessing the root of this issue is with how the machine group AD account has been set up... – Adriaan de Beer Jul 05 '17 at 02:03
  • **Anyone have some ideas on how I can get WindowsCredentials to work?** – Adriaan de Beer Jul 17 '17 at 03:42
  • I have hit the same problem, did you resolve this issue? – Dharmesh Tailor Sep 13 '18 at 05:12

0 Answers