
We have a client that connects to a web service (service1.svc) at the URL https://destination.domain/Service1.svc. This web service connects to a second web service (service2.asmx) at the URL https://localhost.domain/service2.asmx. Both services are hosted on the same web server. The DNS on the domain controller points destination.domain to the IP of the web server and localhost.domain to 127.0.0.1. The application pool account is a group managed service account that is configured to allow delegation and is called webserveraccount. The application pool is configured to use the appPoolIdentity.

We see a 401 authorisation error when connecting to the second web service (service2.asmx). I have also seen a KDC_ERR_BADOPTION, which makes me think our SPN configuration is incorrect. What would the correct format for the SPN be in the above scenario? Or is this not a Kerberos-related issue?

AndyS
  • 401 means you lack an authorization header in your request. Does your web service expect basic or token authorization? – Wildfire Sep 29 '20 at 09:43
  • To be honest I'm not sure. The existing code passes the default credentials when it creates the web service object. I will investigate - this isn't code I wrote, nor am I very knowledgeable in this area. – AndyS Sep 29 '20 at 10:24
  • Where are you seeing KDC_ERR_BADOPTION? How are the two app pools configured? Same account, or different? The expected format of the SPN is http/exactmatch.of.domain.com[:port] – Steve Sep 29 '20 at 15:00
  • I must apologise - I failed to reply with a solution. We set the AllowedImpersonationLevel on the client credentials of the WCF client to Delegation. All started working after that. SPNs for kerberos were set correctly and the web service machine set for kerberos delegation. – AndyS Jul 08 '21 at 11:56
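The checks below are an added example, not code from the original post or from any of the commenters. They take the names from the question as assumptions (gMSA `webserveraccount`, URL hosts `destination.domain` and `localhost.domain`, both behind IIS on one server) and follow the SPN format Steve gave, `HTTP/<host exactly as typed in the URL>[:port]`, registered on the account that runs the application pool rather than on the machine account. Run from an elevated prompt on a domain-joined host with the ActiveDirectory RSAT module installed.

```powershell
# Added example (not from the original post). Assumptions: the app pool runs as the
# gMSA 'webserveraccount'; the first hop is https://destination.domain/Service1.svc and
# the second hop is https://localhost.domain/service2.asmx on the same server.
Import-Module ActiveDirectory

$gmsa       = 'webserveraccount'      # gMSA name as shown in AD (sAMAccountName is 'webserveraccount$')
$frontHost  = 'destination.domain'    # host part of the client-facing URL
$backHost   = 'localhost.domain'      # host part of the second-hop URL
# Kerberos SPNs must match the host the caller typed, not the machine's own name.
$wantedSpns = @("HTTP/$frontHost", "HTTP/$backHost")

# 1. SPNs and delegation attributes actually stored on the pool account.
$acct = Get-ADServiceAccount -Identity $gmsa -Properties ServicePrincipalNames,
    TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

"SPNs registered on ${gmsa}:"
$acct.ServicePrincipalNames | ForEach-Object { "  $_" }

foreach ($spn in $wantedSpns) {
    if ($acct.ServicePrincipalNames -notcontains $spn) {
        # -S adds the SPN only if no other account already holds it.
        Write-Warning "$spn is missing on $gmsa. Add it with:  setspn -S $spn $gmsa"
    }
}

# 2. Duplicate SPNs: if HTTP/destination.domain is also on the machine account (or any
#    other account), the KDC can issue a ticket for the wrong account and auth falls back
#    to NTLM or fails. Check each wanted SPN, then scan the forest with setspn -X.
foreach ($spn in $wantedSpns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
    if ($owners.Count -gt 1) {
        Write-Warning "$spn is registered on more than one account: $($owners.sAMAccountName -join ', ')"
    }
}
setspn -X

# 3. Delegation. Unconstrained delegation shows as TrustedForDelegation = True.
#    Constrained delegation lists the permitted target SPNs in msDS-AllowedToDelegateTo;
#    for the second hop that list has to contain HTTP/localhost.domain. A constrained
#    delegation target that is not in this list is a common cause of KDC_ERR_BADOPTION.
"TrustedForDelegation       : $($acct.TrustedForDelegation)"
"TrustedToAuthForDelegation : $($acct.TrustedToAuthForDelegation)"   # protocol transition (S4U2Self)
"msDS-AllowedToDelegateTo   :"
$acct.'msDS-AllowedToDelegateTo' | ForEach-Object { "  $_" }

if (-not $acct.TrustedForDelegation -and
    $acct.'msDS-AllowedToDelegateTo' -notcontains "HTTP/$backHost") {
    Write-Warning "Constrained delegation is configured but HTTP/$backHost is not an allowed target."
}

# 4. From the client machine: clear cached tickets and request a service ticket for the
#    front end. If Kerberos is working you will see an HTTP/destination.domain ticket;
#    if it fails here, the SPN or DNS name is wrong before IIS is ever involved.
klist purge
klist get "HTTP/$frontHost"
klist
```

The script only inspects Active Directory and the local ticket cache; it changes nothing. The fix AndyS reported in the final comment is on the WCF client side and is not something this script can check: the client's `ClientCredentials.Windows.AllowedImpersonationLevel` must be set to `TokenImpersonationLevel.Delegation`, otherwise the first service receives a token it is not allowed to forward to service2 even when the SPNs and the account's delegation settings are correct.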

0 Answers