
Flowing Windows Credentials

Topics: Technical Questions
May 6, 2010 at 11:09 AM

Hi

I have configured a virtual service in MSE and applied policies to flow the Windows credentials to the physical service (hosted on another machine). When I test the virtual service using a client application on a third machine, I get the error below:

"The message could not be processed because the action 'SendDetails' is invalid or unrecognized."

Things done specific to MSE are as below:

1. The binding used for the virtual endpoint is "wsHttpBinding" with security mode="Message" and clientCredentialType="Windows".

2. A custom policy is applied to the resource with assertions to flow the credentials and set the SPN.

<PolicyModel xmlns="http://microsoft.com/mse/2007/runtime/policyModel" xmlns:mse="http://services.microsoft.com/MSE" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml">
  <IdentityAwareChannelElement IdentityFlowType="Windows" IssuerAddress="" LockItem="False" xmlns="clr-namespace:Microsoft.MSE.Behaviors.Security.Configuration;assembly=Microsoft.MSE.Behaviors.Security">
  </IdentityAwareChannelElement>
  <ServiceIdentityElement IdentityType="Spn" IdentityValue="(a valid spn)" xmlns="clr-namespace:Microsoft.MSE.Behaviors.Security.Configuration;assembly=Microsoft.MSE.Behaviors.Security">
  </ServiceIdentityElement>
</PolicyModel>

At the client application the impersonation level is set to Delegation. The servers are set for delegation and have a valid SPN.

On the other hand, when I try basicHttpBinding with security mode="TransportCredentialOnly" and run the client application from a different machine, I get the error below:

“The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'.”

Do you have any idea what needs to be done, other than this, to make the delegation work?

May 6, 2010 at 1:15 PM

Hi,

Have you checked the order in which the policies are applied? They should be in the order below, applied to the resource:

ServiceIdentity
IdentityAwareChannel


May 6, 2010 at 6:56 PM

Also, with Message security, your virtual endpoint needs to have the message protection assertion applied in a policy or you will receive the invalid action error you are reporting.

May 7, 2010 at 6:54 AM

One more thing: how are you testing this flow? Is it using the service tester? You can also try the same by creating the client yourself and testing with it.

May 7, 2010 at 8:43 AM

Hi,

I am testing this using a client application. I have the client app, MSE and the physical service hosted on three different machines.

I have made the changes mentioned above; now I am getting the error below.

Communication Error in InnerProcessMessage: The caller was not authenticated by the service.


May 7, 2010 at 9:04 AM
Edited May 7, 2010 at 9:15 AM

Please change the following in the client application.


<<ServiceReferenceInstance>>.Credentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Delegation;


It should work. Let me know if this works.

Ref: http://msdn.microsoft.com/en-us/library/system.security.principal.tokenimpersonationlevel.aspx


May 7, 2010 at 10:04 AM

Hi,

I had already set the impersonation level to Delegation, but I still got the exception.

This is the code written in my client app.

using System.Security.Principal;

// Take the Windows identity of the authenticated request and impersonate it for the call.
WindowsIdentity id = System.Threading.Thread.CurrentPrincipal.Identity as WindowsIdentity;
using (id.Impersonate())
{
    ServiceReference1.ServiceClient client = new ServiceReference1.ServiceClient();
    // Allow the service to forward this identity to the next hop.
    client.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;
    client.ClientCredentials.Windows.AllowNtlm = false;

    Response.Write(client.Data());
}

May 7, 2010 at 10:13 AM

Are all three machines on the same domain? At least the client machine from where you are calling? All of them need to be on the same domain.

I assume that you have configured Kerberos properly. Have you associated the SPN with the service account, and is the runtime running under that account? Check that delegation is also configured.

Try removing this statement: client.ClientCredentials.Windows.AllowNtlm = false;

Did you update the channel moniker on the resource to use <ChannelModelExt>?

Try these and let's see what happens.

May 7, 2010 at 10:27 AM

To quickly corner the issue, configure a sample WCF service between the resource and the client, behaving the way MSE does. The intermediate WCF service should do nothing but forward the request to the resource. If this scenario doesn't work, please re-check the configuration. First get this working.

If this works  then MSE would work.
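As an added example (not code from this thread or from MSE), the "sample WCF service in between" suggested above, combined with the client-side delegation settings from the earlier posts: the middle hop impersonates the caller, checks whether the token it received can actually be forwarded, and only then calls the resource under that identity. Host names, SPNs, the IDataService contract and the Data() operation are placeholders, and .NET Framework 4.0 or later is assumed (for WindowsIdentity.ImpersonationLevel).

```csharp
// Added example, not the thread's or MSE's code. A minimal forwarding hop that
// reports what it received before trying the second hop.
// Placeholders: host names, SPNs, IDataService, Data(). Assumes .NET 4.0+.
using System;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IDataService
{
    [OperationContract]
    string Data();
}

// Helpers shared by both hops: the thread's binding (wsHttpBinding, Message
// security, Windows credential), an SPN-pinned factory, and a safe invoke.
public static class DelegationHop
{
    public static WSHttpBinding MessageWindows()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        return binding;
    }

    // Pin the Kerberos principal of the next hop. If the SPN does not match the
    // account that hop runs under, no Kerberos ticket can be obtained, Negotiate
    // falls back to NTLM, and an NTLM token can never be forwarded another hop.
    public static ChannelFactory<IDataService> Factory(string url, string spn)
    {
        var address = new EndpointAddress(new Uri(url), EndpointIdentity.CreateSpnIdentity(spn));
        var factory = new ChannelFactory<IDataService>(MessageWindows(), address);
        // Same setting as the poster's client: let the callee forward this identity.
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;
        return factory;
    }

    // One call through a factory; Abort on failure so a faulted channel is never Closed.
    public static string Invoke(ChannelFactory<IDataService> factory)
    {
        IDataService proxy = factory.CreateChannel();
        var channel = (IClientChannel)proxy;
        try
        {
            string result = proxy.Data();
            channel.Close();
            return result;
        }
        catch
        {
            channel.Abort();
            throw;
        }
    }

    public static string Describe(WindowsIdentity id)
    {
        return string.Format("user={0} auth={1} level={2}",
            id.Name, id.AuthenticationType, id.ImpersonationLevel);
    }
}

// The middle hop. Run it under an account that owns the SPN clients pin for it and
// that is trusted for delegation, as the thread requires of the MSE runtime.
public class ForwardingService : IDataService
{
    const string BackendUrl = "http://backend.example.local/DataService"; // placeholder
    const string BackendSpn = "HTTP/backend.example.local";               // placeholder

    // Impersonation=Required runs the operation on the caller's token, so the
    // outbound call carries the caller's identity rather than the host account's.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string Data()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        string received = DelegationHop.Describe(caller);

        // Only a Kerberos logon at Delegation level can be forwarded. Anything else
        // surfaces on hop 2 as "The caller was not authenticated by the service",
        // so fail here, where the cause is still visible.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new FaultException("Hop 1 token is not delegable: " + received);

        string backend = DelegationHop.Invoke(DelegationHop.Factory(BackendUrl, BackendSpn));
        return backend + " [forwarded for " + received + "]";
    }
}

public static class Program
{
    public static void Main()
    {
        var host = new ServiceHost(typeof(ForwardingService),
            new Uri("http://middle.example.local:8000/")); // placeholder
        host.AddServiceEndpoint(typeof(IDataService), DelegationHop.MessageWindows(), "DataService");
        host.Open();
        Console.WriteLine("Middle hop listening; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

The client for hop 1 is the same factory: DelegationHop.Factory("http://middle.example.local:8000/DataService", "HTTP/middle.example.local") followed by DelegationHop.Invoke, with no AllowNtlm setting, as the reply above suggests. The fault text then tells you which of the thread's checks failed: auth=NTLM on hop 1 points at a missing or mismatched SPN or a machine outside the domain (the "Negotiate,NTLM" symptom), while auth=Kerberos with level=Impersonation means the caller's token was never delegable, either because the client did not allow Delegation or because the calling account or machine is not trusted for delegation.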