Checklist for multi hop delegation in ASP.NET and WCF using wsHttpBinding.


If you need to access resources by using the authenticated caller's identity, or by using a specific Windows identity other than the process identity, you can configure your ASP.NET application to use impersonation. Delegation goes one step further: it allows an impersonation token to be used to access multiple network resources. The scenario covered here is an ASP.NET front end that calls a WCF service, which in turn accesses a back-end resource on the original caller's behalf (a double hop).

We have a sample project to achieve this requirement. The sample code can be downloaded here: https://github.com/Adamus7/Double-Hop-WCF-Sample

Here is a checklist for similar multi hop delegation problems:

1. Make sure the host server and the service account are trusted for delegation in Active Directory.

2. Enable impersonation for the ASP.NET web application. Enable both Anonymous Authentication and Windows Authentication in IIS.

3. Add the following attribute to each method in the WCF service that needs impersonation/delegation.

[OperationBehavior(Impersonation = ImpersonationOption.Allowed)]

4. Service side:

a. Use wsHttpBinding with Windows credentials.

<bindings>
  <wsHttpBinding>
    <binding name="wsHttpBinding">
      <security mode="Message">
        <message clientCredentialType="Windows" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

b. Add impersonateCallerForAllOperations="true" to the serviceAuthorization element in serviceBehaviors.

<behaviors>
  <serviceBehaviors>
    <behavior name="ServiceBehavior">
      <serviceMetadata httpGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="false" />
      <serviceAuthorization impersonateCallerForAllOperations="true" />
    </behavior>
  </serviceBehaviors>
</behaviors>

c. Add the SPN to the service endpoint identity.

<services>
  <service behaviorConfiguration="ServiceBehavior" name="WCF_A.ServiceA">
    <endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpBinding"
              contract="WCF_A.IServiceA">
      <identity>
        <servicePrincipalName value="HOST/WS1" />
        <dns value="localhost" />
      </identity>
    </endpoint>
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
  </service>
</services>

5. Client side

a. Add allowNtlm="false" allowedImpersonationLevel="Delegation" to the windows element under clientCredentials.

<endpointBehaviors>
  <behavior name="WCFAClientBehavior">
    <clientCredentials>
      <windows allowNtlm="false" allowedImpersonationLevel="Delegation" />
    </clientCredentials>
  </behavior>
</endpointBehaviors>

b. To enable the double hop, the client calling the WCF service needs to set the impersonation level it allows the service to use to Delegation. This is performed with the following code:

service.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Delegation;
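As an added diagnostic example (not part of the original post or the sample project), the following WCF operation reports what the service actually sees once steps 1 to 5 are in place: the caller's identity, whether the token arrived over Kerberos, whether it is at Delegation level, and whether the second hop to a back-end share succeeds as that caller. The share path and the contract name are placeholders.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Security.Principal;
using System.ServiceModel;

[DataContract]
public class DelegationReport
{
    [DataMember] public string Caller;             // DOMAIN\user attached to the incoming message
    [DataMember] public string AuthenticationType;  // expect "Kerberos"; an NTLM token cannot be delegated
    [DataMember] public string ImpersonationLevel;  // must be "Delegation" for the second hop to succeed
    [DataMember] public string SecondHop;           // result of touching the back-end resource as the caller
}

[ServiceContract]
public class DelegationProbe
{
    // Placeholder back-end resource (the second hop); fixed server-side rather than taken from the client.
    private const string BackendShare = @"\\BACKEND-SERVER\probe-share";
    // The same attribute the checklist requires on every operation that delegates.
    [OperationContract]
    [OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
    public DelegationReport WhoAmI()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        var report = new DelegationReport
        {
            Caller = caller.Name,
            AuthenticationType = caller.AuthenticationType,
            ImpersonationLevel = caller.ImpersonationLevel.ToString()
        };

        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            // Typical causes: account not trusted for delegation, NTLM fallback, client level below Delegation.
            report.SecondHop = "skipped: token is not delegation-level, so a network hop would be refused";
            return report;
        }
        try
        {
            // With impersonateCallerForAllOperations="true" this thread already runs as the caller.
            int entries = Directory.GetFileSystemEntries(BackendShare).Length;
            report.SecondHop = "ok as " + WindowsIdentity.GetCurrent().Name + ", " + entries + " entries";
        }
        catch (UnauthorizedAccessException ex) { report.SecondHop = "access denied: " + ex.Message; }
        catch (IOException ex) { report.SecondHop = "I/O error: " + ex.Message; }
        return report;
    }
}
```

A report showing AuthenticationType "NTLM" or ImpersonationLevel "Impersonation" points back to step 1 or step 5a respectively, which is faster than reading the access-denied error from the back end.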


More information:

1) https://blogs.msdn.microsoft.com/securitytools/2009/11/03/double-hop-windows-authentication-with-iis-hosted-wcf-service/

2) https://msdn.microsoft.com/en-us/library/ms730088(v=vs.110).aspx

3) https://msdn.microsoft.com/en-us/library/ff647248.aspx


Ray Wang from DSI team