Wednesday, May 12, 2010

Access SQL Server with WCF Kerberos and allow double hop impersonation

If you need to access SQL Server from a WCF service using Kerberos (so that the caller's credentials are passed through and impersonation works on the second hop), first configure SQL Server to run under a domain account, mark both the SQL Server computer account and that domain account as trusted for delegation in Active Directory, and register the SQL Server SPNs for the service account with setspn. The service class that SQL Server clients request is MSSQLSvc, so the SPNs have to use that name:

setspn -a MSSQLSvc/machinename Domain\ServiceUserName
setspn -a MSSQLSvc/machinenameFQDN Domain\ServiceUserName
setspn -a MSSQLSvc/machinename:1433 Domain\ServiceUserName
setspn -a MSSQLSvc/machinenameFQDN:1433 Domain\ServiceUserName


A sample code of the WCF Service can be as follows:


using System;
using System.ServiceModel;
using System.ServiceProcess;

// Windows Service that hosts the WCF service. The type handed to ServiceHost
// must implement the IMyWCFService contract named in the configuration file.
public class MyWCFService : ServiceBase
{
    private ServiceHost serviceHost = null;

    protected override void OnStart(string[] args)
    {
        // Close a host left over from a previous start before creating a new one
        if (serviceHost != null)
        {
            serviceHost.Close();
        }

        // Endpoints, base address and behaviors come from the application configuration file
        serviceHost = new ServiceHost(typeof(MyWCFService));
        serviceHost.Open();
    }

    protected override void OnStop()
    {
        if (serviceHost != null)
        {
            serviceHost.Close();
            serviceHost = null;
        }
    }

    public static void Main()
    {
        ServiceBase.Run(new MyWCFService());
    }
}



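The post shows how the service is hosted but not what the operation that reaches SQL Server has to look like. The following is an added example, not code from the original post: a service operation that runs under the delegated identity of the WCF caller and opens SQL Server with integrated security, so the second hop (WCF service to SQL Server) is authenticated as the original client rather than as Domain\WCFAccount. The contract IMyWCFService, the operation name, the implementing class name and the connection string are assumptions; the SQL Server host name is a placeholder. The check on the token's impersonation level turns the usual symptom of a broken double hop (SQL Server reporting a login failure for NT AUTHORITY\ANONYMOUS LOGON) into a message that points at the delegation configuration.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.ServiceModel;

// Assumed contract; the post's configuration names it but does not define it.
[ServiceContract]
public interface IMyWCFService
{
    [OperationContract]
    string WhoAmIOnSqlServer();
}

public class MyWCFServiceImpl : IMyWCFService
{
    // Constructed placeholder: point this at the SQL Server whose MSSQLSvc SPNs
    // were registered with setspn. Integrated Security makes SqlClient use the
    // Windows token of the thread that calls Open().
    private const string ConnectionString =
        "Data Source=sqlserver.domain.local;Initial Catalog=master;Integrated Security=SSPI";

    // Impersonation = Required makes WCF run this operation on the caller's
    // Windows token. That token can only be used for a further hop if the
    // client allowed delegation and Kerberos (not NTLM) was negotiated.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoAmIOnSqlServer()
    {
        ServiceSecurityContext context = ServiceSecurityContext.Current;
        if (context == null || context.IsAnonymous)
        {
            throw new FaultException("No Windows security context; the endpoint is not using Transport/Windows security.");
        }

        WindowsIdentity caller = context.WindowsIdentity;
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            // Fail with a diagnosable message instead of letting SQL Server reject
            // an anonymous logon on the second hop.
            throw new FaultException(
                "Caller token level is " + caller.ImpersonationLevel +
                "; a double hop needs Delegation (check the SPNs, the trusted-for-delegation flags " +
                "and the client's AllowedImpersonationLevel).");
        }

        using (SqlConnection connection = new SqlConnection(ConnectionString))
        {
            connection.Open();
            // SUSER_SNAME() shows who SQL Server believes is connected; auth_scheme
            // confirms that the hop was authenticated with KERBEROS rather than NTLM.
            using (SqlCommand command = new SqlCommand(
                "SELECT SUSER_SNAME() + ' via ' + auth_scheme " +
                "FROM sys.dm_exec_connections WHERE session_id = @@SPID", connection))
            {
                return (string)command.ExecuteScalar();
            }
        }
    }
}
```

When the configuration is right, the returned string names the original client (not the service account) and ends in "via KERBEROS"; "via NTLM" means the SPN the client asked for was not found and SSPI fell back to NTLM, which cannot be delegated.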

The application configuration file can be as follows:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <!-- Defaults apply: Transport security with Windows client credentials,
             which is what negotiates Kerberos -->
        <binding name="tcpBinding" />
      </netTcpBinding>
    </bindings>
    <services>
      <service behaviorConfiguration="MyServiceBehaviorWCF" name="MyWCFService">
        <endpoint address="mex" binding="mexTcpBinding" bindingConfiguration="" contract="IMetadataExchange" />
        <endpoint binding="netTcpBinding" bindingConfiguration="tcpBinding"
          name="Tcp" contract="IMyWCFService" />
        <host>
          <baseAddresses>
            <add baseAddress="net.tcp://machineA.domain.local:9000/MyWCFService" />
          </baseAddresses>
        </host>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="MyServiceBehaviorWCF">
          <!-- httpGetEnabled="true" needs an http base address, which this host does not have;
               metadata is published through the mex endpoint over mexTcpBinding instead -->
          <serviceMetadata httpGetEnabled="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>

When you install the Windows Service that hosts the WCF service, you need to set the account under which it runs, for example Domain\WCFAccount.

The WCF client needs to be configured as follows. Pay attention to the identity section: you must specify the SPN if you want Kerberos to be used.

<configuration>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <binding name="tcpBinding" />
      </netTcpBinding>
    </bindings>
    <client>
      <!-- The address must match the service's base address (the endpoint on the
           service side has no relative address of its own) -->
      <endpoint address="net.tcp://machineA.domain.local:9000/MyWCFService" binding="netTcpBinding"
        bindingConfiguration="tcpBinding" contract="IMyWCFService">
        <identity>
          <servicePrincipalName value="MyWCFService/machineA.domain.local" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>


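The client configuration above selects Kerberos through the SPN identity, but it does not show the one client-side setting a double hop depends on: the client has to allow its token to be delegated, otherwise the service receives an Impersonation-level token that is good for the first hop only. The following is an added example, not code from the original post, that builds the same endpoint in code with that setting included; IMyWCFService and its WhoAmIOnSqlServer operation are assumptions, and the address and SPN are the ones from the post's configuration.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Assumed contract, mirroring the operation the service is expected to expose.
[ServiceContract]
public interface IMyWCFService
{
    [OperationContract]
    string WhoAmIOnSqlServer();
}

public static class KerberosClient
{
    public static ChannelFactory<IMyWCFService> CreateFactory()
    {
        // Same as <binding name="tcpBinding" /> with its defaults: transport
        // security, Windows credentials.
        NetTcpBinding binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;

        // The SPN identity is what makes the client request a Kerberos ticket for
        // MyWCFService/machineA.domain.local. If that exact string is not registered
        // on the service account, SSPI silently falls back to NTLM, which cannot be
        // delegated, and the second hop fails.
        EndpointAddress address = new EndpointAddress(
            new Uri("net.tcp://machineA.domain.local:9000/MyWCFService"),
            EndpointIdentity.CreateSpnIdentity("MyWCFService/machineA.domain.local"));

        ChannelFactory<IMyWCFService> factory = new ChannelFactory<IMyWCFService>(binding, address);

        // Equivalent to <clientCredentials><windows allowedImpersonationLevel="Delegation" />
        // </clientCredentials> in an endpoint behavior. The default (Identification) never
        // lets the service act as the caller towards SQL Server.
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;
        return factory;
    }

    public static void Main()
    {
        ChannelFactory<IMyWCFService> factory = CreateFactory();
        IMyWCFService proxy = factory.CreateChannel();
        try
        {
            Console.WriteLine(proxy.WhoAmIOnSqlServer());
            ((IClientChannel)proxy).Close();
        }
        catch (FaultException ex)
        {
            // The service reports a missing Delegation-level token as a fault
            Console.WriteLine("Service rejected the call: " + ex.Message);
            ((IClientChannel)proxy).Abort();
        }
        finally
        {
            factory.Close();
        }
    }
}
```

Granting Delegation should be limited to clients that genuinely need the service to act on their behalf; combined with constrained delegation on Domain\WCFAccount it keeps the service from using the client's ticket for anything other than the intended SQL Server.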

How do I configure the servicePrincipalName for my service? You need to use the Windows Service name (MyWCFService):

  1. Add Domain\WCFAccount to the Active Directory.
  2. Add the SPN for the WCF hosting service on the machine where you are running the service:
  3. setspn -a MyWCFService/machineA.domain.local:9000 Domain\WCFAccount
  4. setspn -a MyWCFService/machineA:9000 Domain\WCFAccount
  5. Mark the account Domain\WCFAccount as trusted for delegation.
  6. Start the Windows Service.
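Before starting the service it is worth verifying what steps 1 to 5 should have produced in Active Directory, because the two failure modes of this setup (an SPN that is missing or registered on the wrong account, and the same SPN on two accounts) both end in a silent fallback to NTLM rather than an error at the service. The following is an added example, not code from the original post, that queries the domain with System.DirectoryServices for each SPN and reports whether it exists once, on Domain\WCFAccount, and whether that account carries the trusted-for-delegation flag. Kerberos compares SPNs as exact strings, so the list also includes the port-less form that the client configuration's servicePrincipalName element asks for; if only the :9000 forms are registered, that entry shows as MISSING. The account name and SPNs are the ones from the post.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

public static class SpnCheck
{
    // ADS_UF_TRUSTED_FOR_DELEGATION: the userAccountControl bit that
    // "Trust this user for delegation to any service (Kerberos only)" sets.
    private const int TrustedForDelegation = 0x80000;

    // Returns one diagnostic line per SPN: OK, WRONGACCT, MISSING or DUPLICATE.
    // A duplicate SPN prevents the KDC from issuing a ticket for it at all.
    public static List<string> Check(string[] spns, string expectedSamAccountName)
    {
        List<string> report = new List<string>();

        using (DirectoryEntry rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            string defaultNamingContext = (string)rootDse.Properties["defaultNamingContext"].Value;

            using (DirectoryEntry domain = new DirectoryEntry("LDAP://" + defaultNamingContext))
            {
                foreach (string spn in spns)
                {
                    using (DirectorySearcher searcher = new DirectorySearcher(domain))
                    {
                        searcher.Filter = "(servicePrincipalName=" + spn + ")";
                        searcher.PropertiesToLoad.Add("sAMAccountName");
                        searcher.PropertiesToLoad.Add("userAccountControl");

                        using (SearchResultCollection hits = searcher.FindAll())
                        {
                            if (hits.Count == 0)
                            {
                                report.Add("MISSING   " + spn);
                                continue;
                            }
                            if (hits.Count > 1)
                            {
                                report.Add("DUPLICATE " + spn + " (" + hits.Count + " accounts)");
                                continue;
                            }

                            SearchResult hit = hits[0];
                            string sam = (string)hit.Properties["sAMAccountName"][0];
                            int uac = (int)hit.Properties["userAccountControl"][0];
                            bool delegation = (uac & TrustedForDelegation) != 0;
                            bool rightAccount = string.Equals(sam, expectedSamAccountName,
                                StringComparison.OrdinalIgnoreCase);

                            report.Add(string.Format("{0} {1} on {2}, trusted for delegation: {3}",
                                rightAccount ? "OK       " : "WRONGACCT", spn, sam, delegation));
                        }
                    }
                }
            }
        }

        return report;
    }

    public static void Main()
    {
        string[] spns =
        {
            "MyWCFService/machineA.domain.local:9000",
            "MyWCFService/machineA:9000",
            "MyWCFService/machineA.domain.local"   // what the client's identity element requests
        };

        foreach (string line in Check(spns, "WCFAccount"))
        {
            Console.WriteLine(line);
        }
    }
}
```

Run it as a domain user on a domain-joined machine; reading servicePrincipalName and userAccountControl needs no special rights. Every line should read OK with "trusted for delegation: True" before the Windows Service is started.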



Ing. Eduardo Castro Martínez, PhD – Microsoft SQL Server MVP

Costa Rica


Note: Cross posted from Eduardo Castro.

