Access SQL Server with WCF Kerberos and allow double hop impersonation

If you need to access SQL Server from a WCF service using Kerberos (so that the caller's credentials are passed through the service to SQL Server, the so-called double hop), three things have to be in place on the SQL Server side. First, the SQL Server service must run under a domain account rather than a local account, because only an account in Active Directory can carry the SPN that Kerberos clients use to request a ticket for it. Second, that account needs the MSSQLSvc SPNs registered with setspn. Note that the SPN class for the Database Engine is MSSQLSvc, not MSSQLServer; with the wrong class the KDC finds no matching account, Negotiate quietly falls back to NTLM, and NTLM credentials cannot be delegated. Third, delegation is configured not on the SQL Server computer but on the account that performs the second hop, i.e. the WCF host's service account (see the steps at the end of this post).

Run setspn from an account allowed to write servicePrincipalName on the service account. Use -s rather than -a: -s refuses to add an SPN that is already registered on another account, which is the most common cause of Kerberos silently failing, whereas -a does not check:

setspn -s MSSQLSvc/machinename Domain\ServiceUserName

setspn -s MSSQLSvc/machinenameFQDN Domain\ServiceUserName

setspn -s MSSQLSvc/machinename:1433 Domain\ServiceUserName

setspn -s MSSQLSvc/machinenameFQDN:1433 Domain\ServiceUserName

Check the result with setspn -L Domain\ServiceUserName. Once everything is in place, a connection coming through the WCF service must show KERBEROS in SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID; if it shows NTLM, the double hop is not working even though local connections succeed.


Sample code for the Windows Service that hosts the WCF service can be as follows. The class deriving from ServiceBase is only the host: the type handed to ServiceHost must be the class that implements the IMyWCFService contract, not the host class itself, otherwise ServiceHost.Open fails because the type exposes no contract.

using System.ServiceModel;
using System.ServiceProcess;

// Windows Service that hosts the WCF service. MyWCFService (the class that
// implements IMyWCFService) lives elsewhere in the project; its endpoints,
// bindings and behaviors are read from <system.serviceModel> in the
// application configuration file.
public class MyWCFServiceHost : ServiceBase
{
    private ServiceHost serviceHost = null;

    public MyWCFServiceHost()
    {
        // Name the Windows Service is installed under; the SPNs registered
        // later in this post use this same name.
        ServiceName = "MyWCFService";
    }

    public static void Main()
    {
        ServiceBase.Run(new MyWCFServiceHost());
    }

    protected override void OnStart(string[] args)
    {
        if (serviceHost != null)
        {
            serviceHost.Close();
        }

        serviceHost = new ServiceHost(typeof(MyWCFService));
        serviceHost.Open();
    }

    protected override void OnStop()
    {
        if (serviceHost != null)
        {
            serviceHost.Close();
            serviceHost = null;
        }
    }
}
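The post never shows the WCF service class itself, which is where the second hop actually happens. The following is an added example, not code from the original post: a minimal IMyWCFService implementation that runs its operation under the caller's identity and refuses to touch SQL Server unless the caller arrived via Kerberos with a delegation-level token. The operation name WhoAmIInSql, the SQL Server address sqlhost.domain.local and the use of the master database are assumptions made for the example.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IMyWCFService
{
    // Assumed operation: returns the login SQL Server saw and how it authenticated it.
    [OperationContract]
    string WhoAmIInSql();
}

public class MyWCFService : IMyWCFService
{
    // Assumed SQL Server address. Integrated Security=SSPI is what carries the
    // delegated Kerberos ticket to SQL Server; no password belongs here.
    private const string ConnectionString =
        "Data Source=sqlhost.domain.local,1433;Initial Catalog=master;Integrated Security=SSPI;";

    // Impersonation=Required makes WCF run the operation under the caller's
    // Windows token instead of the host's own Domain\WCFAccount. Without it
    // SQL Server always sees Domain\WCFAccount, whoever called.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoAmIInSql()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;

        // Fail closed instead of letting the second hop degrade. If the SPN
        // did not match, Negotiate quietly picked NTLM; NTLM tokens cannot be
        // forwarded and SQL Server would reject the connection as
        // NT AUTHORITY\ANONYMOUS LOGON.
        if (!string.Equals(caller.AuthenticationType, "Kerberos", StringComparison.OrdinalIgnoreCase))
        {
            throw new FaultException("Kerberos required, caller authenticated with " + caller.AuthenticationType);
        }

        // Identification and Impersonation level tokens are enough to act locally,
        // but only a Delegation level token can open a network connection to
        // another host as the caller.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            throw new FaultException("Caller did not grant delegation-level impersonation, got " + caller.ImpersonationLevel);
        }

        // Both values are SQL Server's own view: SUSER_SNAME() is the login it
        // authenticated, auth_scheme is KERBEROS or NTLM.
        const string sql =
            "SELECT SUSER_SNAME(), auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID";

        using (var connection = new SqlConnection(ConnectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                reader.Read();
                string login = reader.GetString(0);
                string scheme = reader.GetString(1);
                if (scheme != "KERBEROS")
                {
                    // Reached only if Open() succeeded without Kerberos, i.e. the
                    // MSSQLSvc SPN is missing or duplicated and the delegated
                    // ticket was never used on the second hop.
                    throw new FaultException("SQL Server authenticated " + login + " via " + scheme + ", expected KERBEROS");
                }
                return login + " via " + scheme;
            }
        }
    }
}
```

The two checks before the connection are what turn a silent downgrade into a visible fault: in a misconfigured setup the usual symptom is "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" deep inside SqlConnection.Open, with no hint that NTLM was negotiated on the first hop.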

 

The application configuration file can be as follows. Two corrections to watch for: the mex endpoint needs the IMetadataExchange contract, and with only a net.tcp base address the serviceMetadata behavior must not set httpGetEnabled, otherwise ServiceHost.Open fails because there is no http base address to publish the WSDL on. netTcpBinding defaults to transport security with Windows (Negotiate) client credentials, which is what the Kerberos handshake rides on, so the binding needs no extra settings:

<system.serviceModel>
  <bindings>
    <netTcpBinding>
      <!-- defaults apply: security mode="Transport", transport clientCredentialType="Windows" -->
      <binding name="tcpBinding" />
    </netTcpBinding>
  </bindings>
  <services>
    <service behaviorConfiguration="MyServiceBehaviorWCF" name="MyWCFService">
      <endpoint address="mex" binding="mexTcpBinding" contract="IMetadataExchange" />
      <endpoint binding="netTcpBinding" bindingConfiguration="tcpBinding"
        name="Tcp" contract="IMyWCFService" />
      <host>
        <baseAddresses>
          <add baseAddress="net.tcp://machineA.domain.local:9000/MyWCFService" />
        </baseAddresses>
      </host>
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="MyServiceBehaviorWCF">
        <serviceMetadata />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>


When you install the Windows Service that hosts the WCF service, set the account under which it runs, for example Domain\WCFAccount. This is the account that authenticates to SQL Server on the caller's behalf, so it is the one that needs the SPN and the delegation setting described below. It needs no administrative rights on machineA, only the "Log on as a service" right that the installer grants.

The WCF client configuration needs to be configured as follows. Pay attention to two things. The identity section must carry the SPN of the service account; without it WCF negotiates NTLM, and NTLM credentials cannot be delegated to SQL Server. And the client must explicitly allow delegation-level impersonation through an endpoint behavior, because the default level, Identification, lets the service learn who the caller is but not act as the caller against another machine. The endpoint address must also match the service's real address, which is the base address plus the endpoint's empty relative address, i.e. .../MyWCFService:

<system.serviceModel>
  <bindings>
    <netTcpBinding>
      <binding name="tcpBinding" />
    </netTcpBinding>
  </bindings>
  <client>
    <endpoint address="net.tcp://machineA.domain.local:9000/MyWCFService" binding="netTcpBinding"
      bindingConfiguration="tcpBinding" contract="IMyWCFService"
      behaviorConfiguration="delegatingClient" name="IMyWCFService">
      <identity>
        <!-- must be one of the SPNs registered on Domain\WCFAccount, character for character -->
        <servicePrincipalName value="MyWCFService/machineA.domain.local" />
      </identity>
    </endpoint>
  </client>
  <behaviors>
    <endpointBehaviors>
      <behavior name="delegatingClient">
        <clientCredentials>
          <windows allowedImpersonationLevel="Delegation" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
</system.serviceModel>


How do I configure the servicePrincipalName for my service? Any SPN class works as long as the client asks for exactly what is registered; using the Windows Service name (MyWCFService) keeps it recognisable. The value in the client's servicePrincipalName element must be one of the registered SPNs character for character, so register the variants with and without the port for both the short name and the FQDN:

  1. Create Domain\WCFAccount in Active Directory as an ordinary domain user with no group memberships beyond Domain Users.
  2. Register the SPNs for the WCF hosting service on the machine where you are running it. Use -s so that a duplicate SPN on another account is rejected instead of silently breaking Kerberos:
  3. setspn -s MyWCFService/machineA.domain.local Domain\WCFAccount
  4. setspn -s MyWCFService/machineA Domain\WCFAccount
  5. setspn -s MyWCFService/machineA.domain.local:9000 Domain\WCFAccount
  6. setspn -s MyWCFService/machineA:9000 Domain\WCFAccount
  7. Allow Domain\WCFAccount to delegate. The Delegation tab in Active Directory Users and Computers only appears once the account has an SPN, which is why the SPNs come first. Prefer constrained delegation ("Trust this user for delegation to specified services only", "Use Kerberos only") and list just the MSSQLSvc SPNs of the SQL Server the service must reach. Unconstrained delegation ("Trust this user for delegation to any service") lets anyone who compromises the WCF host reuse every caller's ticket against any service in the domain.
  8. Verify with setspn -L Domain\WCFAccount (lists the account's SPNs) and setspn -X (reports duplicate SPNs in the forest), then start the Windows Service. Callers whose accounts are marked "Account is sensitive and cannot be delegated", such as administrators, will be refused at the second hop; that is the intended behaviour, not a configuration error.
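The same client settings expressed in code, covering both the client configuration above and the SPN that the steps register. This is an added example and not code from the original post; it assumes the IMyWCFService contract has a WhoAmIInSql operation (the post never shows the contract's operations) and that the service faults rather than silently degrading when it receives an NTLM or non-delegable token.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IMyWCFService
{
    // Assumed operation: returns the login SQL Server saw and how it authenticated it.
    [OperationContract]
    string WhoAmIInSql();
}

static class Program
{
    static void Main()
    {
        // The defaults the tcpBinding in the config relies on, written out:
        // transport security carrying the caller's Windows credentials.
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;

        // The SPN identity is what makes WCF request a Kerberos service ticket
        // for Domain\WCFAccount. It must match an SPN registered on that account
        // exactly; otherwise Negotiate falls back to NTLM, which cannot be
        // delegated to SQL Server.
        var address = new EndpointAddress(
            new Uri("net.tcp://machineA.domain.local:9000/MyWCFService"),
            EndpointIdentity.CreateSpnIdentity("MyWCFService/machineA.domain.local"));

        using (var factory = new ChannelFactory<IMyWCFService>(binding, address))
        {
            // Equivalent of <windows allowedImpersonationLevel="Delegation" />.
            // The default, Identification, lets the service know who we are but
            // not use our ticket against SQL Server on our behalf.
            factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;

            IMyWCFService proxy = factory.CreateChannel();
            try
            {
                // Expected on a working double hop: "DOMAIN\caller via KERBEROS".
                Console.WriteLine(proxy.WhoAmIInSql());
                ((IClientChannel)proxy).Close();
            }
            catch (FaultException fault)
            {
                // The service refuses NTLM or non-delegable tokens up front
                // rather than letting the SQL hop fail as ANONYMOUS LOGON.
                Console.Error.WriteLine("Service rejected the call: " + fault.Message);
                ((IClientChannel)proxy).Abort();
            }
        }
    }
}
```

Run it as a domain user from a domain-joined machine; a local account or a cached-credentials logon has no TGT to delegate, and the service will report NTLM regardless of how the SPNs are set up.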

 

Regards,

Ing. Eduardo Castro Martínez, PhD – Microsoft SQL Server MVP

http://mswindowscr.org

http://comunidadwindows.org

Costa Rica





Note: Cross posted from Eduardo Castro.
