Access SQL Server with WCF Kerberos and allow double hop impersonation
If you need to access SQL Server from a WCF service using Kerberos (so that the caller's credentials are passed through and impersonation works across the second hop), first configure SQL Server to run under a domain account, mark both the SQL Server computer account and that service account as trusted for delegation in Active Directory, and register the SQL Server SPNs with setspn (the service class SQL Server registers and clients look up is MSSQLSvc; the port distinguishes instances):
setspn -a MSSQLSvc/machinename Domain\ServiceUserName
setspn -a MSSQLSvc/machinenameFQDN Domain\ServiceUserName
setspn -a MSSQLSvc/machinename:1433 Domain\ServiceUserName
setspn -a MSSQLSvc/machinenameFQDN:1433 Domain\ServiceUserName
A sample code of the WCF Service can be as follows:
using System.ServiceModel;
using System.ServiceProcess;

// Windows Service that hosts the WCF service. The type passed to ServiceHost must be the
// class that implements IMyWCFService and is named in the <service name="..."> configuration.
public class MyWCFService : ServiceBase
{
    private ServiceHost serviceHost = null;

    protected override void OnStart(string[] args)
    {
        if (serviceHost != null)
        {
            serviceHost.Close();
        }
        // Endpoints, bindings and behaviors come from <system.serviceModel> in the app.config.
        serviceHost = new ServiceHost(typeof(MyWCFService));
        serviceHost.Open();
    }

    protected override void OnStop()
    {
        if (serviceHost != null)
        {
            serviceHost.Close();
            serviceHost = null;
        }
    }
}
The application configuration file can be as follows:
<system.serviceModel>
  <bindings>
    <netTcpBinding>
      <!-- netTcpBinding uses Windows (Negotiate/Kerberos) transport security by default -->
      <binding name="tcpBinding" />
    </netTcpBinding>
  </bindings>
  <services>
    <service behaviorConfiguration="MyServiceBehaviorWCF" name="MyWCFService">
      <endpoint address="mex" binding="mexTcpBinding" bindingConfiguration="" />
      <!-- no address attribute: the endpoint listens at the net.tcp base address below -->
      <endpoint binding="netTcpBinding" bindingConfiguration="tcpBinding"
                name="Tcp" contract="IMyWCFService" />
      <host>
        <baseAddresses>
          <add baseAddress="net.tcp://machineA.domain.local:9000/MyWCFService" />
        </baseAddresses>
      </host>
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="MyServiceBehaviorWCF">
        <!-- metadata is served over the mexTcpBinding endpoint above; httpGetEnabled="true"
             would make ServiceHost.Open() fail because there is no http base address -->
        <serviceMetadata httpGetEnabled="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
When you install the Windows Service that hosts the WCF service, set the account under which it runs, for example Domain\WCFAccount.
The WCF client must be configured as follows. Pay attention to the identity section: you must specify the service's SPN if you want Kerberos to be used.
<bindings>
  <netTcpBinding>
    <binding name="tcpBinding" />
  </netTcpBinding>
</bindings>
<client>
  <!-- the address must match the service's base address (its net.tcp endpoint has no relative address) -->
  <endpoint address="net.tcp://machineA.domain.local:9000/MyWCFService" binding="netTcpBinding"
            bindingConfiguration="tcpBinding" contract="IMyWCFService"
            name="IMyWCFService">
    <identity>
      <!-- the SPN the client asks the KDC for a ticket to; it must be registered on Domain\WCFAccount -->
      <servicePrincipalName value="MyWCFService/machineA.domain.local"/>
    </identity>
  </endpoint>
</client>
How do I configure the servicePrincipalName for my service? Use the Windows Service name (MyWCFService) as the service class. The value the client puts in servicePrincipalName must match one of the SPNs registered with setspn character for character, port included; if the KDC cannot find the SPN, Negotiate silently falls back to NTLM, which cannot delegate, and the second hop to SQL Server fails.
- Create the Domain\WCFAccount account in Active Directory.
- Add the SPNs for the WCF hosting service on the machine where you run it:
- setspn -a MyWCFService/machineA.domain.local:9000 Domain\WCFAccount
- setspn -a MyWCFService/machineA:9000 Domain\WCFAccount
- Mark the account Domain\WCFAccount as trusted for delegation.
- Start the Windows Service.
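As an added example (not code from the original post), here is a service operation that performs the second hop under the caller's identity and fails closed when the first hop did not produce a delegation-capable Kerberos token, so misconfiguration shows up as a fault instead of a silent NTLM fallback. The class name MyWCFServiceImpl and the connection string are assumptions; it also assumes the client grants delegation by setting allowedImpersonationLevel="Delegation" in its windows clientCredentials endpoint behavior.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IMyWCFService
{
    // Returns the login SQL Server saw and the authentication scheme of that connection.
    [OperationContract]
    string WhoAmIOnSqlServer();
}

public class MyWCFServiceImpl : IMyWCFService
{
    // Assumed connection string; Integrated Security makes SQL Server see the impersonated caller.
    private const string ConnectionString =
        "Server=sqlserver.domain.local,1433;Database=master;Integrated Security=SSPI";

    // Required: WCF impersonates the caller for the duration of this operation.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoAmIOnSqlServer()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;

        // If the SPN lookup failed, Negotiate falls back to NTLM, which cannot be delegated.
        if (!string.Equals(caller.AuthenticationType, "Kerberos", StringComparison.OrdinalIgnoreCase))
            throw new FaultException("Caller authenticated with " + caller.AuthenticationType +
                                     " instead of Kerberos; verify the servicePrincipalName and setspn entries.");

        // Without 'trusted for delegation' (and Delegation allowed by the client) the token
        // is only Impersonation level and cannot be used to reach SQL Server.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new FaultException("Token impersonation level is " + caller.ImpersonationLevel +
                                     "; delegation was not granted for this hop.");

        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = conn.CreateCommand())
        {
            conn.Open();
            // SUSER_SNAME() shows the delegated caller; auth_scheme should read KERBEROS, not NTLM.
            cmd.CommandText =
                "SELECT SUSER_SNAME() + ' via ' + auth_scheme " +
                "FROM sys.dm_exec_connections WHERE session_id = @@SPID";
            return (string)cmd.ExecuteScalar();
        }
    }
}
```

A result such as DOMAIN\alice via KERBEROS confirms the full double hop; DOMAIN\WCFAccount or NTLM in the result points at a missing SPN or delegation setting.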
Regards,
Ing. Eduardo Castro Martínez, PhD – Microsoft SQL Server MVP
Costa Rica