Question
I have a client console application which has got some user credentials - domain\user and plain-text password. The client app obtains a WindowsIdentity object for that user by invoking the LogonUser (dwLogonType: LOGON32_LOGON_NETWORK) Win32 API. I use the WindowsIdentity to impersonate and make a WCF Service call (hosted on a different machine). The WCF Service is configured to use the TCP protocol with Windows integrated security. The call fails with a SecurityNegotiation exception with the error: The remote server did not satisfy the mutual authentication requirement.
My assumption here is that the server sees an anonymous client identity, which it rejects because the endpoint is configured to use Windows integrated authentication. My guess is that the server account needs to be set for Windows delegation. Is my guess correct?
Also,
- Is my choice of dwLogonType = LOGON32_LOGON_NETWORK correct?
- Can the token returned by LogOnUser (dwLogonType = LOGON32_LOGON_NETWORK) be used for making remote WCF calls?
Answer 1:
The one who is impersonating should have the delegation right if it wants to access network resources under the user's identity. In the mentioned scenario the client account (under which the client is running) should have the delegation right since it is impersonating some user and wants to propagate the user identity to a remote WCF Service.
Is my choice of dwLogonType = LOGON32_LOGON_NETWORK correct?
No.
Can the token returned by LogOnUser (dwLogonType = LOGON32_LOGON_NETWORK) be used for making remote WCF calls?
With dwLogonType = LOGON32_LOGON_NETWORK, LogonUser returns a token that cannot be used for propagating the user identity to network resources.
The option dwLogonType = LOGON32_LOGON_NETWORK_CLEARTEXT with LogonUser fixed the issue. With that option LogonUser generated a token that is capable of accessing network resources under the user's identity.
I give complete credit to arx for my solution. It is only with his comment that I could solve the problem.
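As an added example (not code from the original question or answer), this is the token acquisition and scoped impersonation the answer describes, written in C# for .NET Framework. The WCF proxy call is passed in as an assumed delegate, and the domain, user and password values are caller-supplied placeholders.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: obtain a token with LOGON32_LOGON_NETWORK_CLEARTEXT (the logon
// type the answer reports as working) and impersonate it only for the duration of
// the remote call. The impersonating account must still hold the delegation right
// the answer mentions; this code does not grant that.
static class ImpersonatedCall
{
    const int LOGON32_LOGON_NETWORK = 3;            // token cannot authenticate to remote resources
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;  // token can be used for outbound network auth
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs remoteCall under the supplied user's identity. Credential values are
    // placeholders supplied by the caller; never hard-code them in source.
    public static void RunAs(string domain, string user, string password, Action remoteCall)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Surface the Win32 error (bad credentials, account restrictions, etc.)
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        }
        try
        {
            // Impersonation is reverted by Undo(), which Dispose() calls for us.
            using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
            {
                remoteCall();   // e.g. the NetTcpBinding proxy call with Windows credentials
            }
        }
        finally
        {
            CloseHandle(token);   // release the logon token as soon as the call is done
        }
    }
}
```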
Source: https://stackoverflow.com/questions/9149485/does-this-require-windows-delegation-to-be-enabled-for-server-service-account