Question
I apologize in advance for the length of this question, but I wanted to be sure to provide complete information as I have been researching it for weeks.
As a follow-up to this question on WCF authorization errors, I'm trying to determine how to specify the SPN (or should this be a UPN?) for the service.
My issue is currently that when attempting to contact the service I go through a load balancer. The load balancer alternately sends me to one of two servers, svcserv1 or svcserv2. I have not specified anything beyond the load balancer domain name in my service code, yet when the application connects to one server it is fine and the other always fails authentication.
After turning on Kerberos logging, this is a snippet from svcserv1 (a virtual server) which shows the success. Note that this success is referencing the second server (svcserv2), which is a physical server.
Logon attempt using explicit credentials:
Logged on user:
User Name: jsweb
Domain: DOMAIN
Logon ID: (0x0,0x6278B2DA)
Logon GUID: {ca6e029d-4073-3f85-5ff5-16514b9acc03}
User whose credentials were used:
Target User Name: jsweb
Target Domain:
Target Logon GUID: -
Target Server Name: svcserv2.domain.com
Target Server Info: svcserv2.domain.com
Caller Process ID: 6680
Source Network Address: -
Source Port: -
The failure is when communicating with svcserv1 and is as follows:
Logon attempt using explicit credentials:
Logged on user:
User Name: jsweb
Domain: DOMAIN
Logon ID: (0x0,0x6278B2DA)
Logon GUID: {ca6e029d-4073-3f85-5ff5-16514b9acc03}
User whose credentials were used:
Target User Name: jsweb
Target Domain:
Target Logon GUID: -
Target Server Name: svcserv1.domain.com
Target Server Info: svcserv1.domain.com
Caller Process ID: 6680
Source Network Address: -
Source Port: -
Logon Failure:
Reason: An error occurred during logon
User Name: jsweb
Domain:
Logon Type: 3
Logon Process: ˜]
Authentication Package: NTLM
Workstation Name: SVCSERV1
Status code: 0xC000006D
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.1.36.80
Source Port: 56078
The 'Logon Failure' response appears in the event viewer from user 'NT AUTHORITY\SYSTEM' so I'm assuming this is who the service is running as. The jsweb id (above) is set up in the web.config as the impersonating identity: <identity impersonate="true" userName="DOMAIN\jsweb" password="password"/>
For this reason it seems to me that it should be generating an SPN (host/hostname) but in the case of a clustered environment it makes more sense that a UPN (username@domainName) should be generated. Sorry if I can't be more specific here. Is there a way for me to see which is being expected/transmitted? This article states that "If you set the SPN or UPN equal to an empty string, a number of different things happen, depending on the security level and authentication mode being used. If you are using transport level security, NT LanMan (NTLM) authentication is chosen." Since I am using
<security mode="TransportCredentialOnly">
    <transport clientCredentialType="Windows"/>
</security>
and, apparently?, the SPN is blank, then it is defaulting to NTLM. This can be seen in the failure output above next to 'Authentication Package'.
Further referencing MSDN indicates that "When you use NT LanMan (NTLM) for authentication, the service identity is not checked because, under NTLM, the client is unable to authenticate the server." So this explains the issue, but I have not been able to determine the solution. I have not specified the <identity> for the endpoint but have tried to use the clustered domain name ...
<endpoint>
    <identity>
        <dns value="svcserv"/>
    </identity>
</endpoint>
...but this has not worked.
I did find this disappointing Microsoft knowledgebase article titled, 'Authentication delegation through Kerberos does not work in load-balanced architectures' but I have to believe that it is possible since the use of a load balancer is not unusual. Perhaps I am chasing my own tail since in 'Setting up Kerberos Authentication against the cluster name Service Principal Name' (specifically Phase 3: Administration of Client) it is stated that "There are really no special steps to be performed at the client. The client computer has to use the SPN registered on the domain user account" so am I at the mercy of the server admin team?
Thanks for any help and feel free to ask for clarification.
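Added example, not from the question above or from the WCF documentation: a client-side WCF configuration that names the service identity explicitly for the load-balanced name instead of leaving it blank (which, as the quoted article says, makes transport security fall back to NTLM). It assumes basicHttpBinding, the address http://svcserv.domain.com/Service.svc, the contract name IService, and that the SPN HTTP/svcserv.domain.com is registered on the account the service actually runs as; for Windows credentials WCF reads the servicePrincipalName or userPrincipalName identity element, whereas the dns element is what gets matched against an X.509 certificate.

```xml
<!-- Client web.config / app.config fragment (assumed names; see lead-in). -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- Same security mode as in the question: Windows credentials over plain HTTP. -->
      <binding name="windowsTransport">
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Windows"/>
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <client>
    <!-- Address and identity both use the load-balanced name, never svcserv1/svcserv2:
         the ticket the client requests must match one SPN that is valid behind
         whichever node the balancer picks. -->
    <endpoint address="http://svcserv.domain.com/Service.svc"
              binding="basicHttpBinding"
              bindingConfiguration="windowsTransport"
              contract="IService">
      <identity>
        <!-- SPN form: HTTP/<fqdn>. With Windows credentials this is the identity
             WCF negotiates against; a dns identity only applies to certificates. -->
        <servicePrincipalName value="HTTP/svcserv.domain.com"/>
        <!-- Alternative when the service runs as a domain user with no SPN registered
             (constructed UPN from the DOMAIN\jsweb identity in the question):
             <userPrincipalName value="jsweb@domain.com"/> -->
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
```

Whether HTTP/svcserv.domain.com is registered, and on which account, can be checked from a domain-joined machine with `setspn -Q HTTP/svcserv.domain.com`; the SPN must sit on the account the worker process runs as (the machine account covers it only when the service runs as a built-in identity such as NETWORK SERVICE).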
Source: https://stackoverflow.com/questions/7422194/wcf-identity-definition-in-clustered-environment