Any good Resources for WCF Delegation?

I'm trying to set up WCF Delegation, without success (the scenario is Client > Frontend Server > Backend Server).

In theory, this should be straightforward using Kerberos (I do have a Windows Domain), but in practice I'm running into weird errors with things like SSPI or even basic message security.

I found countless shallow resources, and forum posts where people had problems and were essentially just guessing solutions through trial and error. I looked at the Table of Contents of some so-called "Pro" and "Expert" WCF Books, but Delegation seems to be something no one wants to cover (in fact, there is a typo in one of the Exceptions that .NET throws that makes me feel not even Microsoft really bothers with it).

Anyway, is there any resource where someone that actually has a clue and the confidence to explain the whole process A-Z, using a methodological approach with actual explanations and not just meaningless code blocks that don't work and are never explained?

Michael Stum asked Nov 05 '22 22:11


2 Answers

This is more a Kerberos problem than a WCF problem.

The basic idea is that the client makes a request under a security context to the frontend server, then this security context is sent on to the backend server.

This cannot just be fixed in code. The computer that forwards the Kerberos token must be trusted to do that. The account that the code is running under must also be trusted to forward the security token.

For general Kerberos: http://support.microsoft.com/kb/907272

This is Kerberos for SharePoint, but there is a lot in common: http://blogs.msdn.com/b/martinkearn/archive/2007/04/23/configuring-kerberos-for-sharepoint-2007-part-1-base-configuration-for-sharepoint.aspx

Shiraz Bhaiji answered Nov 11 '22 14:11


The WCF code for this is actually fairly straightforward. Getting your service account configured and Kerberos behaving can be quite hard.

The reason you are having such a hard time finding examples is that very few people actually do it. The process that does the delegating must be running under an account that is "trusted for delegation" in Active Directory (on the domain controller). This ability is so powerful that many IT departments have an explicit policy against it.

There is a concept of "constrained delegation" that defines which resources can be accessed, but again this is defined in Active Directory and not your code. Before you continue your coding I suggest making sure you have the ability to make the needed changes to Active Directory. Enabling an account for delegation is a battle I lost at more than one company.

For references I suggest:

  • WCF Security Guide on Codeplex
  • How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0

Yes, both of these references are a little old, but they both apply. All of the constrained delegation steps listed in the "How To" are for Active Directory and not tied to ASP.

ErnieL answered Nov 11 '22 14:11
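To show what "the WCF code is fairly straightforward" looks like for the Client > Frontend > Backend scenario, here is an added example (not code from either answer or from the question). The contract name, the `*.corp.example` hostnames and the `HTTP/...` SPNs are assumed; the frontend includes the token-level check a practitioner should run before assuming the problem is in code rather than in Active Directory.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
// Shared contract (hypothetical name, not from the thread).
[ServiceContract]
public interface IWhoAmI { [OperationContract] string WhoAmI(); }

// Backend: reports the Windows identity it sees. With working delegation this is
// the original client's account, not the frontend's service account.
public class BackendService : IWhoAmI
{
    public string WhoAmI() => ServiceSecurityContext.Current.WindowsIdentity.Name;
}

// Frontend: runs the operation under the caller's token and makes the second hop.
public class FrontendService : IWhoAmI
{
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoAmI()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        // Check this before blaming WCF: the second hop needs a Delegation-level token.
        // Identification or Impersonation level means the client did not permit
        // delegation, or AD does not trust this service account to delegate.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new FaultException(string.Format(
                "Token for {0} is {1}, not Delegation; check the client's " +
                "AllowedImpersonationLevel and the service account's AD delegation settings.",
                caller.Name, caller.ImpersonationLevel));
        return Connect("backend").WhoAmI();
    }

    // Builds a Windows-authenticated channel. Naming the SPN forces Kerberos;
    // an NTLM fallback (unregistered SPN, wrong service account) cannot delegate.
    public static IWhoAmI Connect(string host,
        TokenImpersonationLevel level = TokenImpersonationLevel.Delegation)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        var address = new EndpointAddress(
            new Uri("http://" + host + ".corp.example/whoami"),
            EndpointIdentity.CreateSpnIdentity("HTTP/" + host + ".corp.example"));
        var factory = new ChannelFactory<IWhoAmI>(binding, address);
        // The caller must explicitly allow the next hop to delegate its identity.
        factory.Credentials.Windows.AllowedImpersonationLevel = level;
        return factory.CreateChannel();
    }
}
// Client side: FrontendService.Connect("frontend").WhoAmI() should return the
// client's own account name (e.g. CORP\alice) once AD and the SPNs are correct.
```

If the frontend's check fails even though the client sets `Delegation`, the fix is in Active Directory (the service account's delegation settings and SPN registration), exactly as both answers say, not in the WCF code.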