Not passing Credentials to WCF Service resulting in a 401

I'm tearing my hair out on this one. I have a WCF service that I can call through the browser and it works fine, but when I call it from the web application with the method below I get a (401) Unauthorized error, and the service does not get called. What's more, when I run my web application from my local machine (debug mode using IIS Express) pointed at my dev server (IIS7) it works, but when I deploy my web application to the dev server and point it to the dev server services it fails with the 401 error. I think this is something to do with IIS7 but I'm not 100% sure, and any help would be super useful.

I have looked online for the answers but thus far the best I have found is this.

My service call is as follows:

using System.IO;
using System.Net;
using System.Net.Security;
using Newtonsoft.Json;

// Householding.Common.ServiceHelper
private static T ServiceGetSingle<T>(string url)
{
    var request = (HttpWebRequest) WebRequest.Create(url);
    request.Method = "GET";
    request.ContentType = "application/json; charset=utf-8";
    request.AuthenticationLevel = AuthenticationLevel.MutualAuthRequested;
    // DefaultCredentials is the identity of the calling thread: the app pool
    // account, or the impersonated browser user when impersonation is enabled.
    request.Credentials = CredentialCache.DefaultCredentials;

    using (WebResponse response = request.GetResponse())
    using (Stream stream = response.GetResponseStream())
    using (var sReader = new StreamReader(stream))
    {
        string outResult = sReader.ReadToEnd();
        return (T) JsonConvert.DeserializeObject(outResult, typeof (T));
    }
}

My configuration for the service looks like this :

  <service name="RGMPServices.Householding.Services.AccountService" behaviorConfiguration="Default">
    <endpoint address="" kind="webHttpEndpoint" endpointConfiguration="SecuredHttpEndpointBinding" contract="RGMPServices.Householding.Contracts.IAccountService" />
  </service>

  <service name="RGMPServices.Householding.Services.HouseholdService" behaviorConfiguration="Default">
    <endpoint address="" kind="webHttpEndpoint" endpointConfiguration="SecuredHttpEndpointBinding" contract="RGMPServices.Householding.Contracts.IHouseholdService" />
  </service>

  <service name="RGMPServices.Householding.Services.UserService" behaviorConfiguration="Default">
    <endpoint address="" kind="webHttpEndpoint" endpointConfiguration="SecuredHttpEndpointBinding" contract="RGMPServices.Householding.Contracts.IUserService" />
  </service>
</services>

<behaviors>
  <endpointBehaviors>
    <behavior name="webBehaviour">
      <webHttp />
    </behavior>
  </endpointBehaviors>
  <serviceBehaviors>
    <behavior name="Default">
      <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="true" />
    </behavior>
  </serviceBehaviors>
</behaviors>

<standardEndpoints>
  <webHttpEndpoint>
    <standardEndpoint name="SecuredHttpEndpointBinding" helpEnabled="true" automaticFormatSelectionEnabled="true">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows" />
      </security>
    </standardEndpoint>
  </webHttpEndpoint>
</standardEndpoints>

I have put some logging on the client service call, just before I call the service; the output is:

DEBUG 2013-10-01 13:15:13,569 452ms ServiceGetSingle - Passing Login: MYLANDOMAIN\MYLANUSERNAME

ERROR 2013-10-01 13:15:13,631 514ms ServiceGetSingle - ERROR Calling ServiceGetSingle with user credentials login: MYLANDOMAIN\MYLANUSERNAME System.Net.WebException: The remote server returned an error: (401) Unauthorized. at System.Net.HttpWebRequest.GetResponse() at Householding.Common.ServiceHelper.ServiceGetSingle[T](String url)

The code looks like:

logger.Debug("Passing Login: "
    + System.Security.Principal.WindowsIdentity.GetCurrent().Name);

Even when I set the AppPool for my website to my domain account it still does not authorise me to access the WCF Service, but again: it's working from the browser. So weird!

Joshy asked Sep 30 '13 21:09


1 Answer

It seems likely you're a victim of the double-hop issue when using Integrated Windows Authentication (IWA) and Kerberos. The first hop is from your browser to the web application; the second hop is from your web application to the WCF service.

Here are some resources that explain the issue more fully, and may offer a solution:

  • IIS, Windows Authentication and the Double Hop issue
  • Using Integrated Windows Authentication (IWA) in a Distributed Application Architecture
  • Understanding Kerberos Double Hop

You can configure Active Directory to support Kerberos delegation (usually the infrastructure guys don't like this), or you could turn off impersonation and use a "service" account for the web application and IIS app pool that can authenticate with the WCF service on behalf of the end user.

Kit answered Sep 28 '22 20:09
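The two fixes the answer describes, written out as an added PowerShell example (not code from the question or the answer). Every name in it is an assumption: IIS site and app pool `Householding`, web app host `householding.corp.example`, WCF host `devserver.corp.example`, service accounts `CORP\svc_web` (web app pool) and `CORP\svc_wcf` (WCF host pool). It assumes the WebAdministration module on the IIS server and the ActiveDirectory module (RSAT) for the AD steps, run by an account allowed to write SPNs and delegation settings.

```powershell
# Added example, not from the original post. Names below are assumptions.
Import-Module WebAdministration
Import-Module ActiveDirectory

$site     = 'Householding'                 # IIS site hosting the web app
$pool     = 'Householding'                 # its application pool
$webAcct  = 'CORP\svc_web'                 # web app pool identity (assumed)
$wcfSam   = 'svc_wcf'                      # sAMAccountName of the WCF host pool identity (assumed)
$appFqdn  = 'householding.corp.example'    # host name browsers use for the web app (assumed)
$wcfFqdn  = 'devserver.corp.example'       # host name the web app calls for WCF (assumed)

# ---- Option B in the answer: service account, no impersonation -------------
# 1. Run the web app's pool as a dedicated domain account. A domain account has
#    real network credentials, unlike the token an impersonated browser user
#    leaves behind after the first hop.
$cred = Get-Credential -UserName $webAcct -Message 'Password for the web app pool account'
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# 2. Turn impersonation off. CredentialCache.DefaultCredentials in the client
#    code then resolves to svc_web, which authenticates to the WCF service on
#    its own; the WCF service sees svc_web, not the end user.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Filter 'system.web/identity' `
    -Name impersonate -Value $false

# ---- Option A in the answer: Kerberos constrained delegation ---------------
# Use this only if the WCF service must see the end user's identity. Keep
# impersonation on for this option, and never use unconstrained delegation
# ("trust for delegation to any service"): scope it to the one SPN.

# 3. The first hop (browser -> web app) must itself be Kerberos, so the web
#    app's SPN has to live on the pool account and IIS must decrypt tickets
#    with that account's key instead of the machine account's.
setspn -S "HTTP/$appFqdn" $webAcct
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name useAppPoolCredentials -Value $true

# 4. The WCF host needs its own SPN on the account that runs it (its site
#    needs the same useAppPoolCredentials setting as above).
setspn -S "HTTP/$wcfFqdn" "CORP\$wcfSam"

# 5. Allow svc_web to delegate to exactly that service (classic constrained
#    delegation, Kerberos only; protocol transition is deliberately not enabled).
Set-ADUser -Identity ($webAcct -split '\\')[1] -Add @{
    'msDS-AllowedToDelegateTo' = @("HTTP/$wcfFqdn")
}

# ---- Verification ----------------------------------------------------------
# Duplicate SPNs make Kerberos fail for everyone and fall back to NTLM, which
# cannot delegate; check the forest for duplicates after registering.
setspn -X

# From the web server, show the delegation target and which SPNs resolve.
Get-ADUser ($webAcct -split '\\')[1] -Properties msDS-AllowedToDelegateTo |
    Select-Object -ExpandProperty msDS-AllowedToDelegateTo
setspn -L "CORP\$wcfSam"
```

After either option, recycle the pool and watch the 401: with Option B a 401 that persists means svc_web itself is not authorised by the WCF endpoint; with Option A, `klist` on the web server should show a `HTTP/devserver.corp.example` ticket, and an NTLM-only fallback (no such ticket) points at a missing or duplicate SPN rather than at delegation.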