Saturday, 31 August 2013

WCF Interoperability Kerberos SPNego Enabled Web Service

We have a test Windows Server 2012 Domain. There are two computers which
are members of this Domain.
One computer is being developed by the Oracle Corporation and is running a
version of Linux on a Virtual Machine. This machine is hosting a SPNego
Kerberos authenticated Web Service presumably hosted by IBM WebSphere.
The other computer is a Windows XP Client hosted on a Microsoft Virtual
Machine.
We created the SPNs inside of Active Directory to authenticate users
using Kerberos.
We then tested the Web Service using a browser. The WSDL address brought
back the SOAP data perfectly.
However, when trying to create a Client Proxy of the Web Service to use
inside a WCF 4.5 project, there are all kinds of security-related errors
being raised:
The remote HTTP server did not satisfy the mutual authentication requirement.
The remote server returned an error: (405) Method Not Allowed.
Below is the client-side App.config file used to connect to the Web Service:
<configuration>
  <system.serviceModel>
    <client>
      <endpoint address="http://oag:8080/pos/GetStoreConfigurationService"
                binding="wsFederationHttpBinding"
                bindingConfiguration="wsFederationHttpBinding_ESLGetStoreConfigurationBinding"
                behaviorConfiguration="ServiceBehavior"
                contract="ESLGetStoreConfigurationPortType"
                name="wsFederationHttpBinding_ESLGetStoreConfigurationPort">
        <identity>
          <!-- Kerberos SPN the client expects the service to prove ownership of;
               it must match the SPN registered in AD for the service account. -->
          <servicePrincipalName value="http/oag:8080"/>
        </identity>
      </endpoint>
    </client>
    <bindings>
      <customBinding>
        <!-- Binding used to talk to the token issuer referenced further down. -->
        <binding name="UsernameBinding">
          <binaryMessageEncoding />
          <security authenticationMode="Kerberos"
                    requireSecurityContextCancellation="false"
                    requireSignatureConfirmation="false"
                    messageProtectionOrder="EncryptBeforeSign"
                    requireDerivedKeys="false"
                    enableUnsecuredResponse="true"
                    allowInsecureTransport="true"
                    securityHeaderLayout="Lax">
          </security>
          <httpTransport authenticationScheme="Negotiate"
                         transferMode="Buffered"
                         maxReceivedMessageSize="67819876"/>
        </binding>
      </customBinding>
      <wsFederationHttpBinding>
        <binding name="wsFederationHttpBinding_ESLGetStoreConfigurationBinding">
          <!-- Message-level security: the client first obtains a token from the
               issuer at 192.168.100.25 and then presents it to the service. -->
          <security mode="Message">
            <message negotiateServiceCredential="true"
                     establishSecurityContext="false"
                     algorithmSuite="Basic128">
              <issuer address="http://192.168.100.25"
                      bindingConfiguration="UsernameBinding"
                      binding="customBinding">
                <identity>
                  <dns value="WIN-7TN6ALB4TVK.oag-dev.sei"/>
                </identity>
              </issuer>
            </message>
          </security>
        </binding>
      </wsFederationHttpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="ServiceBehavior">
          <clientCredentials>
            <windows allowedImpersonationLevel="Identification"/>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
  <system.web>
    <!-- system.web/identity only applies to ASP.NET hosting; in a client
         App.config it has no effect, and it leaves a domain password in
         clear text on disk. -->
    <identity impersonate="false" userName="oag-server"
              password="Password!"/>
  </system.web>
</configuration>
Providing Network Credentials was also done in code; but alas, to no avail.
Thank you.
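As an added example (editor's, not part of the original post or of the WebSphere project), here is the client configuration I would try instead. An SPNego-protected WebSphere endpoint authenticates the caller at the HTTP layer with Negotiate/Kerberos, so the WCF client should present Windows credentials on the transport (basicHttpBinding with TransportCredentialOnly) rather than run WS-Federation message security against a separate token issuer. The host name oag.oag-dev.sei and the SPN HTTP/oag.oag-dev.sei are assumptions: the SPN value has to equal the one registered in AD for the account WebSphere runs as (if it was registered with the port, use HTTP/oag.oag-dev.sei:8080), and the endpoint address must use the same name the SPN was registered for, not a short name or an IP, or the client requests the wrong ticket. With allowNtlm="false" the client refuses the silent fall-back to NTLM, which is the usual cause of "The remote HTTP server did not satisfy the mutual authentication requirement" when Negotiate is in use.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- SOAP over HTTP with Windows (Negotiate -> Kerberos) authentication
             at the HTTP layer, which is what an SPNego-protected endpoint expects. -->
        <binding name="SpnegoHttpBinding" maxReceivedMessageSize="67819876">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <client>
      <!-- Assumed FQDN: use the name the SPN was registered for, not a short
           name or an IP address, so the client asks the KDC for the right ticket. -->
      <endpoint address="http://oag.oag-dev.sei:8080/pos/GetStoreConfigurationService"
                binding="basicHttpBinding"
                bindingConfiguration="SpnegoHttpBinding"
                behaviorConfiguration="KerberosClientBehavior"
                contract="ESLGetStoreConfigurationPortType"
                name="ESLGetStoreConfigurationPort">
        <identity>
          <!-- Assumed SPN; must match what setspn registered for the
               account running the WebSphere service. -->
          <servicePrincipalName value="HTTP/oag.oag-dev.sei" />
        </identity>
      </endpoint>
    </client>
    <behaviors>
      <endpointBehaviors>
        <behavior name="KerberosClientBehavior">
          <clientCredentials>
            <!-- The logged-on domain user's TGT is used; no password in config.
                 allowNtlm="false" makes an NTLM fall-back fail loudly instead
                 of producing the mutual-authentication error. -->
            <windows allowedImpersonationLevel="Identification" allowNtlm="false" />
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

Before blaming the client, confirm the SPN itself on a domain controller with `setspn -Q HTTP/oag.oag-dev.sei`: it must resolve to exactly one account, the one WebSphere's keytab was generated for. A missing or duplicated SPN makes Negotiate degrade to NTLM, which the WebSphere side will reject and which the WCF side reports as the mutual-authentication failure.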
