WCF Nightmare

I have been having fun with WCF. I have been trying to switch off anonymous authentication using WSHttpBinding. Then I found this post. It explains that WSHttpBinding over HTTP requires anonymous authentication to be enabled. I had accidentally set this up in an environment that I did make work.

Kerberos Success Story

I have finally worked out how to get Kerberos to work in an application that uses:

  • SharePoint 2007
  • WCF
  • SQL Server 2005

The Microsoft implementation of Kerberos seems to have been thrown together as an afterthought.
The key tool is setspn and that is an optional download which is gui-only and has no protection for the user.
The documentation is generally unclear and there is a lot of erroneous information out there. Some of the functionality required is only visible to some of the domain admins – so that if you don’t have this right then you have no way of knowing what to ask for.

Kerberos is what you need to use to solve the “two hop problem”. This happens when a service that is called by a client needs to impersonate the client to another service. NTLM will simply fail to authenticate and the call is made as the anonymous user.

The process of getting Kerberos to work is actually quite simple once you understand a few details.
The concept is that you must have a chain of trust running from the server all the way back to the client.

  • The client needs to be using Kerberos.
  • The server needs to be using Kerberos.
  • The identity of the process running on the server needs to be trusted for delegation if it wants to call another server.
  • You need to set up a SPN for the called server.
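The four links in that chain of trust, and the two-hop symptom described above, can each be checked from the command line. The following PowerShell script is an added example, not part of the original post, and the host names WEB01.corp.example and SQL01.corp.example, the service account svc_wcf and the SQL port 1433 are placeholders I have assumed. It uses setspn (mentioned above), klist and the ActiveDirectory module (RSAT) to show where the chain is broken: a missing client ticket means the client negotiated NTLM, a missing or duplicate SPN means the KDC cannot issue a ticket for the server, and an account with no delegation rights means the second hop will arrive as the anonymous user.

```powershell
# Added example (not from the original post): walk the Kerberos chain of trust
# for a SharePoint -> WCF -> SQL Server deployment and report where it breaks.
# Assumed placeholders: WEB01.corp.example (WCF front end), svc_wcf (its service
# account), SQL01.corp.example:1433 (SQL Server). Run on a domain-joined client
# with the ActiveDirectory module (RSAT) installed.

param(
    [string]$ServiceAccount = 'svc_wcf',
    [string]$ServiceHost    = 'WEB01.corp.example',
    [string]$BackendHost    = 'SQL01.corp.example',
    [int]$BackendPort       = 1433
)

Import-Module ActiveDirectory

# 1. Is the client actually using Kerberos? A cached HTTP/ service ticket for the
#    front end proves it; if NTLM was negotiated, no such ticket will exist.
Write-Host "== Cached Kerberos tickets on this client =="
$tickets = klist
$tickets
$pattern = [regex]::Escape("HTTP/$ServiceHost")
if (($tickets -join "`n") -notmatch $pattern) {
    Write-Warning "No Kerberos ticket for HTTP/$ServiceHost - the client probably fell back to NTLM."
}

# 2. Does the called server have an SPN, and is it on the account that runs the
#    service? setspn -Q searches the forest for the name; setspn -L lists what the
#    account holds. The SPN must be on the process identity, not on the machine,
#    when the application pool runs as a domain account.
Write-Host "== Forest-wide lookup for HTTP/$ServiceHost =="
setspn -Q "HTTP/$ServiceHost"
Write-Host "== SPNs registered on $ServiceAccount =="
setspn -L $ServiceAccount

# 3. Duplicate SPNs silently break Kerberos (the KDC cannot choose an account and
#    the client falls back to NTLM), so check the whole forest for duplicates.
Write-Host "== Duplicate SPN check (forest-wide) =="
setspn -X

# 4. Is the service identity trusted for delegation, and to which back-end services?
#    TrustedForDelegation = unconstrained delegation; msDS-AllowedToDelegateTo lists
#    constrained targets, which is the least-privilege option to prefer.
$acct = Get-ADUser -Identity $ServiceAccount -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
Write-Host "== Delegation settings for $ServiceAccount =="
[pscustomobject]@{
    Account                 = $acct.SamAccountName
    UnconstrainedDelegation = $acct.TrustedForDelegation
    ConstrainedTargets      = ($acct.'msDS-AllowedToDelegateTo' -join '; ')
} | Format-List

if (-not $acct.TrustedForDelegation -and -not $acct.'msDS-AllowedToDelegateTo') {
    Write-Warning "$ServiceAccount is not trusted for delegation; the second hop to $BackendHost will be made as the anonymous user."
}

# 5. The back end needs its own SPN as well; for SQL Server the form is MSSQLSvc/host:port.
Write-Host "== Forest-wide lookup for MSSQLSvc/${BackendHost}:$BackendPort =="
setspn -Q "MSSQLSvc/${BackendHost}:$BackendPort"
```

Run it as a user who can read the service account's delegation attributes; as the post notes, not every domain admin can see them, and an empty result from Get-ADUser is then a permissions problem rather than a missing setting. The duplicate check in step 3 is worth keeping in a scheduled job, because a second account picking up the same HTTP/ name is the most common way a working Kerberos setup quietly reverts to NTLM.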