ssl - Kerberos authentication on a self-hosted WCF Data Service
We have a WCF Data Service self-hosted under a Windows service (not using IIS), working securely using SSL and Windows authentication.
After some time playing around with netsh and server certificates, we have the service secured with SSL, and we have enabled Windows authentication on the webHttpBinding in our app.config. However, we are seeing strange behaviour when attempting to authenticate users: some can log in fine, while others have their credentials rejected and are prompted with HTTP 400 errors.
After some testing and digging around, it appears that we might be running into this problem, where the authentication header used by Kerberos may be greater than the maximum permitted header length (which I believe is 16k) for some users. Although there is a documented workaround for IIS, there does not appear to be an equivalent setting we can use for a self-hosted service, or in our app.config, unless I'm missing something? We tried setting the maxReceivedMessageSize and maxBufferSize fields to their maximum values to see if that would make a difference, but apparently not.
Binding config:
<webHttpBinding>
  <binding name="dataservicesbinding"
           maxReceivedMessageSize="2147483647"
           maxBufferSize="2147483647">
    <security mode="Transport">
      <transport clientCredentialType="Windows" />
    </security>
  </binding>
</webHttpBinding>
We've managed to work around the issue temporarily by setting the clientCredentialType in our binding to use Ntlm instead, but we'd like to get Kerberos working if possible, for obvious reasons.
So, it turns out that this was caused by our service not being configured with an SPN (Service Principal Name). This can be done using the setspn tool on Windows Server. (See this MSDN article for more information.)
Once the SPN was applied, Kerberos authentication started to work as expected.
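As an added example (not code from the original post), the following Python classifies a captured `Authorization` header value as NTLM or Kerberos and compares its size with the 16k limit the question mentions, which helps confirm that Kerberos is really in use once the SPN is registered. The sample tokens are constructed and structurally simplified, the function name is hypothetical, and the OID search is a heuristic rather than a full ASN.1 parse.

```python
import base64

HEADER_LIMIT = 16 * 1024  # assumption: the 16k limit the question mentions
NTLM_SIG = b"NTLMSSP\x00"  # every NTLM message starts with this signature
SPNEGO_OID = bytes.fromhex("06062b0601050502")  # 1.3.6.1.5.5.2
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2 (Microsoft)
)

def classify_authorization(value, limit=HEADER_LIMIT):
    """Return (mechanism, header_value_bytes, over_limit) for a header value."""
    size = len(value.encode("latin-1"))
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return ("other", size, size > limit)
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ("malformed", size, size > limit)
    if token.startswith(NTLM_SIG):
        mech = "ntlm"  # raw NTLM: the client did not use Kerberos
    elif token[:1] == b"\x60" and SPNEGO_OID in token[:16]:
        if NTLM_SIG in token:
            mech = "ntlm-in-spnego"
        elif any(oid in token for oid in KRB5_OIDS):
            mech = "kerberos"
        else:
            mech = "spnego-unknown"
    else:
        mech = "unknown"
    return (mech, size, size > limit)

def _constructed_spnego(inner, pad):
    # Constructed stand-in for a SPNEGO token: GSS-API tag, length, OIDs, padding.
    body = SPNEGO_OID + inner + b"\x00" * pad
    return b"\x60\x82" + len(body).to_bytes(2, "big") + body

def _hdr(token):
    return "Negotiate " + base64.b64encode(token).decode("ascii")

SAMPLES = {  # constructed values, not captured traffic
    "ntlm": _hdr(NTLM_SIG + b"\x01\x00\x00\x00" + b"\x00" * 4),
    "kerberos_small": _hdr(_constructed_spnego(KRB5_OIDS[0], 1200)),
    "kerberos_large": _hdr(_constructed_spnego(KRB5_OIDS[0], 13000)),
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, classify_authorization(header))
```

A result of `ntlm` under the Windows credential type means the client fell back from Kerberos, while `over_limit` flags a header larger than the configured limit.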