WCF and Kerberos

Discussion in 'ASP .Net Web Services' started by Rob Vettor, Nov 13, 2007.

  1. Rob Vettor

    Rob Vettor Guest

    Have a question concerning WCF and Kerberos Security.

    We are on-site for a large customer architecting a service-based solution
    that will implement WCF.

    The customer is a large hotel chain that desires a back-office solution that
    can run in stand-alone mode at each hotel property. These properties
    normally connect to a centralized data center, which houses the Active
    Directory servers, but 100% connectivity cannot be guaranteed.

    We are considering proposing a SmartClient solution with a local database
    and application server (for services) at each property. We would like to
    implement our service layer using WCF with WSHttpBinding with a
    clientCredentialType of "Windows" so that we can leverage Kerberos security.

    Question: When a hotel is not connected to the centralized data center, can
    we depend on the credential caches in the local clients and servers to
    support Kerberos authentication for our services?
    Rob Vettor, Nov 13, 2007
    #1

  2. Adding in a Global Catalog Server to each remote location may well be your
    best bet. I know that's the route we've gone - each remote site has its own
    Global Catalog Server so that auth can take place locally, even if the
    network link goes down. We maintain a hardware VPN tunnel (in a hub-spoke
    model) between all the remote sites and our main location.

    I don't think you can do Kerberos unless you can hit a KDC (which for us is
    typically also a Global Catalog Server). You could fall back from Kerberos to
    do NTLM in many cases, but that's nowhere near as secure as the Kerberos
    mechanism. If you're talking about credential caching, I believe you're
    automatically talking about NTLM authentication.

    The "real" answer looks like it's found at:
    http://support.microsoft.com/kb/216970

    "If a GC server cannot be located by the domain controller during this
    process:" ... "If cached credentials exist for the user on the local
    computer, the user is logged on with those credentials. Access to network
    resources must be validated on an individual basis. If the client uses
    Kerberos to use a server's resources, the KDC must be contacted to get a
    ticket for the server, or if NTLM is used, pass-through authentication is
    required."

    With that said, the security infrastructure around AD is not my specialty. I
    know just enough to be dangerous, and not enough to be considered an
    authoritative source...

    Warning: Technobabble ahead. Accuracy not guaranteed. I'm not an expert, but
    I play one on the Internet.

    As a quick aside, I don't believe just putting "Windows" as the model in
    wsHttpBinding is enough to ensure Kerberos authentication. This will use
    the "Negotiate" mechanism of SSPI. In most circumstances this will try
    Kerberos first, and if that fails, will fall back to NTLM auth. The exact
    order of what happens, and what protocols are used is going to depend on how
    your Active Directory is configured. There is tons of material on this
    available on the Web. Look up keywords around SSPI, Negotiate, Kerberos,
    Active Directory, WCF, and NTLM.

    --
    Chris Mullins

    Chris Mullins [MVP - C#], Nov 13, 2007
    #2
    1. Advertising
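As an added illustration (not code from either poster), here is what the aside above translates to in a WCF binding: turning off SPNEGO negotiation so the client requests a Kerberos ticket directly, supplying the service SPN as the endpoint identity, and checking on the service side whether the caller actually authenticated with Kerberos or with an NTLM fallback. The URL and SPN are placeholders.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Added example, not the poster's code. Demonstrates the wsHttpBinding settings
// that make WCF use Kerberos directly instead of the SSPI "Negotiate" package,
// plus a service-side check of which package authenticated the caller.
// The address and SPN below are placeholders for illustration.
public static class KerberosOnlyWcf
{
    // Client/service binding: message security with Windows credentials.
    // NegotiateServiceCredential = false makes WCF use a Kerberos token directly
    // (no SPNEGO), so the service SPN must be known up front and there is no
    // silent NTLM fallback when the KDC at the data center cannot be reached.
    public static WSHttpBinding CreateKerberosOnlyBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        binding.Security.Message.NegotiateServiceCredential = false; // direct Kerberos
        binding.Security.Message.EstablishSecurityContext = true;    // reuse the session
        return binding;
    }

    // Client side: the endpoint identity names the service principal the client
    // asks the KDC for a ticket to, e.g. "HOST/appserver.hotel01.example.com"
    // (placeholder SPN; it must match the account running the service).
    public static EndpointAddress CreateEndpointAddress(string url, string spn)
    {
        return new EndpointAddress(new Uri(url), EndpointIdentity.CreateSpnIdentity(spn));
    }

    // Service side: WindowsIdentity.AuthenticationType reports "Kerberos" when a
    // ticket was presented and "NTLM" when Negotiate fell back (only possible with
    // NegotiateServiceCredential = true). An operation can log this value or
    // reject NTLM-authenticated callers to make the fallback visible.
    public static string CallerAuthenticationType()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous || ctx.WindowsIdentity == null)
            return "none";
        WindowsIdentity caller = ctx.WindowsIdentity;
        return caller.AuthenticationType; // "Kerberos" or "NTLM"
    }
}
```

Call CallerAuthenticationType() from inside a service operation (it reads the current request's security context) to see which mechanism Negotiate actually chose when a property's link to the data center is down.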
