Identity check failure when using Kerberos message security
Hello.
I’m getting an identity check failure exception when using Kerberos message security to communicate with a self-hosted service.
I’m using the WSHttpBinding binding with the following parameters:
- client credentials set to Windows
- negotiate service credential set to false
- establish security context set to false
The client credentials have the "AllowNtlm" property set to false.
The channel to the service is created with an EndpointAddress containing a UpnEndpointIdentity constructed with “<user>@<domain>”.
Apparently the security token (a Kerberos service ticket in this case) is created; however, its claims are not compatible with the identity of the service EndpointAddress, and I cannot figure out why!
Any help is appreciated.
Thanks.
Pedro Felix
PS. I’m using the July CTP.
Thanks for your quick reply.
1) Both the client and the service are on the same machine.
2) The exception message is:
Unhandled Exception: System.ServiceModel.Security.MessageSecurityException: The identity check failed for the outgoing message. The expected identity is 'identity(http://schemas.microsoft.com/ws/2005/05/identity/right/possessproperty: http://schemas.microsoft.com/ws/2005/05/identity/claims/upn)' for the 'http://...:8080/si/service/ep' target endpoint.
Thanks!
Pedro Felix
It may be that the UPN is not formatted correctly. If you run svcutil on your service and check out what the config looks like, it should give you the correctly formatted UPN in the identity element of the endpoint.
Also, it looks like you're trying to do a one-shot Kerberos call (i.e. one message including all necessary data sent in a single msg) by setting negotiateServiceCredential = false. This is not doable when using a UPN. You must have a registered SPN to do the one-shot. You can test this by running your service as the System account. You can run AT <time> /interactive cmd.exe to open up a command prompt running as System. From there you can run your service. Then change your UPN to <servicePrincipalName value= "HOST/<machinename>.
Let me know if that works out for you.
Thanks!
Scott
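The client-side setup discussed in this thread (WSHttpBinding with Windows message credentials, negotiateServiceCredential and establishSecurityContext both false, NTLM fallback disabled), written out as an added example that is not the original poster's code or Scott's. It assumes a contract named IService, and the service address, SPN and UPN values are placeholders; the `useSpn` switch picks between the UPN identity that raised the MessageSecurityException above and the SPN identity that worked once the host ran as System. The identity check itself is a client-side protection: the client refuses to send a message protected for a service that cannot prove the expected identity, so the exception is the check doing its job rather than something to suppress.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example (not the poster's or the project's code). Assumed: a contract
// IService hosted at the placeholder address below, reachable with Kerberos.
[ServiceContract]
public interface IService
{
    [OperationContract]
    string Ping(string text);
}

public static class KerberosClientFactory
{
    // The binding from the thread: Windows (Kerberos) credentials at the message
    // layer, no service-credential negotiation (one-shot), no secure-conversation
    // session.
    public static WSHttpBinding CreateOneShotKerberosBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        binding.Security.Message.NegotiateServiceCredential = false;
        binding.Security.Message.EstablishSecurityContext = false;
        return binding;
    }

    // The identity the client expects the service to prove. With a UPN the
    // identity check in the thread failed; with an SPN (host running as System)
    // it passed. Both values are placeholders.
    public static EndpointAddress CreateAddress(Uri uri, bool useSpn)
    {
        EndpointIdentity identity = useSpn
            ? EndpointIdentity.CreateSpnIdentity("HOST/machinename.example.com") // placeholder SPN
            : EndpointIdentity.CreateUpnIdentity("serviceaccount@example.com");   // placeholder UPN
        return new EndpointAddress(uri, identity);
    }

    public static ChannelFactory<IService> CreateFactory(Uri uri, bool useSpn)
    {
        var factory = new ChannelFactory<IService>(
            CreateOneShotKerberosBinding(), CreateAddress(uri, useSpn));
        // Refuse the NTLM fallback: a failed Kerberos exchange should fail
        // visibly instead of silently downgrading to a weaker protocol.
        factory.Credentials.Windows.AllowNtlm = false;
        return factory;
    }
}

public static class Program
{
    public static void Main()
    {
        var uri = new Uri("http://localhost:8080/si/service/ep"); // placeholder, mirrors the thread
        ChannelFactory<IService> factory = KerberosClientFactory.CreateFactory(uri, useSpn: true);
        IService client = factory.CreateChannel();
        try
        {
            Console.WriteLine(client.Ping("hello"));
            ((IClientChannel)client).Close();
        }
        catch (MessageSecurityException ex)
        {
            // The exception type from the thread; its message names the identity
            // claim that the obtained service ticket did not satisfy.
            Console.WriteLine("Identity check failed: " + ex.Message);
            ((IClientChannel)client).Abort();
        }
        finally
        {
            factory.Close();
        }
    }
}
```

To reproduce the failure from the first post, call `CreateFactory(uri, useSpn: false)` against a service that is not running under the account named by the UPN; the `catch` block prints the same "identity check failed" text quoted above.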
Hello
Running the host in the System account and using a SPN instead of a UPN works correctly.
However, I don't understand why "one-shot" kerberos is not possible using UPN. Could you tell me why or point me to some resources explaining this. I'm rather familiar with the Kerberos protocol.
Thanks for your help!
Pedro Felix