WCF and Kerberos

Rob Vettor
      11-13-2007
I have a question concerning WCF and Kerberos security.

We are on-site for a large customer architecting a service-based solution
that will implement WCF.

The customer is a large hotel chain that desires a back-office solution that
can run in stand-alone mode at each hotel property. These properties
normally connect to a centralized data center, which houses the Active
Directory servers, but 100% connectivity cannot be guaranteed.

We are considering proposing a SmartClient solution with a local database
and application server (for services) at each property. We would like to
implement our service layer using WCF with WSHttpBinding with a
clientCredentialType of "Windows" so that we can leverage Kerberos security.

Question: When a hotel is not connected to the centralized data center, can
we depend on the credential caches in the local clients and servers to
support Kerberos authentication for our services?

Chris Mullins [MVP - C#]
      11-13-2007
Adding in a Global Catalog Server to each remote location may well be your
best bet. I know that's the route we've gone - each remote site has its own
Global Catalog Server so that auth can take place locally, even if the
network link goes down. We maintain a hardware VPN tunnel (in a hub-spoke
model) between all the remote sites and our main location.

I don't think you can do Kerberos unless you can hit a KDC (which for us is
typically also a Global Catalog Server). You could fallback from Kerberos to
do NTLM in many cases, but that's nowhere near as secure as the Kerberos
mechanism. If you're talking about credential caching, I believe you're
automatically talking about NTLM authentication.

The "real" answer looks like it's found at:
http://support.microsoft.com/kb/216970

"If a GC server cannot be located by the domain controller during this
process:" ... "If cached credentials exist for the user on the local
computer, the user is logged on with those credentials. Access to network
resources must be validated on an individual basis. If the client uses
Kerberos to use a server's resources, the KDC must be contacted to get a
ticket for the server, or if NTLM is used, pass-through authentication is
required."

With that said, the security infrastructure around AD is not my specialty. I
know just enough to be dangerous, and not enough to be considered an
authoritative source...

Warning: Technobabble ahead. Accuracy not guaranteed. I'm not an expert, but
I play one on the Internet.

As a quick aside, I don't believe just putting "Windows" as the model in
wsHttpBinding is enough to ensure Kerberos authentication. This will use
the "Negotiate" mechanism of SSPI. In most circumstances this will try
Kerberos first, and if that fails, will fall back to NTLM auth. The exact
order of what happens, and what protocols are used, is going to depend on how
your Active Directory is configured. There is tons of material on this
available on the Web. Look up keywords around SSPI, Negotiate, Kerberos,
Active Directory, WCF, and NTLM.

--
Chris Mullins
