WCF and Kerberos


Rob Vettor

Have question concerning WCF and Kerberos Security.

We are on-site for a large customer architecting a service-based solution
that will implement WCF.

The customer is a large hotel chain that desires a back-office solution that
can run in stand-alone mode at each hotel property. These properties
normally connect to a centralized data center, which houses the Active
Directory servers, but 100% connectivity cannot be guaranteed.

We are considering proposing a SmartClient solution with a local database
and application server (for services) at each property. We would like to
implement our service layer using WCF with WSHttpBinding with a
clientCredentialType of "Windows" so that we can leverage Kerberos security.

Question: When a hotel is not connected to the centralized data center, can
we depend on the credential caches in the local clients and servers to
support Kerberos authentication for our services?
 

Chris Mullins [MVP - C#]

Adding in a Global Catalog Server to each remote location may well be your
best bet. I know that's the route we've gone - each remote site has its own
Global Catalog Server so that auth can take place locally, even if the
network link goes down. We maintain a hardware VPN tunnel (in a hub-spoke
model) between all the remote sites and our main location.

I don't think you can do Kerberos unless you can hit a KDC (which for us is
typically also a Global Catalog Server). You could fallback from Kerberos to
do NTLM in many cases, but that's nowhere near as secure as the Kerberos
mechanism. If you're talking about credential caching, I believe you're
automatically talking about NTLM authentication.

The "real" answer looks like it's found at:
http://support.microsoft.com/kb/216970

"If a GC server cannot be located by the domain controller during this
process:" ... "If cached credentials exist for the user on the local
computer, the user is logged on with those credentials. Access to network
resources must be validated on an individual basis. If the client uses
Kerberos to use a server's resources, the KDC must be contacted to get a
ticket for the server, or if NTLM is used, pass-through authentication is
required."

With that said, the security infrastructure around AD is not my specialty. I
know just enough to be dangerous, and not enough to be considered an
authoritative source...

Warning: Technobabble ahead. Accuracy not guaranteed. I'm not an expert, but
I play one on the Internet.

As a quick aside, I don't believe just putting "Windows" as the model in
wsHttpBinding is enough to ensure Kerberos authentication. This will use
the "Negotiate" mechanism of SSPI. In most circumstances this will try
Kerberos first, and if that fails, will fall back to NTLM auth. The exact
order of what happens, and what protocols are used is going to depend on how
your Active Directory is configured. There is tons of material on this
available on the Web. Look up keywords around SSPI, Negotiate, Kerberos,
Active Directory, WCF, and NTLM.
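As an added example (not code from either poster), the C# below puts the wsHttpBinding setup from Rob's question (clientCredentialType "Windows", which, as Chris's aside says, means SSPI Negotiate with possible NTLM fallback) next to a Kerberos-only variant, and adds a service-side check that records which package actually authenticated the caller. Setting NegotiateServiceCredential to false makes WCF use a Kerberos token directly, which requires the client to name the service's SPN and a reachable KDC; this matches the KB text quoted above, so an offline property fails closed instead of silently dropping to NTLM. The contract, host names and SPN are assumptions invented for the example.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example; the contract and all names below are assumptions, not the thread's code.
[ServiceContract]
public interface IFolioService
{
    [OperationContract]
    string WhoAuthenticatedMe();
}

public class FolioService : IFolioService
{
    // Server-side check: report which SSPI package really authenticated the caller.
    // Negotiate can fall back to NTLM without the client noticing; logging this
    // value is how you detect that in production.
    public string WhoAuthenticatedMe()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        return caller.Name + " via " + caller.AuthenticationType; // "Kerberos" or "NTLM"
    }
}

public static class Bindings
{
    // The setup from the question: Windows credentials, defaults otherwise.
    // This yields SPNEGO (Negotiate): Kerberos first, NTLM if that fails.
    public static WSHttpBinding NegotiateBinding()
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        // Defaults left in place: NegotiateServiceCredential = true,
        // EstablishSecurityContext = true.
        return b;
    }

    // Kerberos-only variant: no service-credential negotiation, so WCF uses a
    // Kerberos token directly. The client must supply the service SPN and must
    // be able to reach a KDC; there is no NTLM fallback.
    public static WSHttpBinding KerberosOnlyBinding()
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        b.Security.Message.NegotiateServiceCredential = false;
        b.Security.Message.EstablishSecurityContext = false;
        return b;
    }
}

public static class Program
{
    public static void Main()
    {
        // Assumed values: the property's local app server and its SPN.
        var serviceUri = new Uri("http://appserver.property01.example:8000/folio");
        EndpointIdentity spn =
            EndpointIdentity.CreateSpnIdentity("host/appserver.property01.example");

        using (var host = new ServiceHost(typeof(FolioService), serviceUri))
        {
            host.AddServiceEndpoint(typeof(IFolioService), Bindings.KerberosOnlyBinding(), "");
            host.Open();

            var factory = new ChannelFactory<IFolioService>(
                Bindings.KerberosOnlyBinding(),
                new EndpointAddress(serviceUri, spn));
            IFolioService proxy = factory.CreateChannel();
            try
            {
                Console.WriteLine(proxy.WhoAuthenticatedMe());
            }
            catch (SecurityNegotiationException ex)
            {
                // Raised when no Kerberos ticket can be obtained, e.g. when the
                // KDC at the data centre is unreachable from the property.
                Console.WriteLine("Kerberos authentication failed: " + ex.Message);
            }
            finally
            {
                factory.Close();
            }
        }
    }
}
```

Swap `KerberosOnlyBinding()` for `NegotiateBinding()` on both sides to reproduce the original setup; the return value of `WhoAuthenticatedMe` then shows whether the call landed on Kerberos or NTLM, which is the observation to make before deciding whether cached credentials at a disconnected property are acceptable.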