Kerberos Delegation using Csla and WCF NetTCPBinding required change to Csla

Old forum URL: forums.lhotka.net/forums/t/7480.aspx


MikeDouglasDev posted on Wednesday, August 19, 2009

Hi,

I am setting up Csla to use Wcf. I am hosting the Wcf service in a Windows service so I can use NetTCPBinding. I also want to use Kerberos delegation to delegate the client's credentials to the database server (2 hops). I successfully got it working, but I had to make a change to the methods in the WcfPortal to allow for Impersonation. I had to add this attribute to the 4 methods:

[OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
public WcfResponse Create(CreateRequest request)

Before I made the change, I would get this error when the host was trying to Open.

The service operation 'Create' that belongs to the contract with the 'IWcfPortal' name and the 'http://ws.lhotka.net/WcfDataPortal' namespace does not allow impersonation.

I thought I read that the impersonateCallerForAllOperation="true" attribute in the serviceAuthorization behavior element would override the methods but it didn't work.


Has anyone been able to get this to work without recompiling Csla?

I also tried subclassing the WcfPortal but I got this error, plus it seems like it is more to maintain than simply adding the attributes.

Service 'ImpersonateWcfPortal' has zero application (non-infrastructure) endpoints. This might be because no configuration file was found for your application, or because no service element matching the service name could be found in the configuration file, or because no endpoints were defined in the service element.

Thanks,

Mike

http://www.CodeSmartNotHard.com

MikeDouglasDev replied on Wednesday, August 19, 2009

I figured out the error when I subclassed the WcfPortal class. I forgot to change the service name in the config file.
service name="BO.ImpersonateWcfPortal"

instead of
service name="Csla.Server.Hosts.WcfPortal"

Unless someone else has another idea, I think we are going to do the subclass option. Even though it is more code, it should keep the upgrades easier.

Thanks,
Mike
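
On the question of avoiding a recompile: WCF exposes each operation's OperationBehaviorAttribute on the host's service description, so the impersonation setting can be changed from the hosting code before Open(). The following is an added example, not part of the original posts and not Csla code; IDemoPortal, DemoPortal, ImpersonationSetup and the net.tcp address are constructed stand-ins, and in the thread's setup the host type would be Csla.Server.Hosts.WcfPortal.

```csharp
// Added example, not Csla code. IDemoPortal/DemoPortal are constructed stand-ins for
// IWcfPortal/WcfPortal so the file compiles alone (.NET Framework, System.ServiceModel).
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

[ServiceContract]
public interface IDemoPortal
{
    [OperationContract] string Create(string request);
    [OperationContract] string Fetch(string request);
}

public class DemoPortal : IDemoPortal
{
    // No [OperationBehavior] attribute here, as on the unmodified portal methods.
    public string Create(string request) { return request; }
    public string Fetch(string request) { return request; }
}

public static class ImpersonationSetup
{
    // Call after the endpoints exist and before host.Open().
    // Returns the number of operations switched from NotAllowed to Allowed.
    public static int AllowImpersonation(ServiceHostBase host)
    {
        int changed = 0;
        foreach (ServiceEndpoint endpoint in host.Description.Endpoints)
            foreach (OperationDescription op in endpoint.Contract.Operations)
            {
                var behavior = op.Behaviors.Find<OperationBehaviorAttribute>();
                if (behavior == null)
                    op.Behaviors.Add(behavior = new OperationBehaviorAttribute());
                if (behavior.Impersonation == ImpersonationOption.NotAllowed)
                {
                    behavior.Impersonation = ImpersonationOption.Allowed;
                    changed++;
                }
            }
        return changed;
    }

    public static void Main()
    {
        // Constructed address; the host is described but never opened here.
        var host = new ServiceHost(typeof(DemoPortal), new Uri("net.tcp://localhost:8523/demo"));
        host.AddServiceEndpoint(typeof(IDemoPortal), new NetTcpBinding(), "");
        Console.WriteLine("operations changed: " + AllowImpersonation(host));
    }
}
```

Allowed only permits impersonation. The second hop to the database still depends on the client granting a Delegation-level token and on the service account being trusted for delegation in Active Directory.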

Copyright (c) Marimer LLC