
I am using WCF (Windows Service self-host) netTCP between a service and a client. This is what the custom binding looks like:

<binding name="netTcpWindowMessageSecurity" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="infinite" sendTimeout="01:00:00" transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions" hostNameComparisonMode="StrongWildcard" listenBacklog="1000" maxBufferPoolSize="2147483647" maxBufferSize="2147483647" maxConnections="200" maxReceivedMessageSize="2147483647">
  <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
  <reliableSession ordered="true" inactivityTimeout="infinite" enabled="false" />
  <security mode="Message">
    <message clientCredentialType="Windows" />
  </security>
</binding>

The only thing I really do is map the current (logged-in) Windows user (on the client) to the users in my service.

I understand that the communication will be encrypted between service and client BUT will Kerberos be used? How do I know? What decides if it is used?

Edit:

I can see this in my Event Log > Security

Logon Type:         5

Impersonation Level:        Impersonation

New Logon:
    Security ID:        SYSTEM
    Account Name:       SYSTEM
    Account Domain:     NT AUTHORITY
    Logon ID:       0x3E7
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:     0x310
    Process Name:       C:\Windows\System32\services.exe

Network Information:
    Workstation Name:   
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      Advapi  
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0
  • First, inactivityTimeout="infinite" does NOT do what you think it does. Second, no, your data is not being encrypted and I'm not sure why you think it is. Third, Kerberos is not involved at all, as your security log shows, it's using NTLM (Lan Manager) authentication. – Erik Funkenbusch Feb 04 '15 at 16:53
  • @ErikFunkenbusch from what I read the inactivityTimeout is how long a connection can be inactive until it is dropped? I do however have a keepAlive. From what I can see the security is turned on at the transport layer and the credentials that will be used are Windows. From what I read this means that the data will be encrypted? Can you please point me to where this is explained the way you suggest? – Banshee Feb 05 '15 at 07:40
  • @ErikFunkenbusch besides, there is nothing that says that NTLM is used, there is a Package Name but it states NTLM only and there is no information? – Banshee Feb 05 '15 at 07:40
  • I can't point you to something that doesn't exist. Security is related to authentication, not encryption of your data. I can't point you to something that says it's NOT something that would be illogical to assume, because nobody would write documentation that says that. Rather, what documentation do you have that suggests this encrypts your data? And no, inactivityTimeout is much more complex than you think it is... See http://stackoverflow.com/questions/26732515/keepalive-with-wcf-and-tcp/26739739#26739739 – Erik Funkenbusch Feb 05 '15 at 15:07
  • Sorry, you are correct, how could I forget that answer! Was about to remove the ping function but never got the time. – Banshee Feb 05 '15 at 18:16
  • I have read a couple of articles now and it's not really clear what communication will be protected? It states that Transport and Windows is a security setting. How should I set it to encrypt all data and use Kerberos? From what I have found I need to set the security mode to Transport and then set the protectionLevel to EncryptAndSign, this will encrypt data according to this article : http://www.codeproject.com/Articles/314327/Implement-windows-authentication-and-security-in-W is that correct? ClientCredentialType would be set to Windows as before. – Banshee Feb 05 '15 at 18:21
  • That's if you're using standard netTcp binding. You said you were using a custom binding. – Erik Funkenbusch Feb 05 '15 at 20:52
  • @ErikFunkenbusch, Aha, the netTcpBinding I'm using is the one in my post, I call it custom because I change some values from the default. But it's really a regular netTcpBinding. So if I make the changes I wrote about in my last post, would all the data be encrypted with Kerberos without any more work? – Banshee Feb 06 '15 at 09:52
  • In that case, yes, if you specify EncryptAndSign then transport security will kick in. But you must do it on both sides, and both sides must be using a domain account. Kerberos, however, is a different story. Kerberos is not used for encryption, it's used for authentication. This might help http://blogs.msdn.com/b/tiche/archive/2011/07/13/wcf-on-intranet-with-windows-authentication-kerberos-or-ntlm-part-1.aspx – Erik Funkenbusch Feb 06 '15 at 18:55

1 Answer

By following Erik Funkenbusch's recommendation I got the communication to be secured. This is what I had to change:

<security mode="Transport">
  <transport protectionLevel="EncryptAndSign" clientCredentialType="Windows"></transport>
</security>
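The same Transport/EncryptAndSign binding built in code, plus a service operation that reports which Windows account the caller was authenticated as and which package (Kerberos or NTLM) did it, which is the check the question asks for. This is an added example, not code from the question or answer; the contract name, service name and address are constructed for the illustration, and the client is assumed to run as a domain account.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;

// Hypothetical contract used only to surface the caller's security context.
[ServiceContract]
public interface IWhoAmI
{
    [OperationContract]
    string WhoAmI();
}

public class WhoAmIService : IWhoAmI
{
    // WindowsIdentity.AuthenticationType names the package that actually
    // authenticated the caller, e.g. "Kerberos" or "NTLM", regardless of
    // Negotiate having been offered on the wire.
    public string WhoAmI()
    {
        var id = ServiceSecurityContext.Current.WindowsIdentity;
        return id.Name + " via " + id.AuthenticationType;
    }
}

public static class SecureTcpBinding
{
    // Programmatic equivalent of <security mode="Transport"> with
    // protectionLevel="EncryptAndSign" and clientCredentialType="Windows".
    // The client must be built with an identical binding, or the channel fails to open.
    public static NetTcpBinding Create()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        return binding;
    }
}

class Program
{
    static void Main()
    {
        var address = new Uri("net.tcp://localhost:9000/whoami"); // constructed sample address
        using (var host = new ServiceHost(typeof(WhoAmIService), address))
        {
            host.AddServiceEndpoint(typeof(IWhoAmI), SecureTcpBinding.Create(), "");
            host.Open();
            var factory = new ChannelFactory<IWhoAmI>(SecureTcpBinding.Create(), new EndpointAddress(address));
            Console.WriteLine(factory.CreateChannel().WhoAmI());
        }
    }
}
```

If the returned string ends in "NTLM", Kerberos was not negotiated for that call even though the data was still encrypted and signed by the transport.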