0

I have a WCF service that checks if a directory exists with the Directory.Exists method (this directory is located on a network server). After that it does some random stuff. This service uses client impersonation. I've tested it, and with WindowsIdentity.GetCurrent().Name it shows the right user name. My client application is a simple console application.

So my problem is that when I call the service that runs on Computer A from Computer A, using credentials A, it works. If I call it from Computer B with credentials A or B (or any other for that matter), it doesn't work anymore. Directory.Exists returns false. But both user A and user B have all the permissions to access/modify this directory.

Please note that the directory is located on Computer C. For debugging reasons I return the current user identity name and it's always the one that it should be. Obviously these credentials for Directory.Exists are not passed on as they should be if the client application is located on the same computer as the service is.

Any help or idea is most welcome.

MaticDiba

2 Answers

1

Your expectation that credentials should be passed over a second "hop" is wrong - a server can't pass impersonation to yet another server using regular Windows authentication.

Why you see A->A->C working - your credentials are not leaving the box where you originally signed in (A), and you still have one "hop" to C to check the file system there.

The A->B->C case does not work because the "hop" is used up for impersonation on B during the A->B part, and hence for B->C your credentials can no longer be used.

Common fixes:

Further reading - search for "NTLM one-hop" or "double-hop authentication in Windows" to find articles like http://blogs.msdn.com/b/knowledgecast/archive/2007/01/31/the-double-hop-problem.aspx

Community
Alexei Levenkov
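A diagnostic for the situation in this thread, as an added example that is not part of the original posts: it reports the impersonated token's authentication type and impersonation level next to the `Directory.Exists` result, because the user name alone looks correct whether or not the token can be used for a second hop. The names `IShareProbe`, `ShareProbe` and `Probe` are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IShareProbe   // hypothetical contract name
{
    [OperationContract]
    string Probe(string uncPath);
}

public class ShareProbe : IShareProbe   // hypothetical service class
{
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string Probe(string uncPath)
    {
        // Under impersonation this is the caller's token, not the service account's.
        WindowsIdentity caller = WindowsIdentity.GetCurrent();

        // Name is populated for any authenticated caller, so it says nothing
        // about whether the token can authenticate to another machine.
        string report = "name=" + caller.Name
            + " auth=" + caller.AuthenticationType     // e.g. NTLM or Kerberos
            + " level=" + caller.ImpersonationLevel;   // Impersonation or Delegation

        // For a caller on another machine, only a Delegation-level token
        // can be used to authenticate onward to a third machine.
        bool delegable =
            caller.ImpersonationLevel == TokenImpersonationLevel.Delegation;

        // Directory.Exists returns false on access failures as well as on
        // missing paths, so a false result needs the token details beside it.
        bool exists = Directory.Exists(uncPath);
        report += " exists=" + exists;
        if (!exists && !delegable)
        {
            report += " (token is not delegable: likely an access failure"
                    + " on the second hop, not a missing directory)";
        }
        return report;
    }
}
```

Comparing the output for a local caller and a remote caller shows the difference the answer describes: the name matches in both cases, while the authentication type and impersonation level show whether the token can be used off the service's machine.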
0

Then you can follow this (it's probably a Kerberos issue):

http://blogs.msdn.com/b/distributedworld/archive/2012/04/24/troubleshoot-kerberos-in-wcf.aspx

It's maybe a little bit old, but I remember having the same issue in the past.

David C