Channel: Application Request Routing (ARR)

ARR and WCF Load balancing and Kerberos delegation


Please, can somebody help me to solve the problem with WCF, Load Balancing using ARR and multihop Delegation?

I need to achieve:

- WCF client calls the service on server1 (SVC1) via Application Request Routing (ARR) and delegates the Kerberos identity of the client, then server1 (SVC1) calls service2 (SVC2) on server2 via ARR and delegates the identity of the client,

- Use wsHttpBinding, Message security mode,

- Setting for WCF delegation (1 roundtrip, 2 requests in total for each WCF call) (I mean setting - establishSecurityContext = "false" and negotiateServiceCredential = "true"),

- Setting the ARR Load Balance Weighted round robin algorithm (or any that will evenly distribute requests)

- Setting the Client Affinity on ARR (or not, if the negotiation roundtrip does not need it)

The problem with this configuration is that the Kerberos negotiation is divided between the two ARR servers (I have 2 servers in the farm) - the call fails. We found out that ARR, for the first request of the Kerberos negotiation, always returns to the client the cookie for the next server in the ARR server farm. When I browse this service (SVC1) using Internet Explorer, ARR directs the request to the same server in the ARR farm as in the first browse. After closing and reopening IE and browsing the service, the LB algorithm is applied and ARR routes the request to the next server in the farm - works OK.

Thanks for help.

Rasto

Configuration: Client - call Server1SVC1 - SVC1 call Server2SVC2   

Client configuration:

<bindings>
  <wsHttpBinding>
    <binding name="WSHttpBinding_IService2A" allowCookies="true">
      <reliableSession enabled="false" />
      <security mode="Message">
        <message clientCredentialType="Windows"
                 establishSecurityContext="false"
                 negotiateServiceCredential="true" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
<behaviors>
  <endpointBehaviors>
    <behavior name="B1">
      <clientCredentials>
        <windows allowNtlm="false" allowedImpersonationLevel="Delegation" />
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
<client>
  <endpoint name="WSHttpBinding_IService2A"
            address="http://arr1.test.domain.com/arrtestservice2a/service2a.svc"
            binding="wsHttpBinding"
            behaviorConfiguration="B1"
            bindingConfiguration="WSHttpBinding_IService2A"
            contract="Service2A.IService2A">
    <identity>
      <servicePrincipalName value="acmeservice/testdomain" />
    </identity>
  </endpoint>
</client>

Server1 SVC1 configuration:

<bindings>
  <wsHttpBinding>
    <binding name="WSHttpBinding_IService2A" allowCookies="true">
      <reliableSession enabled="false" />
      <security mode="Message">
        <message clientCredentialType="Windows"
                 establishSecurityContext="false"
                 negotiateServiceCredential="true" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
<behaviors>
  <endpointBehaviors>
    <behavior name="B1">
      <clientCredentials>
        <windows allowNtlm="false" allowedImpersonationLevel="Delegation" />
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
<client>
  <endpoint name="WSHttpBinding_IService2A"
            address="http://arr1.test.domain.com/arrtestservice2a/service2a.svc"
            binding="wsHttpBinding"
            behaviorConfiguration="B1"
            bindingConfiguration="WSHttpBinding_IService2A"
            contract="Service2A.IService2A">
    <identity>
      <servicePrincipalName value="acmeservice/testdomain" />
    </identity>
  </endpoint>
</client>

Server2 SVC2 configuration:

<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <behavior>
        <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="true" />
        <serviceAuthorization impersonateCallerForAllOperations="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <bindings>
    <wsHttpBinding>
      <binding name="WSHttpBinding_IService2X">
        <reliableSession enabled="false" />
        <security mode="Message">
          <message clientCredentialType="Windows"
                   establishSecurityContext="false"
                   negotiateServiceCredential="true" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <service name="ARRTestService2B.Service2B">
      <endpoint address=""
                listenUri=""
                binding="wsHttpBinding"
                bindingConfiguration="WSHttpBinding_IService2X"
                contract="ARRTestService2B.IService2B">
        <identity>
          <servicePrincipalName value="acmeservice/testdomain" />
        </identity>
      </endpoint>
    </service>
  </services>
</system.serviceModel>
 
