This package will add a Wcf client interceptor which will injects kerberos ticket for egress requests. This should be used together with the supply buildpack to make it fully functional
- Add the supply buildpack from here in the CF manifest (preferably the latest release).
IMPORTANT: Make sure the application is built/published with target platform
x64
- Follow the readme to setup the sources for kerberos config and keytab files For kerberos config template, please here
- Set the correct client UPN in AppSettings with key
ClientUserPrincipalName
as below (this section will be already added by the package)
<appSettings>
<add key="ClientUserPrincipalName" value="client_username@domain" />
</appSettings>
- Set
ImpersonateClientUser
totrue
if you need to impersonate the svc user with the client user account (this section will be already added by the package, default isfalse
)
<appSettings>
<add key="ImpersonateClientUser" value="false" />
</appSettings>
- Target service UPN has to be provided in the client/endpoint/identity configuration as in the sample below. If not, system will try to use the SPN
host/foo.bar
(based on the below sample)
<system.serviceModel>
<client>
<endpoint address="http://foo.bar/myservice.svc"
binding="basicHttpBinding"
bindingConfiguration="BasicHttpBinding"
contract="MyService.IService"
name="BasicHttpBinding_IService"
behaviorConfiguration ="myIwaInterceptorBehavior">
<identity>
<userPrincipalName value="target_user@domain" />
</identity>
</endpoint>
</client>
</system.serviceModel>
- To see debug logs, please set the log level to
Debug
orTrace
, via environment variablePivotalIwaWcfClientInterceptor:LogLevel:Default
- Stable versions are available at www.nuget.org, nuget feed
- The dev/alpha packages are available at www.myget.org, myget feed
- The packages are still in beta version as it still depends on a beta version of GssKerberos package.