JDPeckham

Hosted in IIS right now; directory security is set to anonymous and everything else is unchecked. My service methods all have impersonate.required attributes and principlePermission(securityaction.required,role="mydomain\domain users") on them.

However, I keep getting a security exception and it faults out. Here is my web.config serviceModel info.

<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="wsHttpBindingConfig">
        <security mode="Message">
          <transport clientCredentialType="Windows" proxyCredentialType="Windows" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="MetaDataBehavior">
        <serviceMetadata httpGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="true" />
        <serviceAuthorization impersonateCallerForAllOperations="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service behaviorConfiguration="MetaDataBehavior" name="SRG.Services.StarSearcher.ServiceImplementation.ServiceImplementation">
      <endpoint address="http://srco1514/services/starsearcher/starsearcher.svc"
                binding="wsHttpBinding" bindingConfiguration="wsHttpBindingConfig"
                name="wsHttpStarSearcher" contract="SRG.Services.StarSearcher.ServiceContracts.IStarSearcherService" />
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
</system.serviceModel>
</configuration>

I generated a service reference using the VS2005 extensions, and here's the code I'm executing against the service.

StarSearcherServiceClient service = new StarSearcherServiceClient();
Console.WriteLine("Logging in for {0} enter to continue", service.ClientCredentials.UserName.UserName);
Console.ReadKey();
GetCodesByTypeRequest request = new GetCodesByTypeRequest();
request.CodeType = "SK";
request.OfficeCode = 123456789;
GetCodesByTypeResponse response = service.GetCodesByType(request);

It always has a blank user name in the output and never seems to pick up my domain user account as the principal. I'm running the client as a console application under my user account.




Re: Windows Communication Foundation (Indigo) tried making a new service with 1 method that simply calls and gets a string from the sql database

Todd West

Can you share the service side exception as well as the fault the client gets Please include complete information, including the stack.

In the meantime, to clarify, wsHttpBinding/security@mode=Message means the contents of wsHttpBinding/security/transport are ignored. You want wsHttpBinding/security/message. What you're specifying in <transport> is the default for <message> so it doesn't matter in this particular case.

Windows credentials are specified on ChannelFactory.ClientCredentials.Windows. Not UserName. If no Windows credentials are specified the current thread identity when GetCodesByType() is called is used as the client identity.
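As an added illustration of the two points above (Message mode ignores the <transport> element, and Windows credentials sit under Credentials.Windows and default to the calling thread's identity), here is a client built with ChannelFactory instead of a generated proxy, so the binding and credential settings are visible in code. This is example code, not from the thread or the project: the contract with its WhoAmI diagnostic operation, the SPN host/srco1514 and the resourceIsRemote switch are assumptions.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical contract for the example; WhoAmI is assumed to echo the identity the service saw.
[ServiceContract]
public interface IStarSearcherService
{
    [OperationContract]
    string WhoAmI();
}

public static class WindowsAuthClient
{
    public static WSHttpBinding CreateBinding()
    {
        // SecurityMode.Message: the credential travels inside the SOAP message, so
        // binding.Security.Transport is ignored. The Windows credential type therefore
        // belongs on Security.Message, not on Security.Transport as in the posted config.
        WSHttpBinding binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        binding.Security.Message.NegotiateServiceCredential = true;
        return binding;
    }

    public static ChannelFactory<IStarSearcherService> CreateFactory(Uri address, bool resourceIsRemote)
    {
        // Windows message security needs the service's SPN (or UPN) so Kerberos can issue a
        // ticket for it; "host/srco1514" is an assumed value, taken from the posted endpoint URL.
        EndpointAddress endpoint = new EndpointAddress(address, EndpointIdentity.CreateSpnIdentity("host/srco1514"));
        ChannelFactory<IStarSearcherService> factory =
            new ChannelFactory<IStarSearcherService>(CreateBinding(), endpoint);

        // Windows credentials live under Credentials.Windows, not Credentials.UserName.
        // DefaultNetworkCredentials sends the identity of the thread that makes the call;
        // an explicit NetworkCredential would override it and should never be hard-coded.
        factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;

        // How far the service may go with our token. Identification (WCF's default) lets the
        // service learn who we are but not act as us; Impersonation is enough when the
        // resource it opens is on the service host itself; Delegation is needed when the
        // service must hop to another machine (SQL Server, a UNC share) as the caller.
        factory.Credentials.Windows.AllowedImpersonationLevel =
            resourceIsRemote ? TokenImpersonationLevel.Delegation : TokenImpersonationLevel.Impersonation;

        // Credential settings must be complete before the first CreateChannel().
        return factory;
    }

    public static string CallWhoAmI(ChannelFactory<IStarSearcherService> factory)
    {
        IStarSearcherService channel = factory.CreateChannel();
        try
        {
            return channel.WhoAmI();
        }
        finally
        {
            // A faulted channel cannot be closed cleanly; abort it instead of leaking it.
            IClientChannel client = (IClientChannel)channel;
            if (client.State == CommunicationState.Faulted) client.Abort(); else client.Close();
        }
    }
}
```

Usage: CallWhoAmI(CreateFactory(new Uri("http://srco1514/services/starsearcher/starsearcher.svc"), false)) should return the caller's domain account name; an empty or anonymous result points at the binding or the credential type rather than at the service's authorization attributes.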





Re: Windows Communication Foundation (Indigo) tried making a new service with 1 method that simply calls and gets a string from the sql database

JDPeckham

OK, I changed the code in the client to:

try
{
    ServiceClient service = new ServiceClient("bindingName");
    service.ClientCredentials.Windows.ClientCredential = new System.Net.NetworkCredential("jpeckham", "pwd", "domain");
    // I ALSO tried service.ClientCredentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultNetworkCredentials; which didn't work either
    Console.WriteLine("Logging in for {0} enter to continue", service.ClientCredentials.Windows.ClientCredential.UserName);
    Console.ReadKey();
    Code[] CodesMissing;
    Code[] CodesToWork;
    service.GetCodesByType("AA", 123456789, out CodesMissing, out CodesToWork);
    .....

Logging in for jpeckham enter to continue
System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.

Server stack trace:
   at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)
   at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at SRG.Services.StarSearcher.ConsoleClient.localhost.IStarSearcherService.GetCodesByType(GetCodesByTypeRequest request)
   at SRG.Services.StarSearcher.ConsoleClient.localhost.StarSearcherServiceClient.SRG.Services.StarSearcher.ConsoleClient.localhost.IStarSearcherService.GetCodesByType(GetCodesByTypeRequest request) in C:\projects\SRG.Services.StarSearcher WCF\Testing\SRG.Services.StarSearcher.ConsoleClient\Service References\localhost.cs:line 1695
   at SRG.Services.StarSearcher.ConsoleClient.localhost.StarSearcherServiceClient.GetCodesByType(String CodeType, UInt32 OfficeCode, StarSearcherCode[]& MasterCodesThatAreMissingInWorld, StarSearcherCode[]& UnconsolidatedCodes) in C:\projects\SRG.Services.StarSearcher WCF\Testing\SRG.Services.StarSearcher.ConsoleClient\Service References\localhost.cs:line 1703
   at SRG.Services.StarSearcher.ConsoleClient.Program.Main(String[] args) in C:\projects\SRG.Services.StarSearcher WCF\Testing\SRG.Services.StarSearcher.ConsoleClient\Program.cs:line 24

Pretty standard permission attribute failure, not much to see there; it just fails to get access because it's not seeing it as me. So it IS impersonating something, but it's not impersonating the credentials I'm sending it, which is the problem.






Re: Windows Communication Foundation (Indigo) tried making a new service with 1 method that simply calls and gets a string from the sql database

JDPeckham

 

I ran the web service factory to create a new service that works 100% when I self-host it, but when I host it in IIS and try to impersonate the client (which is a Windows client that should be me), it won't work. Here's all of the pertinent code and exceptions:

try
{
    PayBillServiceClient proxy = new PayBillServiceClient();
    proxy.ClientCredentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultNetworkCredentials;
    string result = proxy.GetFolderNameByOfficeCode(SearchText.Text);
    MessageBox.Show(result);
}
catch (Exception error)
{
    MessageBox.Show(error.ToString());
    System.Diagnostics.Debug.WriteLine(error.ToString());
}

// the service
[OperationBehavior(Impersonation=ImpersonationOption.Required)]
[PrincipalPermission(SecurityAction.Demand,Name="domain\\jpeckham")]
public GetFolderNameByOfficeCodeResponse GetFolderNameByOfficeCode(GetFolderNameByOfficeCodeRequest request)
{
    GetFolderNameByOfficeCodeLogic bll = new GetFolderNameByOfficeCodeLogic();
    string result = bll.GetFolderNameByOfficeCode(request.OfficeCode);
    GetFolderNameByOfficeCodeResponse response = new GetFolderNameByOfficeCodeResponse();
    response.FolderName = result;
    return response;
}

// the client main function where I specify the Windows principal and output the identity to debug.
[STAThread]
static void Main()
{
    AppDomain.CurrentDomain.SetPrincipalPolicy(System.Security.Principal.PrincipalPolicy.WindowsPrincipal);
    System.Security.Principal.WindowsIdentity ident =
        (System.Security.Principal.WindowsIdentity)System.Threading.Thread.CurrentPrincipal.Identity;
    System.Diagnostics.Debug.WriteLine(string.Format("RUNNING AS: {0}", ident.Name));
    Application.EnableVisualStyles();
    Application.Run(new MainForm());
}

// here's the debug output

'Srg.Services.PayBill.Client.vshost.exe' (Managed): Loaded 'C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll', Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.

'Srg.Services.PayBill.Client.vshost.exe' (Managed): Loaded 'C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualStudio.HostingProcess.Utilities\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.HostingProcess.Utilities.dll', Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.

'Srg.Services.PayBill.Client.vshost.exe' (Managed): Loaded 'C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll', Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.

'Srg.Services.PayBill.Client.vshost.exe' (Managed): Loaded 'C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll', Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.

'Srg.Services.PayBill.Client.vshost.exe' (Managed): Loaded 'C:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll', Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.

'Srg.Services.PayBill.Client.vshost.exe' (Managed): Loaded 'C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualStudio.HostingProcess.Utilities.Sync\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.HostingProcess.Utilities.Sync.dll', Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.

'Srg.Services.PayBill.Client.vshost.exe' (Managed): Loaded 'C:\projects\PayBillCommon\Tests\Srg.Services.PayBill.Client\bin\Debug\Srg.Services.PayBill.Client.vshost.exe', Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.

'Srg.Services.PayBill.Client.vshost.exe' (Managed): Loaded 'C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll', Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.

'Srg.Services.PayBill.Client.vshost.exe' (Managed): Loaded 'C:\WINDOWS\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll', Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.

'Srg.Services.PayBill.Client.vshost.exe' (Managed): Loaded 'C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll', Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.

'Srg.Services.PayBill.Client.vshost.exe' (Managed): Loaded 'C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Serialization\3.0.0.0__b77a5c561934e089\System.Runtime.Serialization.dll', Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.

'Srg.Services.PayBill.Client.vshost.exe' (Managed): Loaded 'C:\WINDOWS\assembly\GAC_MSIL\System.ServiceModel\3.0.0.0__b77a5c561934e089\System.ServiceModel.dll', Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.

The thread 0xdb8 has exited with code 0 (0x0).

The thread 0x958 has exited with code 0 (0x0).

'Srg.Services.PayBill.Client.vshost.exe' (Managed): Loaded 'C:\projects\PayBillCommon\Tests\Srg.Services.PayBill.Client\bin\Debug\Srg.Services.PayBill.Client.exe', Symbols loaded.

'Srg.Services.PayBill.Client.vshost.exe' (Managed): Loaded 'C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll', Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.

RUNNING AS: SRG\jpeckham

'Srg.Services.PayBill.Client.vshost.exe' (Managed): Loaded 'C:\WINDOWS\assembly\GAC_MSIL\SMDiagnostics\3.0.0.0__b77a5c561934e089\SMDiagnostics.dll', Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.

'Srg.Services.PayBill.Client.vshost.exe' (Managed): Loaded 'C:\WINDOWS\assembly\GAC_MSIL\System.IdentityModel\3.0.0.0__b77a5c561934e089\System.IdentityModel.dll', Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.

'Srg.Services.PayBill.Client.vshost.exe' (Managed): Loaded 'C:\WINDOWS\assembly\GAC_MSIL\System.IdentityModel.Selectors\3.0.0.0__b77a5c561934e089\System.IdentityModel.Selectors.dll', Skipped loading symbols. Module is optimized and the debugger option 'Just My Code' is enabled.

A first chance exception of type 'System.ServiceModel.FaultException`1' occurred in mscorlib.dll

System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: The type initializer for 'System.Data.SqlClient.SqlConnection' threw an exception. (Fault Detail is equal to An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is:

System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlConnection' threw an exception. ----> System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlConnectionFactory' threw an exception. ----> System.TypeInitializationException: The type initializer for 'System.Data.SqlClient.SqlPerformanceCounters' threw an exception. ----> System.Security.SecurityException: Requested registry access is not allowed.

at System.ThrowHelper.ThrowSecurityException(ExceptionResource resource)

at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)

at Microsoft.Win32.RegistryKey.OpenSubKey(String name)

at System.Diagnostics.PerformanceCounterLib.FindCustomCategory(String category, PerformanceCounterCategoryType& categoryType)

at System.Diagnostics.PerformanceCounterLib.IsCustomCategory(String category)

at System.Diagnostics.PerformanceC...).

 






Re: Windows Communication Foundation (Indigo) tried making a new service with 1 method that simply calls and gets a string from the sql database

JDPeckham

I thought maybe it was a remote registry issue; remote registry is enabled on the target database machine, so I mapped a drive... now I get a new exception (keep in mind this is all happening even though I'm operating as a domain administrator account):

System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: (Fault Detail is equal to An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is:

System.IO.FileLoadException:

at Srg.Services.PayBill.ServiceImplementation.PayBillService.GetFolderNameByOfficeCode(GetFolderNameByOfficeCodeRequest request)

at SyncInvokeGetFolderNameByOfficeCode(Object , Object[] , Object[] )

at System.ServiceModel.Dispatcher.InvokeDelegate.Invoke(Object target, Object[] inputs, Object[] outputs)

at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)

at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)

at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)

at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage4(MessageRpc& rpc)

at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage3(MessageRpc& rpc)

at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage2(MessageRp...).






Re: Windows Communication Foundation (Indigo) tried making a new service with 1 method that simply calls and gets a string from the sql database

JDPeckham

So what kind of registry access do I need to give my users to be able to run SqlConnection through a WCF service while being impersonated (or to my client processes if I decide not to impersonate the domain users directly)? And what machine do they need to have registry access to: the web service server, the data backend, the client machine, the client host (if web app)? And why is it denying my authenticated domain administrator account access to the registry anyhow?






Re: Windows Communication Foundation (Indigo) tried making a new service with 1 method that simply calls and gets a string from the sql database

Todd West

This sniffs like problems with identification level impersonation. Have you tried ChannelFactory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation?



Re: Windows Communication Foundation (Indigo) tried making a new service with 1 method that simply calls and gets a string from the sql database

JDPeckham

Genius!

I had tried

proxy.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;

That didn't work, but yes...

proxy.ChannelFactory.Credentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;

This does work. Thank you!






Re: Windows Communication Foundation (Indigo) tried making a new service with 1 method that simply calls and gets a string from the sql database

JDPeckham

Just out of curiosity, why would it allow me to get past the principal permission attribute if it wasn't impersonating properly?




Re: Windows Communication Foundation (Indigo) tried making a new service with 1 method that simply calls and gets a string from the sql database

Todd West

The impersonation level is a measure of the extent to which the target identity is attained. It doesn't affect which identity is impersonated. Given two threads, both impersonating the same principal, the thread impersonating at impersonation level will have rights to do things the thread impersonating at identification level will not.



Re: Windows Communication Foundation (Indigo) tried making a new service with 1 method that simply calls and gets a string from the sql database

JDPeckham

I'm having problems with this again with a self-hosted app... hosting it in a Windows service, and now I'm running a TCP endpoint. This time it gets all the way to creating a SQL connection and says login failed for NT AUTHORITY\Anonymous user... which is strange since it got past my PrinciplePermission attributes again... so it has neither the identity nor the impersonation token right.

I'm really confused now, and unfortunately the trace messages don't tell me anything since it's all encrypted (which is good, I suppose, until you're trying to figure something like this out).






Re: Windows Communication Foundation (Indigo) tried making a new service with 1 method that simply calls and gets a string from the sql database

Todd West

Discussing offline with JD. With respect to message tracing, these two knobs control where in the processing pipeline messages are traced. Service level tracing occurs before security is applied on senders and after decryption and signature checks have been done on receivers. Transport level tracing logs what goes on or is pulled off the wire.

<system.serviceModel>
  <diagnostics>
    <messageLogging logMessagesAtServiceLevel="true"
                    logMessagesAtTransportLevel="true" />
  </diagnostics>
</system.serviceModel>





Re: Windows Communication Foundation (Indigo) tried making a new service with 1 method that simply calls and gets a string from the sql database

JDPeckham

Todd got me straightened out. Basically, since I was using cached token impersonation and my SQL server is on a different server than the service host, I needed to be setting my ImpersonationLevel on the client to Delegation.

(This requires that the account that will be running the service host process be marked as "trusted for delegation" in Active Directory.)

One thing we couldn't figure out (or at least I didn't) exactly was how the IIS-hosted service WAS in fact able to delegate over to my SQL server and to a UNC path that was restricted to domain accounts, even though the worker process account had no permission to delegate (it was running as <machinename>\USR_<machineName> or whatever the default IIS anonymous account is named in IIS 5.1 (XP Pro)).
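Added example, not from the thread or the project: the service side of the two problems discussed above (Todd's explanation that a PrincipalPermission demand passes whatever the token's impersonation level, and the Delegation requirement when SQL Server sits on another machine). Before touching the database, the operation inspects the caller's token and fails with a readable fault instead of the registry-access or NT AUTHORITY\ANONYMOUS LOGON errors seen in the thread. The contract, the role name, the SqlServerIsRemote switch, the connection string and the Offices table are placeholders.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical contract for the example.
[ServiceContract]
public interface IPayBillService
{
    [OperationContract]
    string GetFolderNameByOfficeCode(string officeCode);
}

public class PayBillService : IPayBillService
{
    // Assumption for the example: SQL Server runs on a different machine than the service
    // host, so the caller's token must be Delegation level to make the second hop.
    private const bool SqlServerIsRemote = true;

    // Placeholder connection string; Integrated Security means the impersonated caller logs in.
    private const string ConnectionString =
        "Server=SQLHOST_PLACEHOLDER;Database=DB_PLACEHOLDER;Integrated Security=SSPI";

    // Impersonation=Required: WCF impersonates the caller for the duration of the call.
    // PrincipalPermission checks Thread.CurrentPrincipal, which WCF fills from the caller's
    // Windows groups (principalPermissionMode=UseWindowsGroups, the default) regardless of
    // the token's impersonation level. That is why the demand passes even when the token
    // is too weak to reach SQL Server, as happened twice in this thread.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    [PrincipalPermission(SecurityAction.Demand, Role = @"MYDOMAIN\Domain Users")]
    public string GetFolderNameByOfficeCode(string officeCode)
    {
        WindowsIdentity caller = RequireUsableToken(SqlServerIsRemote);

        using (SqlConnection conn = new SqlConnection(ConnectionString))
        {
            conn.Open();   // runs under the impersonated caller's token

            // SUSER_SNAME() reports the login SQL Server actually accepted; tracing it next to
            // caller.Name makes a silent fall-back to ANONYMOUS LOGON (failed delegation) obvious.
            using (SqlCommand who = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                string sqlLogin = (string)who.ExecuteScalar();
                System.Diagnostics.Trace.WriteLine(
                    string.Format("caller={0} sqlLogin={1}", caller.Name, sqlLogin));
            }

            using (SqlCommand cmd = new SqlCommand(
                "SELECT FolderName FROM Offices WHERE OfficeCode = @code", conn))
            {
                cmd.Parameters.AddWithValue("@code", officeCode);
                object result = cmd.ExecuteScalar();
                return result == null ? null : (string)result;
            }
        }
    }

    // Verifies that the caller's token is strong enough for the work this host has to do,
    // and turns the usual opaque downstream failure into a fault that names the fix.
    private static WindowsIdentity RequireUsableToken(bool needsSecondHop)
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.WindowsIdentity == null || ctx.WindowsIdentity.IsAnonymous)
            throw new FaultException("Windows authentication is required for this operation.");

        WindowsIdentity caller = ctx.WindowsIdentity;
        TokenImpersonationLevel required = needsSecondHop
            ? TokenImpersonationLevel.Delegation
            : TokenImpersonationLevel.Impersonation;

        // Enum order: None < Anonymous < Identification < Impersonation < Delegation.
        if (caller.ImpersonationLevel < required)
        {
            throw new FaultException(string.Format(
                "Caller {0} presented a {1}-level token but this operation needs {2}. " +
                "Set Credentials.Windows.AllowedImpersonationLevel on the client{3}.",
                caller.Name, caller.ImpersonationLevel, required,
                needsSecondHop ? " and mark the service account as trusted for delegation" : ""));
        }
        return caller;
    }
}
```

The check runs after the PrincipalPermission demand, so a caller who is not in the role is still rejected first; the fault text only ever reaches an authenticated, authorized caller. Delegation also needs Kerberos end to end (a registered SPN for the service and for SQL Server); with an NTLM fall-back the token can never be Delegation level, which is the self-hosted TCP symptom described above.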






Re: Windows Communication Foundation (Indigo) tried making a new service with 1 method that simply calls and gets a string from the sql database

Todd West

Last I heard it was because the SQL server and IIS hosted WCF service were on the same machine. If not, ping me offline and we can investigate further.