Jaga

Hi All,

We are hosting a WCF service in IIS 6.0 (Win 2K3) making use of wsHttpBinding and Message level security.

We have enabled Anonymous access and checked Windows authentication for the same in IIS settings.

The web.config settings for the WCF service are as below:

<bindings>
  <wsHttpBinding>
    <binding name="CPServiceBindingConfiguration">
      <security mode="Message">
        <message clientCredentialType="Windows" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

This WCF service is consumed by another ASP.NET web application hosted in another machine.

The Anonymous access is disabled and Windows Authentication is used in the ASP.NET web server's IIS settings.

In the ASP.NET web application's web.config we are using <identity impersonate="true"/> to impersonate the client user.

The ASP.NET web application works perfectly fine and is able to call the WCF service on the other machine without issues if we open the IE browser on the ASP.NET web server machine itself. However, when we try to access the ASP.NET web application from any other client machine's browser (except for the ASP.NET web server machine), the call to the WCF service on the other machine fails with the following error.

The request for security token could not be satisfied because authentication failed.

If we remove <identity impersonate="true"/> in the ASP.NET web server's web.config we are able to access properly without any issues from different client browsers. But we need impersonation in the ASP.NET web server layer.

We also tried running the WCF service hosted in IIS in a different App Pool running under a domain account. But that also did not solve the issue.

Kindly provide me with your inputs in how to solve this issue.

Regards,

Jaga



Re: Windows Communication Foundation (Indigo) WCF hosted in IIS with Windows Authentication

dominick.baier

The problem is that you are trying to delegate the client credentials without having configured delegation.

Do you need to call the back end WCF service using the client credentials?

If yes. You need to configure the machine running the asp.net app for delegation, read more here:

http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx

If no. You have to disable impersonation for the WCF call. You can do this either on a page basis by using a <location> element in web.config - OR - you do this:

// Requires: using System; using System.Security.Principal;
using (WindowsIdentity.Impersonate(IntPtr.Zero))
{
    // do the WCF call
}

This will undo impersonation for the length of the WCF call.

HTH, dominick
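
The revert-and-restore pattern from this answer, wrapped in a reusable helper, as an added example that is not part of the original thread. The names BackendCall, Describe and RunAsProcessIdentity are hypothetical, and the lambda stands in for the real WCF proxy call.

```csharp
using System;
using System.Security.Principal;

// Added illustration; BackendCall and its members are hypothetical names.
public static class BackendCall
{
    // Reports the identity the current thread would present on an outbound call.
    // ImpersonationLevel is None for a primary (process) token.
    public static string Describe()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            return id.Name + " (level: " + id.ImpersonationLevel + ")";
        }
    }

    // Reverts to the process (app pool) identity only for the duration of the
    // call. The WCF service then authenticates the worker process account,
    // not the browser user, so it must authorize that account.
    public static T RunAsProcessIdentity<T>(Func<T> wcfCall)
    {
        if (wcfCall == null) throw new ArgumentNullException("wcfCall");

        // Impersonate(IntPtr.Zero) is equivalent to Win32 RevertToSelf.
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            return wcfCall();
        } // Dispose() restores the impersonated client identity, also on exceptions.
    }
}

public static class Program
{
    public static void Main()
    {
        Console.WriteLine("before : " + BackendCall.Describe());

        // Stand-in for something like: () => proxy.SomeOperation()
        string during = BackendCall.RunAsProcessIdentity(() => BackendCall.Describe());
        Console.WriteLine("during : " + during);

        Console.WriteLine("after  : " + BackendCall.Describe());
    }
}
```

Run as a console program, all three lines show the same account because nothing is being impersonated. Inside an ASP.NET page with `<identity impersonate="true"/>`, "before" and "after" show the browser user while "during" shows the worker process account.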






Re: Windows Communication Foundation (Indigo) WCF hosted in IIS with Windows Authentication

Jaga

Hi Dominick,

Thanks for your inputs in this regard.

You had mentioned about using <location> element in web.config.

Kindly let me know if I need to provide the settings as below :

<location path="MembersOnly">
<system.web>
<authorization>
<allow users="*" />
<deny users=" " />
</authorization>
</system.web>
</location>

Also please let me know how does providing authorization at the ASP.NET web application affect the security of WCF?

Regards,

Jaga





Re: Windows Communication Foundation (Indigo) WCF hosted in IIS with Windows Authentication

dominick.baier

This has nothing to do with authorization - you need to know if you need to impersonate the client for the WCF call - yes or no... !

if no - you can disable impersonation on a page by page basis, like this:

<location path="PageWithoutImpersonation">
  <system.web>
    <identity impersonate="false" />
  </system.web>
</location>

or using the code I showed you earlier.

HTH






Re: Windows Communication Foundation (Indigo) WCF hosted in IIS with Windows Authentication

Jaga

Hi,

I want to impersonate my client only to my ASP.NET web server. I do not want to impersonate the call from my ASP.NET web server to the WCF service. How do I go about achieving this?

Regards,

Jaga





Re: Windows Communication Foundation (Indigo) WCF hosted in IIS with Windows Authentication

dominick.baier

OK - I already gave you all the info you need - just re-read the thread.