
I'm trying to secure my WCF service with an AD-based logon system. I've created an AD group named "TestUsers". My user account is a member of that group. The WCF service is hosted in IIS.

But I always get the exception "SecurityAccessDeniedException".

My WCF Service looks like:

Web.Config

<?xml version="1.0" encoding="utf-8"?>
<configuration>

  <appSettings>
    <add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
  </appSettings>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5"/>
  </system.web>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpEndpointBinding">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="false"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <protocolMapping>
      <add binding="basicHttpsBinding" scheme="https" />
    </protocolMapping>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
    <directoryBrowse enabled="true"/>
  </system.webServer>

</configuration>

IService1.cs (Service interface): Just one method:

string GetWelcomeMessage();

Service1.svc.cs:

using System.Security.Permissions;

public class Service1 : IService1
{
    // Demands that the caller's principal is a member of the named Windows group
    [PrincipalPermission(SecurityAction.Demand, Role = @"mydomain\TestUsers")]
    public string GetWelcomeMessage()
    {
        return "hello world";
    }
}

Any ideas what's wrong?

Any help would be greatly appreciated.

user1011394

1 Answer


Make sure that the account that runs the service that hosts IIS is permitted to perform security checks in the AD.

Also change

includeExceptionDetailInFaults="false"

to

includeExceptionDetailInFaults="true"

for now, this might help you analyze the problem.

flayn
  • Thanks for your reply, Florian. The account that runs the service is permitted to perform security checks. I've changed includeExceptionDetailInFaults to true. But there is no additional info. – user1011394 Sep 19 '13 at 13:10
  • Does your code work when you remove the attribute? You can also verify your binding by removing the attribute and inspecting ServiceSecurityContext.Current.WindowsIdentity. – flayn Sep 19 '13 at 13:22
  • Of course, the code does work without "[PrincipalPermission(SecurityAction.Demand, Role = @"mydomain\TestUsers")]". – user1011394 Sep 19 '13 at 13:41
  • Just asking :) What is the value of ServiceSecurityContext.Current.WindowsIdentity? – flayn Sep 19 '13 at 13:46
  • ;) In the consuming application? ServiceSecurityContext.Current is NULL mhhhhhh – user1011394 Sep 19 '13 at 14:01
  • No, inside your GetWelcomeMessage() method. – flayn Sep 19 '13 at 14:02
  • Inside the GetWelcomeMessage() method? I'm not able to show it because of the "Request for principal permission failed." exception when I call the method. – user1011394 Sep 19 '13 at 14:10
  • That might be something completely different. Check here: http://stackoverflow.com/questions/8812926/system-security-securityexception-request-for-principal-permission-failed – flayn Sep 19 '13 at 14:12
  • I've already read the article. Maybe you're right, it could be more than just one failure. Thanks Florian. – user1011394 Sep 19 '13 at 14:20
  • Ok. Finally solved it... I have to use it with HTTPS binding, HTTP will not work (in my case)... and you have to put your services (contracts) in the web.config.... Thanks @flo – user1011394 Sep 19 '13 at 14:42
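As an added example that is not part of the original question, answer or comments: a Web.config that does what the asker's final comment describes, namely declare the service and its endpoint explicitly and carry the Windows credential over HTTPS. The namespace WcfService1 and the binding name WindowsOverHttps are assumptions for this example; substitute the real namespace of Service1 and IService1. It also assumes the IIS site has an HTTPS binding and that Windows Authentication is enabled and Anonymous Authentication disabled for this application in IIS, otherwise WCF refuses to activate a service whose binding demands a Windows credential.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
  </appSettings>
  <system.web>
    <compilation debug="false" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5" />
    <!-- ASP.NET side of the pipeline also uses Windows auth (aspNetCompatibilityEnabled="true" below) -->
    <authentication mode="Windows" />
  </system.web>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- A named binding configuration is only applied to endpoints that reference it by name.
             The name "WindowsOverHttps" is an assumption made for this example. -->
        <binding name="WindowsOverHttps">
          <!-- Transport = HTTPS: the SOAP body is encrypted on the wire and the Windows
               credential is negotiated (Kerberos/NTLM) at the HTTP layer -->
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <!-- Explicit service/endpoint declaration (the asker's "put your services in the web.config").
           Namespace WcfService1 is an assumption; use the real namespace of Service1 / IService1. -->
      <service name="WcfService1.Service1">
        <endpoint address=""
                  binding="basicHttpBinding"
                  bindingConfiguration="WindowsOverHttps"
                  contract="WcfService1.IService1" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <!-- Metadata over HTTPS only; no plain-HTTP GET endpoint -->
          <serviceMetadata httpsGetEnabled="true" />
          <!-- Keep false in production; set to true only temporarily while diagnosing, as the answer suggests -->
          <serviceDebug includeExceptionDetailInFaults="false" />
          <!-- The default, stated explicitly: PrincipalPermission(Role=...) is evaluated
               against the caller's Windows group memberships -->
          <serviceAuthorization principalPermissionMode="UseWindowsGroups" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
    <!-- Directory browsing was enabled in the original config; a service has no reason to list its folder -->
    <directoryBrowse enabled="false" />
  </system.webServer>
</configuration>
```

Why the original config failed the role demand: it defines a binding configuration named BasicHttpEndpointBinding but contains no <services> element that references it, so the WCF 4 default endpoint is built from the unnamed default basicHttpBinding configuration, whose security mode is None. No Windows credential is ever demanded, the caller is anonymous, and the PrincipalPermission demand for mydomain\TestUsers fails with "Request for principal permission failed" / SecurityAccessDeniedException. Referencing the configuration by name via bindingConfiguration, or leaving the <binding> element unnamed so it becomes the default for basicHttpBinding, makes it apply. With an endpoint declared this way, ServiceSecurityContext.Current.WindowsIdentity inside GetWelcomeMessage() is the caller's Windows identity, which is the check flayn suggested in the comments. The original TransportCredentialOnly mode over plain HTTP authenticates the caller but leaves the SOAP body in cleartext; mode="Transport" over HTTPS protects both, which matches the asker's finding that only the HTTPS setup worked for them.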