Question

I have a .Net 3.5 SP1 WCF service running under IIS 7 on a Windows 2008 machine. When I try to connect to this service from an IIS hosted WCF service running under IIS 5.0 (Windows XP) .Net 3.5 SP1, I get the following error:

The token provider cannot get tokens for target: http://(URL for WCF service)

I've built a simple console application that can successfully connect to the WCF service using the exact same configuration. I've also built a simple web application hosted under the WebDev server (ASP.Net server that comes with Visual Studio 2008) and it is able to successfully connect to the WCF service. When I configured a virtual directory within IIS (Windows XP) to point at the same directory as the WebDev server, I get the following error:

No credentials are available in the security package

But, if I set the web.config to turn impersonation on using my logon credentials, it works fine. This is not a good long term solution for obvious reasons. The one difference that I've noted between IIS and the WebDev servers is the user that each process is running under. IIS runs under the ASPNet account and WebDev runs under my account.

Here's the config for the WCF section on the client:

<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <behavior name="mexBehavior">
        <serviceMetadata httpGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="true" />
        <serviceThrottling maxConcurrentCalls="200" maxConcurrentSessions="200" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <bindings>
    <wsHttpBinding>
      <binding name="FABindings" maxReceivedMessageSize="2147483647">
        <readerQuotas maxStringContentLength="300000" />
        <security mode="Message">
          <message clientCredentialType="Windows" negotiateServiceCredential="false" establishSecurityContext="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <endpoint address="http://<server url>/FinancialAggregator/v3/Services/FAService.svc"
              binding="wsHttpBinding" bindingConfiguration="FABindings"
              contract="ServiceReference1.IFilteredService" name="FAServiceEndpoint">
      <identity>
        <servicePrincipalName value="<UsernameRunningTheAppPoolOnW2k8>" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>

Here's the server config (as requested):

<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="wsHttpBinding" maxReceivedMessageSize="2147483647">
        <security mode="Message">
          <message establishSecurityContext="false" negotiateServiceCredential="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="mexBehavior">
        <serviceMetadata httpGetEnabled="true" httpsGetEnabled="false" />
        <serviceDebug includeExceptionDetailInFaults="true" />
        <serviceThrottling maxConcurrentCalls="200" maxConcurrentSessions="200" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service behaviorConfiguration="mexBehavior" name="FCSAmerica.Financial.Aggregator.Service.FilteredService">
      <endpoint name="FAServiceEndpoint" address="" binding="wsHttpBinding" bindingConfiguration="wsHttpBinding" contract="FCSAmerica.Financial.Aggregator.Service.IFilteredService">
      </endpoint>
    </service>
  </services>
</system.serviceModel>

Any thoughts on the cause of this error?

Thanks!


Solution 2

I guess the ultimate answer to this question is to simply upgrade to an OS that allows you to set the identity of an application pool, which I have done ages ago.

Thanks for the consideration.

Matt

OTHER TIPS

When you access the service via IIS with impersonate = false, it is the ASPnet account that is used to access the service on the Windows 2008 machine.

The ASPnet account is a local account and therefore does not have rights on the 2008 machine.

There are 3 ways you could solve this:

  • Allow anonymous access to the service on the Windows 2008 machine
  • Use impersonate = true (as you have)
  • Change the identity of the application pool from aspnet to a domain account with the required access.
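The answer above turns on which Windows account the calling worker process presents to the remote service, and the question notes that this was the one difference between IIS and the WebDev server. The following diagnostic handler is an added example (not code from the question, the answers, or the WCF project described) that reports the identity a WCF client proxy with clientCredentialType="Windows" would use and flags the case the answer describes: a local machine account such as ASPNET, which has no domain credential to offer. Assumed deployment: save it as IdentityCheck.ashx in the calling web application (the IIS 5.0 host) and request it once with impersonate="false" and once with impersonate="true"; the handler name and file name are assumptions.

```csharp
// Added diagnostic example; not code from the question or the answers.
// Assumed deployment: IdentityCheck.ashx in the *calling* web app (the one that
// owns the WCF client proxy). Targets .NET 3.5, so no C# 4 / .NET 4 APIs.
using System;
using System.Security.Principal;
using System.Text;
using System.Web;

public class IdentityCheck : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";
        // With clientCredentialType="Windows" the proxy authenticates with the
        // thread's current Windows token, so this is what the remote service sees.
        context.Response.Write(Describe(WindowsIdentity.GetCurrent(), Environment.MachineName));
    }

    // Classifies the account and states what the remote SSPI target will receive.
    public static string Describe(WindowsIdentity id, string machineName)
    {
        StringBuilder report = new StringBuilder();
        report.AppendLine("Identity            : " + id.Name);
        report.AppendLine("Authentication type : " + id.AuthenticationType);
        report.AppendLine("Impersonation level : " + id.ImpersonationLevel);

        // LocalSystem / NETWORK SERVICE / LOCAL SERVICE are local accounts too, but
        // on a domain-joined box the first two authenticate outbound as the
        // computer account (DOMAIN\MACHINE$), which can be granted access.
        bool isSystemOrService = id.IsSystem
            || (id.User != null && id.User.IsWellKnown(WellKnownSidType.NetworkServiceSid))
            || (id.User != null && id.User.IsWellKnown(WellKnownSidType.LocalServiceSid));

        // "XPBOX\ASPNET" -> authority "XPBOX"; "DOMAIN\svc" -> authority "DOMAIN".
        int slash = id.Name.IndexOf('\\');
        string authority = slash < 0 ? "" : id.Name.Substring(0, slash);
        bool isLocalUser = !isSystemOrService
            && string.Equals(authority, machineName, StringComparison.OrdinalIgnoreCase);

        if (isLocalUser)
        {
            // The account exists only in this machine's SAM, so the security
            // package has no credential to obtain a token for a remote target.
            // This is the condition behind "No credentials are available in the
            // security package" and "The token provider cannot get tokens for target".
            report.AppendLine("Verdict: local machine account; outbound Windows authentication to another host will fail.");
            report.AppendLine("Fix: run the worker process as a domain account (app pool identity on IIS 6/7),");
            report.AppendLine("     or as NETWORK SERVICE on a domain-joined machine, or allow anonymous access on the service.");
        }
        else
        {
            // A domain account, or an impersonated logon created from real
            // credentials (the impersonate="true" case that worked), can present
            // credentials. Remaining failures point at the SPN/identity element.
            report.AppendLine("Verdict: account can present credentials; if calls still fail, check the endpoint <identity> / SPN next.");
        }
        return report.ToString();
    }
}
```

Running it with impersonate="false" under IIS 5.0 should report XPBOX\ASPNET-style output and the local-account verdict; under the WebDev server it reports your own domain account, which is why that host works. The verdict is deliberately not based on ImpersonationLevel, because a token created by ASP.NET from configured credentials reports Impersonation level yet still authenticates outbound, while a token borrowed from an authenticated browser user at the same level does not.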