Question

I have a WCF service with the following configuration

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <compilation debug="true" />
  </system.web>

  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <binding name="CommonWindowsBinding" maxReceivedMessageSize="40000000">
          <security mode="TransportWithMessageCredential">
            <transport clientCredentialType="None" />
            <message clientCredentialType="Windows" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>

    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />

    <services>
      <service behaviorConfiguration="CommonBehavior" name="Megatec.MasterTourService.AdminService">
        <endpoint address="Windows" binding="netTcpBinding" bindingConfiguration="CommonWindowsBinding" name="Megatec.MasterTourService.Contracts.IAdminServiceWindows" contract="Megatec.MasterTourService.Contracts.IAdminService">
          <identity>
            <dns value="WCFServer" />
          </identity>
        </endpoint>
      </service>
    </services>

    <behaviors>
      <serviceBehaviors>
        <behavior name="CommonBehavior">
          <dataContractSerializer maxItemsInObjectGraph="10000000" />
          <serviceMetadata httpGetEnabled="true" policyVersion="Policy15" />
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceAuthorization impersonateCallerForAllOperations="true" />
          <serviceCredentials>
            <clientCertificate>
              <authentication certificateValidationMode="PeerTrust" />
            </clientCertificate>
            <serviceCertificate findValue="WCFServer" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
            <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="Megatec.MasterTourService.Security.CustomUserNameValidator, Megatec.MasterTourService.Security" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>

Code

public class AdminService : BaseAuthService, IAdminService
{
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public bool HasRole(string roleName)
    {
        //work with database
    }
}

I host this service on IIS 7; for the application pool I set a domain user (Master\MyLogin). I need a domain user for delegation (according to step 4).

It works fine when I consume the service from a local client (the same computer, under Master\MyLogin or some other domain user). But when I tried to consume the service from another computer on the network, it failed. Everything works fine with ApplicationPoolIdentity.

Master\MyLogin is an administrator on the computer with the service (but he isn't a domain admin).

Maybe there are rights which should be granted to Master\MyLogin?

Update. Client exception.

At first, there was a SecurityNegotiationException. Next, I added the section

<identity>
    <userPrincipalName value="myLogin@Mydomain" />
</identity>

The new exception was MessageSecurityException.

The identity check failed for the outgoing message. The expected identity is "identity(http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn)" for the 'net.tcp://dev4-10:5012/IISTest/AdminService.svc/Windows' target endpoint.

How should I configure <identity> for client and service?


Solution

Unfortunately, the Transport/TransportWithMessageCredential security mode doesn't support such work with client credentials. I've changed CommonWindowsBinding in the following way

    <binding name="CommonWindowsBinding" maxReceivedMessageSize="40000000">
      <security mode="Message">
        <message clientCredentialType="Windows" />
      </security>
    </binding>
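
As an added example that is not part of the question or either answer, here is the client side of the accepted answer's binding built in code, showing where the endpoint identity the question asks about goes and how it relates to the impersonation the service requires. The contract stub, the hostname and port (taken from the exception text) and the UPN are assumptions; replace them with your own values.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Stand-in for Megatec.MasterTourService.Contracts.IAdminService (assumed shape).
[ServiceContract]
public interface IAdminService
{
    [OperationContract]
    bool HasRole(string roleName);
}

public static class AdminServiceClientFactory
{
    public static ChannelFactory<IAdminService> Create(string serviceUpn)
    {
        // Mirrors the corrected CommonWindowsBinding: Message security with
        // Windows (Kerberos/NTLM) client credentials, same message size limit.
        var binding = new NetTcpBinding(SecurityMode.Message)
        {
            MaxReceivedMessageSize = 40000000
        };
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        // The client asserts the identity the service actually runs as. When the
        // IIS application pool runs as a domain account, that is the account's
        // UPN (e.g. "myLogin@Mydomain"); when the pool uses a machine identity
        // (ApplicationPoolIdentity, Network Service) use an SPN instead, e.g.
        // EndpointIdentity.CreateSpnIdentity("host/dev4-10"). A mismatch here is
        // what surfaces as the "identity check failed" MessageSecurityException.
        EndpointIdentity identity = EndpointIdentity.CreateUpnIdentity(serviceUpn);
        var address = new EndpointAddress(
            new Uri("net.tcp://dev4-10:5012/IISTest/AdminService.svc/Windows"),  // assumed
            identity);

        var factory = new ChannelFactory<IAdminService>(binding, address);

        // HasRole is marked ImpersonationOption.Required, so the caller must allow
        // at least Impersonation. Delegation is only needed when the service
        // forwards the caller's identity to a further server (e.g. the database),
        // and for that hop the pool account must also be trusted for delegation
        // in Active Directory; grant the lowest level that works.
        factory.Credentials.Windows.AllowedImpersonationLevel =
            TokenImpersonationLevel.Delegation;

        return factory;
    }
}
```

Usage: `using (var factory = AdminServiceClientFactory.Create("myLogin@Mydomain")) { bool ok = factory.CreateChannel().HasRole("Administrators"); }`.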

OTHER TIPS

I think you have to use TransportWithMessageCredential instead of just Transport. Just using will get your service going over HTTPS but has nothing to do with using credentials for authentication.

If you use you can use HTTPS and have username and password.

MSDN article

If you really do just want to use Transport, take out the node from your service config.

Licensed under: CC-BY-SA with attribution