
POService does not receive client credentials
I cannot seem to authorize service contract operations based on the credentials of the user who is calling my WCF service.

Service Web.Config

```xml
<system.serviceModel>
  <services>
    <service name="WCFService.Service" behaviorConfiguration="DefaultServiceBehavior">
      <host>
        <baseAddresses>
          <add baseAddress="net.tcp://localhost:8080/WCFService"/>
        </baseAddresses>
      </host>
      <!-- Net.Tcp EndPoints-->
      <endpoint address="" binding="netTcpBinding" contract="WCFService.IService" bindingConfiguration="NetTcp_Secured"/>
      <endpoint address="mex" binding="mexTcpBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <bindings>
    <netTcpBinding>
      <binding name="NetTcp_Secured">
        <security mode="Transport">
          <message clientCredentialType="Windows" />
          <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
        </security>
      </binding>
    </netTcpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="DefaultServiceBehavior">
        <serviceMetadata httpGetEnabled="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

Client Web.Config

```xml
<system.serviceModel>
  <behaviors>
    <endpointBehaviors>
      <behavior name="DefaultClientBehavior">
        <clientCredentials>
          <windows allowNtlm="true" allowedImpersonationLevel="Delegation" />
          <httpDigest impersonationLevel="Impersonation"/>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <bindings>
    <netTcpBinding>
      <binding name="NetTcpBinding">
        <security mode="Transport">
          <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
          <message clientCredentialType="Windows"/>
        </security>
      </binding>
    </netTcpBinding>
  </bindings>
  <client>
    <endpoint address="net.tcp://localhost:8080/WCFService/Service.svc" binding="netTcpBinding" bindingConfiguration="NetTcpBinding" behaviorConfiguration="DefaultClientBehavior" contract="TestWcfService.IService" name="NetTcpBinding_IService">
    </endpoint>
  </client>
</system.serviceModel>
```

Service Code...

```csharp
[OperationBehavior(Impersonation = ImpersonationOption.Required)]
public string GetCurrentPrinciple()
{
    return "Windows Identity: " + WindowsIdentity.GetCurrent().Name + " \\ " +
           "Thread Identity: " + System.Threading.Thread.CurrentPrincipal.Identity.Name;
}
```

I believe this is the reason why this attribute causes a security exception...

```csharp
[PrincipalPermission(SecurityAction.Demand, Name = @"DOMAIN_NAME\User")]
```

The method can be called just fine across the service, which makes me think that the security settings are ok. However, the above code, which runs in the service, always returns the name of the App Pool identity and not the identity of the user who called the service.

Doing the following in the immediate window of the service in a break point gives the following...

```
? WindowsIdentity.GetCurrent()
{System.Security.Principal.WindowsIdentity}
    AuthenticationType: "Negotiate"
    Groups: {System.Security.Principal.IdentityReferenceCollection}
    ImpersonationLevel: Impersonation
    IsAnonymous: false
    IsAuthenticated: true
    IsGuest: false
    IsSystem: false
    Name: "IIS APPPOOL\\DefaultAppPool"
    Owner: {S-1-5-SAME-AS-BELOW-}
    Token: 2300
    User: {S-1-5-SAME-AS-ABOVE-}
```

So I am authenticated - I just don't have the caller's name!

Both service and client are set to Windows Authentication. If I do this in the client...

```csharp
protected void Page_Load(object sender, EventArgs e)
{
    lblCurrentUser.Text = "Current Website User: " + HttpContext.Current.User.Identity.Name;
}
```

... it returns the correct domain and username, so I know the client has correctly ascertained my Windows credentials via the browser.

I am just not sure what I am missing here as to why the service does not report the client credentials.
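As an added example (not code from the question), the following shows how a service can tell which identity actually authenticated on the net.tcp transport, as opposed to the token its thread happens to run under, and how an ASP.NET client can forward the browser user's Windows identity instead of its own app-pool account. The operation name `WhoAmI`, the proxy class `ServiceClient` and the page class `ClientPage` are assumed names.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.Web;

// Assumed names (not from the question): operation WhoAmI and the proxy class ServiceClient.
[ServiceContract]
public class Service
{
    [OperationContract]
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoAmI()
    {
        // The identity that authenticated on the net.tcp transport: the caller as WCF verified
        // it, regardless of whether impersonation changed the thread token. Authorization
        // decisions should key off this, not off the process token.
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        string caller = (ctx != null && ctx.WindowsIdentity != null) ? ctx.WindowsIdentity.Name : "<none>";
        // The token the service thread runs under right now (the process token unless impersonated).
        string thread = WindowsIdentity.GetCurrent().Name;
        // Caller == Thread == app-pool account: the web client authenticated with its own process
        // identity. Caller != Thread: the call authenticated but impersonation did not take effect.
        return "Caller: " + caller + " | Thread: " + thread;
    }
}

public partial class ClientPage : System.Web.UI.Page
{
    // Declared here so the listing is self-contained; in a real project the designer file provides it.
    protected System.Web.UI.WebControls.Label lblCurrentUser;

    protected void Page_Load(object sender, EventArgs e)
    {
        // Use the Windows token of the browser user for the outbound call, not the app-pool token.
        WindowsIdentity user = HttpContext.Current.User.Identity as WindowsIdentity;
        if (user == null || !user.IsAuthenticated)
            throw new UnauthorizedAccessException("Windows authentication is required on the web app.");
        // Impersonate only for the duration of the call; Undo() restores the process identity.
        WindowsImpersonationContext impersonation = user.Impersonate();
        ServiceClient client = new ServiceClient("NetTcpBinding_IService");
        try
        {
            lblCurrentUser.Text = client.WhoAmI();
            client.Close();
        }
        catch { client.Abort(); throw; }
        finally { impersonation.Undo(); }
    }
}
```

When the service runs on a different host than the web application, the browser user's token must also be delegable (Kerberos delegation configured for the web app's account); an NTLM or impersonation-level token does not survive that second hop.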