StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POAuthentication/Impersonation issue with ASP.NET call to WCF Service
text
Body
copied!<p>I have a web page that calls a WCF service that makes a sql database call using Integrated Security. I get an error saying, "Login failed for user 'CorpDomain\ServerName01$'". I want it so that it all layers will execute under the user's AD credetials (working in an intranet), ie: "CorpDomain\Albert".</p> <p>On the server (Win 2008/IIS 7), I have Windows Authentication turned on and everything else off (including Anonymous) under Authentication for both the web client and the WCF service. </p> <p>Here's my client web.config:</p> <pre><code><configuration> <system.web> <compilation debug="true" targetFramework="4.0"/> <authentication mode="Windows"/> <identity impersonate="true"/> <customErrors mode="Off"/> </system.web> <system.serviceModel> <bindings> <netTcpBinding> <binding name="NetTcpBinding_IMyService" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions" hostNameComparisonMode="StrongWildcard" listenBacklog="10" maxBufferPoolSize="524288" maxBufferSize="65536" maxConnections="10" maxReceivedMessageSize="65536"> <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" /> <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />  </binding> </netTcpBinding> </bindings> <client> <endpoint address="net.tcp://myurladdress/MyServices/Service.svc" binding="netTcpBinding" bindingConfiguration="NetTcpBinding_IMyService" contract="MySvc.IMyService" name="NetTcpBinding_IMyService" /> </client> <behaviors> <endpointBehaviors> <behavior name="ClientUserNameBehavior"> <clientCredentials> <windows allowedImpersonationLevel="Impersonation"/> </clientCredentials> </behavior> </endpointBehaviors> </behaviors> </system.serviceModel> </code></pre> <p></p> <p>Here's my WCF service web.config:</p> <pre><code><?xml version="1.0"?> <configuration> <system.web> <compilation debug="true" targetFramework="4.0" /> <authentication mode="Windows"/> <identity impersonate="true"/> </system.web> <connectionStrings>  <add name="myDB" connectionString="Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=Carbon;Data Source=mydbname,10600" providerName="System.Data.SqlClient"/> </connectionStrings> <system.serviceModel> <services> <service name="WCFServices.MyService" behaviorConfiguration="MyServiceBehavior"> <host> <baseAddresses> <add baseAddress="net.tcp://localhost:8000/WCFServices/MyService"/> </baseAddresses> </host> <endpoint address="" binding="netTcpBinding" contract="WCFServices.IMyService" bindingConfiguration="tcpWindowsSecurity" bindingNamespace="http://WCFServices.MySvc/"/> <endpoint address="MEX" binding="mexTcpBinding" contract="IMetadataExchange"/> </service> </services> <behaviors> <serviceBehaviors> <behavior name="MyServiceBehavior"> <serviceMetadata httpGetEnabled="false"/> <serviceDebug includeExceptionDetailInFaults="true"/> <serviceAuthorization impersonateCallerForAllOperations="true" /> </behavior> </serviceBehaviors> </behaviors> <bindings> <netTcpBinding> <binding name="tcpWindowsSecurity" maxReceivedMessageSize="524288" maxBufferSize="524288">  </binding> </netTcpBinding> </bindings>  <serviceHostingEnvironment > <serviceActivations> <add relativeAddress="~/MyService.svc" service="WCFServices.MyService"/> </serviceActivations> </serviceHostingEnvironment> </system.serviceModel> <system.webServer> <modules runAllManagedModulesForAllRequests="true"/> </system.webServer> </configuration> </code></pre> <p>on the <strong>client side</strong>:</p> <p>Request.ServerVariables["AUTH_USER"].ToString() = "CorpDomain\Albert"</p> <p>Page.User.Identity.Name = "CorpDomain\Albert"</p> <p>System.Threading.Thread.CurrentPrincipal.Identity.Name = "CorpDomain\Albert"</p> <p>System.Security.Principal.WindowsIdentity.GetCurrent().Name = "NT AUTHORITY\NETWORK SERVICE"</p> <p>My client code is basically:</p> <pre><code>MySvc.MyServiceClient svc = new MySvc.MyServiceClient(); svc.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation; Response.Write(svc.GetServiceHtml()); </code></pre> <p>and on the <strong>WCF side</strong>:</p> <p>ServiceSecurityContext.Current.WindowsIdentity.Name = "NT AUTHORITY\NETWORK SERVICE"</p> <p>server side code is:</p> <pre><code>[OperationBehavior(Impersonation = ImpersonationOption.Required)] public string GetServcieHtml() { string name, link; StringBuilder html = new StringBuilder(); html.Append(ServiceSecurityContext.Current.WindowsIdentity.Name); try { using (SqlConnection conn = GetDataConnection()) { conn.Open(); SqlCommand sqlcom = new SqlCommand("dbo.runsomeproc", conn); sqlcom.CommandType = CommandType.StoredProcedure; SqlDataReader sqlDataReader = sqlcom.ExecuteReader(); while (sqlDataReader.Read()) { // ** SOME CODE HERE ** } conn.Close(); } } catch (Exception ex) { html.AppendLine("<br><br>ERROR:" + ex.Message + " " + ex.InnerException); return html.ToString(); } return html.ToString(); } </code></pre> <p><strong>Note:</strong> The error I get is: ERROR:Login failed for user 'CorpDomain\ServerName01$'. </p> <p>Any idea what I'm doing wrong?</p>

Querying!

Guidance

An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload