I just tried to move one of our WCF services to Windows authentication, using this connection string:

<add name="MembershipConnection" connectionString="Data Source=DBADDRESS ;Initial Catalog=aspNetMembership;Persist Security Info=True;Integrated Security=SSPI;"/>

The WCF service is hosted in IIS (2003), and the user I have set up under 'Directory Security' is the user we have set up for this app, which has permissions set up in SQL. The Application Pool set up for this app is running under the 'Network Service' user, but I get this exception when trying to use the service:

System.Data.SqlClient.SqlException: Login failed for user 'Domain\MAchineName$'

I talked to our system admin and he says that the $ at the end of the user name means that the machine itself is trying to authenticate, not the user.

Any ideas on why the machine is trying to authenticate rather than the user set up in IIS?

+1  A: 

You need to configure your service to impersonate the caller (the easy part, e.g. using [OperationBehavior(Impersonation = ImpersonationOption.Required)]), then you'll need to set up IIS for constrained delegation. See

Remus Rusanu
+3  A: 

Actually, it's working as advertised: the "Network Service" user will authenticate as the machine for any remote connections. From the MSDN docs on it here:

A service that runs in the context of the NetworkService account presents the computer's credentials to remote servers

If you want a specific account, you'll need to create it and set up the app pool to run under that account.

If you want to authenticate as the user, you'll need to set up delegation.

Philip Rieck
All I had to do was create a new user account for that Application Pool and add it to the 'IIS_WPG' group, then use that user as the identity of the Application Pool.
Keivan