I have 2 WCF services, (A and B), where A calls B.

WCF Service A runs using identity ServiceUserA (as set in application pool). WCF Service B runs using identity ServiceUserB (as set in application pool).

WCF Service B needs to allow access to users in AD group ServiceBAccessGroup. ServiceUserA is part of ServiceBAccessGroup.

When Service A tries to connect to Service B, it gives this error:

SecurityNegotiationException A call to SSPI failed, see inner exception: "The target principal name is incorrect"

When both ServiceA and Service B were running as Network Service, this worked fine.

How do I allow users part of ServiceBAccessGroup to connect to ServiceB?

Edit: More info regarding environment:

.net 3.5, IIS 7.0 (WAS), through netTcpBinding, Windows Server 2008.

Edit (2): Yep, thx for asking Tuzo. Here is the client endpoint connection:

<client>
  <endpoint address="net.tcp://MyServerName:812/v1_0/ServiceB.svc/ServiceB" binding="netTcpBinding" contract="IServiceB" name="ServiceBEndpoint">
  </endpoint>
</client>

Edit (3):

Thanks for your help, it has pointed me closer to the direction of my goal.

I believe my issue is more to do with Authorisation than Authentication. I do not want to authenticate as the ServiceUserB because that would defeat the purpose of our security model.

Using the following did work:

<identity>
  <servicePrincipalName value="ServiceB/MyServerName:812" />
</identity>

I will give you the correct answer as it was indeed correct and helped me get to my destination.

Thanks again!

+1  A: 

Try adding an identity element to your ServiceA configuration:

<client>
  <endpoint address="net.tcp://MyServerName:812/v1_0/ServiceB.svc/ServiceB" binding="netTcpBinding" contract="IServiceB" name="ServiceBEndpoint" >
      <identity>
          <userPrincipalName value="user@domain" />
      </identity>
  </endpoint>
</client>
Tuzo
Hmm, I see where you are coming from, however it did not work when I added it in. The WCF service A is already running under the identity ServiceUserA (set in the application pool) so this value is already set.
Russell
I received a different exception after inserting the identity into the endpoint. Here is the message: "Either the target name is incorrect or the server has rejected the client credentials." How do I allow it to connect to ServiceB? Note: I do not want to use ServiceUserB as the identity, because I need ServiceA to connect using its own credential.
Russell
This is the updated configuration: <client> <endpoint address="net.tcp://MyServerName:812/v1_0/ServiceB.svc/ServiceB" binding="netTcpBinding" contract="IServiceB" name="ServiceBEndpoint"> <identity> <userPrincipalName value="ServiceUserA@MyDomain" /> </identity> </endpoint> </client> Still does not authenticate. Any ideas? Thanks in advance
Russell
See edit(3) for conclusion. :)
Russell
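The thread ends with two separate pieces: the client-side identity element from Edit (3) (which fixes authentication, i.e. the Kerberos SPN the client expects Service B to present) and the original question of restricting Service B to members of ServiceBAccessGroup (which is authorization). The following C# is an added example, not code from the thread or from either poster, showing both halves programmatically: a ServiceB implementation that demands the Windows group as a role, a client factory that sets the same SPN identity as the servicePrincipalName element, and a caller that distinguishes a negotiation failure (the thread's error) from an access-denied failure. The names ServiceB, IServiceB, ServiceBAccessGroup, ServiceUserA/B, MyServerName and port 812 come from the thread; MYDOMAIN, the WhoAmI operation and the factory classes are assumptions made for the example.

```csharp
using System;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

// ---- Service B: contract and implementation (hypothetical operation WhoAmI) ----
[ServiceContract]
public interface IServiceB
{
    [OperationContract]
    string WhoAmI();
}

public class ServiceB : IServiceB
{
    // Authorization: only callers whose Windows token contains the AD group
    // ServiceBAccessGroup may invoke this operation. Authentication (who the
    // caller is) is done by the netTcpBinding's Windows transport security;
    // this attribute only decides whether that authenticated caller is allowed in.
    // MYDOMAIN is an assumed domain name.
    [PrincipalPermission(SecurityAction.Demand, Role = @"MYDOMAIN\ServiceBAccessGroup")]
    public string WhoAmI()
    {
        // The authenticated Windows identity of the caller (ServiceUserA when
        // called from Service A), not the identity Service B itself runs as.
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        return caller.Name;
    }
}

// ---- Service B host: programmatic equivalent of the IIS/WAS-hosted endpoint ----
public static class ServiceBHostFactory
{
    public static ServiceHost Create()
    {
        var host = new ServiceHost(typeof(ServiceB),
            new Uri("net.tcp://localhost:812/v1_0/ServiceB.svc"));
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        host.AddServiceEndpoint(typeof(IServiceB), binding, "ServiceB");

        // Map Windows group membership onto the roles PrincipalPermission checks.
        // UseWindowsGroups is the default; it is set explicitly here for clarity.
        var authz = host.Description.Behaviors.Find<ServiceAuthorizationBehavior>();
        authz.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;
        return host;
    }
}

// ---- Service A: client channel with the SPN identity from Edit (3) ----
public static class ServiceBClientFactory
{
    public static ChannelFactory<IServiceB> Create()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;

        // Programmatic form of <identity><servicePrincipalName value="ServiceB/MyServerName:812"/></identity>.
        // The SPN must be one registered in AD for the account Service B runs as (ServiceUserB);
        // otherwise Kerberos negotiation fails with "The target principal name is incorrect".
        EndpointIdentity spn = EndpointIdentity.CreateSpnIdentity("ServiceB/MyServerName:812");
        var address = new EndpointAddress(
            new Uri("net.tcp://MyServerName:812/v1_0/ServiceB.svc/ServiceB"), spn);

        // No ClientCredentials.Windows settings: the process identity (ServiceUserA,
        // the app pool account) is used, which is what the thread wants.
        return new ChannelFactory<IServiceB>(binding, address);
    }
}

public static class Program
{
    public static void Main()
    {
        ChannelFactory<IServiceB> factory = ServiceBClientFactory.Create();
        IServiceB proxy = factory.CreateChannel();
        try
        {
            Console.WriteLine("Service B sees caller as: " + proxy.WhoAmI());
        }
        catch (SecurityNegotiationException ex)
        {
            // Authentication problem: wrong/unregistered SPN or rejected credentials.
            Console.WriteLine("Negotiation failed (check the SPN identity): " + ex.Message);
        }
        catch (SecurityAccessDeniedException ex)
        {
            // Authorization problem: caller authenticated but is not in ServiceBAccessGroup.
            Console.WriteLine("Access denied (check group membership): " + ex.Message);
        }
        finally
        {
            factory.Close();
        }
    }
}
```

Two points worth keeping in mind when applying this. First, the SPN value is only useful if it is registered in Active Directory on the account Service B actually runs under; when both services ran as Network Service the machine account's own SPNs covered the default identity, which is why the problem only appeared after switching to dedicated service accounts. Second, the group check belongs on the service side, so a client identity change (as tried in the comments above) cannot substitute for it; the client-side identity element only tells the client which service principal to negotiate with.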