I have a WCF service running on IIS 6 using an application pool with a custom identity.

I have looked on the web for two days and I can't find the exact answer to my problem. I know there are a lot of similar ones out there.

On IIS 6 the virtual directory has anonymous access disabled and Integrated Windows authentication enabled. The service account is on the same domain as the machine; I will call it svcE. I added svcE to the IIS_WPG group.

Now, the first issue is that when I select the application pool running as svcE for the virtual directory, call it appDir, and navigate to appDir, I get prompted for credentials; but if I use the Network Service account I do not, and I can verify that I am logged in as me.

What I want to do is have the service run under the account svcE because it has access to the database, without putting that info in the web.config file.

I have a web service with the config file

<authentication mode="Windows"/>

<bindings>
    <basicHttpBinding>
        <binding name="default">
            <security mode="TransportCredentialOnly">
                <transport clientCredentialType="Windows"/>
            </security>
        </binding>
    </basicHttpBinding>
</bindings>

<endpoint address="" binding="basicHttpBinding" bindingConfiguration="default" contract="<removed>">
    <identity>
        <dns value="localhost" />
    </identity>
</endpoint>

The web.config of the client using the service has

<bindings>
    <basicHttpBinding>
        <!-- Create one binding for all three services, to save space -->
        <binding name="BasicHttpBinding_PricingService" closeTimeout="00:01:00"
            openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
            allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
            maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
            messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
            useDefaultWebProxy="true">
            <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                maxBytesPerRead="4096" maxNameTableCharCount="16384" />
            <security mode="TransportCredentialOnly">
                <transport clientCredentialType="Windows" proxyCredentialType="Windows"
                    realm="" />
                <message clientCredentialType="UserName" algorithmSuite="Default" />
            </security>
        </binding>
    </basicHttpBinding>
</bindings>
<client>
    <endpoint address="<address>.svc"
        binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_PricingService"
        contract="<contract>" name="<name>" />
</client>

Ultimately what I am trying to achieve is:

Only Windows-authenticated people can call the service --> then the service uses a service account for all interaction with the database.

Note that if I skip the first part and enable anonymous access, then it works and calls the database fine.

Thank you for the help
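A service-side web.config that does what the question asks for, added here as an illustration and not taken from the question or either answer: Windows authentication at the transport (the IIS virtual directory must have anonymous access off and Integrated Windows authentication on to match the binding), ASP.NET impersonation explicitly off so operations run as the application pool account, and a connection string that uses integrated security so no password is stored anywhere in the file. The names Pricing, windowsOnly, noImpersonation, PricingService and IPricingService are assumed.

```xml
<!-- Added example, not the asker's actual web.config. Assumed names: Pricing,
     windowsOnly, noImpersonation, PricingService, IPricingService. -->
<configuration>
  <connectionStrings>
    <!-- Integrated Security=SSPI: SQL Server authenticates the worker process
         account (the app pool identity), so no password is stored here. -->
    <add name="Pricing"
         connectionString="Data Source=.;Initial Catalog=Pricing;Integrated Security=SSPI"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <authentication mode="Windows" />
    <!-- This <identity> is ASP.NET impersonation (false is the default). With
         true, requests run as the authenticated caller instead of svcE. It is a
         different element from the <identity><dns .../></identity> under an
         endpoint, which only tells clients what identity to expect. -->
    <identity impersonate="false" />
  </system.web>

  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- Caller must present a Windows identity; with TransportCredentialOnly
             the HTTP body itself is not encrypted, only the authentication is. -->
        <binding name="windowsOnly">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>

    <behaviors>
      <serviceBehaviors>
        <behavior name="noImpersonation">
          <!-- false (the default) keeps operations running as the process
               identity; operations can still read the caller's identity. -->
          <serviceAuthorization impersonateCallerForAllOperations="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>

    <services>
      <service name="PricingService" behaviorConfiguration="noImpersonation">
        <endpoint address=""
                  binding="basicHttpBinding"
                  bindingConfiguration="windowsOnly"
                  contract="IPricingService" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
```

One check worth making when the pool identity is a custom domain account and browsers start prompting where Network Service did not: Integrated Windows authentication negotiates Kerberos first, and the Kerberos ticket for the site is encrypted to whichever account owns the HTTP service principal name for that host name. Network Service uses the machine account, which already covers its own host name; a custom account does not until an SPN such as HTTP/hostname (and the FQDN form) is registered on it with setspn. If the SPN is missing, the worker process cannot decrypt the ticket, authentication fails, and the client falls back to prompting.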

A: 

It appears that your service is impersonating the user when the user connects with Windows authentication.

When you use anonymous authentication, there is no impersonation, therefore no problem.

When you use Windows authentication and a domain account, that account is not marked as being able to impersonate; maybe that is why you get the login prompt. Network Service has that right by default.

Try:

<authentication mode="Windows" impersonate="false"/>
Shiraz Bhaiji
That did not seem to work. I also tried <identity impersonate="false"/>
Mike
A: 

If you want to make the DB call as a particular account, you can impersonate that account for the span of the call:

using System.Security.Principal;
using (WindowsImpersonationContext context = new WindowsIdentity("account").Impersonate()) { db.MakeCall(); }
Adam Fyles
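The operation body that matches the question's goal, as an added example that is not code from the question or either answer (IPricingService, PricingService and the connection-string name Pricing are assumed): the caller's Windows identity is read from ServiceSecurityContext for an authorization check, while the SQL call runs as the worker process account because impersonation is disabled on the operation. This is the opposite of the answer above, which wraps the database call in an explicit impersonation of a named account. The WindowsIdentity(string) constructor used there performs an S4U logon; unless the process account holds the TCB privilege or is configured for constrained delegation with protocol transition, the resulting token may be identification-level only and will not authenticate to a remote SQL Server, which is why running as the pool identity and using integrated security is the simpler path.

```csharp
// Added example, not from the original question or answers. Assumed names:
// IPricingService, PricingService, connection string "Pricing".
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IPricingService
{
    [OperationContract]
    string WhoIsCalling();
}

public class PricingService : IPricingService
{
    // NotAllowed: even if a host turns on impersonateCallerForAllOperations,
    // this operation keeps running as the worker process account (svcE).
    [OperationBehavior(Impersonation = ImpersonationOption.NotAllowed)]
    public string WhoIsCalling()
    {
        // With <transport clientCredentialType="Windows"/> the caller's Windows
        // identity is available here regardless of impersonation.
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
        {
            // Anonymous callers never reach this point when IIS has anonymous
            // access off, but the check documents the requirement in code.
            throw new FaultException("Windows authentication is required.");
        }

        // Example authorization check on the caller; group name is assumed.
        var principal = new WindowsPrincipal(caller);
        if (!principal.IsInRole("PricingUsers"))
        {
            throw new FaultException("Caller is not authorized to use pricing.");
        }

        // The thread identity is still the process account, not the caller.
        string processAccount = WindowsIdentity.GetCurrent().Name;

        // Integrated Security=SSPI in the connection string means SQL Server sees
        // svcE, so no password is kept in web.config.
        string cs = ConfigurationManager.ConnectionStrings["Pricing"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
        {
            conn.Open();
            string dbLogin = (string)cmd.ExecuteScalar();
            return string.Format("caller={0}; process={1}; dbLogin={2}",
                                 caller.Name, processAccount, dbLogin);
        }
    }
}
```

Calling the operation from a Windows-authenticated client should report the client's account as caller and svcE as both process and dbLogin; if dbLogin comes back as the caller instead, impersonation is still on somewhere (ASP.NET `<identity impersonate="true"/>` or the service behavior), which is exactly the situation the first answer describes.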