I'm trying to get a WCF service set up on our server using Windows authentication and IIS 7. When calling the service I get the following error message.

Cannot open database "TestDB" requested by the login. The login failed. Login failed for user 'NT AUTHORITY\NETWORK SERVICE'.

Here is my config file for the WCF service.

<?xml version="1.0"?>

<!--
  For more information on how to configure your ASP.NET application, please visit
  http://go.microsoft.com/fwlink/?LinkId=169433
  -->

<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
    <customErrors mode="Off"/>
    <authentication mode="Windows"/>
  </system.web>

  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="binBulletin">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service behaviorConfiguration="BulletinBoardService.BulletinBehavior"
               name="BulletinBoardService.BulletinService">
        <endpoint address="" binding="basicHttpBinding" bindingConfiguration="binBulletin"
                  name="epBulletin_Basic" contract="BulletinBoardService.IBulletinService">
          <identity>
            <dns value="localhost" />
          </identity>
        </endpoint>
        <endpoint address="mex" binding="basicHttpBinding" bindingConfiguration="binBulletin"
                  name="epBulletin_Mex" contract="IMetadataExchange" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="BulletinBoardService.BulletinBehavior">
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceAuthorization impersonateCallerForAllOperations="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
  </system.serviceModel>
  <system.webServer>
    <security>
      <authentication>
        <windowsAuthentication enabled="true"/>
      </authentication>
    </security>
  </system.webServer>
</configuration>

Any tips would be appreciated.

A: 

You should grant access permission in SQL Server to the NT AUTHORITY\NETWORK SERVICE account if you use a local SQL Server, or to DomainName\AspNetServer$ (where AspNetServer is the name of the server where IIS7 is running). For details see, for example, the last section of http://msdn.microsoft.com/en-us/library/ff647402.aspx.

UPDATED: First of all, you should not forget to configure the virtual directory in IIS to switch on "Windows Authentication" and switch off "Anonymous Authentication".

I am not sure that basicHttpBinding is the best choice for you. You wrote almost nothing about your WCF service, so it is hard for me to recommend a way. Look at http://msdn.microsoft.com/en-us/library/ms734769.aspx, for example, to see which ways you can choose.

To access a local DB you can use user impersonation. It can be implemented either generally per WCF call, or you can do temporary impersonation before accessing the DB (see http://www.danrigsby.com/blog/index.php/2008/04/17/impersonate-a-clients-identity-in-wcf/ for example for details).

The main problem is that there is no best way to access a database from a service. If you choose impersonation, for example, it can look nice because inside the database one sees from which user the request came. But in a lot of real situations the usage of impersonation does not really solve the problem, but only forwards it. Who should administer permissions inside the database? With which tool should one grant permissions to users? Who does user administration in your corporation? Does one only do user administration inside Active Directory, or does one also administer SQL Server databases? So because of the existing processes in your corporation, user impersonation could be not the best choice.

There are a lot of different scenarios to access a DB from WCF. For example, in the last project which I implemented I wrote a WCF service which has a lot of methods. Inside every method, directly at the beginning of the method, I used the Microsoft Authorization Manager API to verify whether the user has permission for the corresponding operation or not. One used the Authorization Manager snap-in to grant permission to a user by assigning them to some application role. And for accessing the database I used one user account (like NT AUTHORITY\NETWORK SERVICE in your case). Nevertheless the solution was secure, and one had a tool for user administration which corresponds to the business requirements.

I have too little information about your environment and business requirements to give you one recommendation. I only want to explain that you probably need to make a security concept for your solution based on the different possibilities which you have.

Oleg
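The answer above lays out three ways a WCF operation can reach the database: impersonating the caller for the whole call, impersonating only around the DB access, or running everything as the service account and doing the authorization check at the top of each method. The following C# service shows all three side by side. It is an added example and not the asker's BulletinService or the answerer's project code; it assumes the asker's binding (TransportCredentialOnly with Windows client credentials, so that ServiceSecurityContext.Current.WindowsIdentity is the caller's token), a local TestDB, a hypothetical dbo.Bulletins table, and a hypothetical IsAllowed helper standing in for the Authorization Manager check the answer describes.

```csharp
using System.Data.SqlClient;
using System.Security.Principal;
using System.ServiceModel;

// Added example; not the asker's BulletinService. The contract names below are
// assumptions chosen so that each option can be called and compared.
[ServiceContract]
public interface IBulletinService
{
    [OperationContract] string WhoAmIInDatabase();
    [OperationContract] int CountBulletins();
    [OperationContract] string WhoAmIWithScopedImpersonation();
}

public class BulletinService : IBulletinService
{
    // Hypothetical connection string (assumption). With Integrated Security,
    // SQL Server authenticates whichever Windows token the calling thread
    // holds at the moment the connection is opened.
    private const string ConnectionString =
        "Data Source=.;Initial Catalog=TestDB;Integrated Security=SSPI";

    // Option 1: impersonate the caller for the whole operation. The WCF runtime
    // switches the thread to the caller's identity before this method runs, so
    // SQL Server sees DOMAIN\caller instead of NT AUTHORITY\NETWORK SERVICE.
    // Every caller therefore needs a server login and a user in TestDB.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoAmIInDatabase()
    {
        return ServerSideLogin();
    }

    // Option 2: no impersonation. The query runs as the process account and the
    // service enforces authorization itself before touching the database, so
    // only the service account needs a database login.
    public int CountBulletins()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        if (!IsAllowed(caller, "ReadBulletins"))
            throw new FaultException("Access denied."); // no internal detail leaks to the client

        using (var conn = new SqlConnection(ConnectionString))
        {
            conn.Open();
            using (var cmd = new SqlCommand("SELECT COUNT(*) FROM dbo.Bulletins", conn))
                return (int)cmd.ExecuteScalar();
        }
    }

    // Option 3: temporary impersonation around only the database call, inside
    // an operation that otherwise runs as the service account. Disposing the
    // impersonation context reverts the thread even if the query throws.
    public string WhoAmIWithScopedImpersonation()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        using (caller.Impersonate())
        {
            return ServerSideLogin();
        }
    }

    // Asks SQL Server which login it actually authenticated; handy for
    // verifying which of the three options is in effect on a given call.
    private static string ServerSideLogin()
    {
        using (var conn = new SqlConnection(ConnectionString))
        {
            conn.Open();
            using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
                return (string)cmd.ExecuteScalar();
        }
    }

    // Hypothetical authorization check (assumption). The answer used the
    // Authorization Manager (AzMan) API at this point; to keep the example
    // self-contained, operation names are mapped to Windows groups instead.
    private static bool IsAllowed(WindowsIdentity caller, string operation)
    {
        var principal = new WindowsPrincipal(caller);
        switch (operation)
        {
            case "ReadBulletins":
                return principal.IsInRole(@"BUILTIN\Users");
            default:
                return false;
        }
    }
}
```

Calling WhoAmIInDatabase and WhoAmIWithScopedImpersonation from a client returns the caller's account name, while the query inside CountBulletins runs as NT AUTHORITY\NETWORK SERVICE; comparing the three against the SQL Server login list is the quickest way to see which identity the "Login failed" message refers to. Two caveats that follow from the answer: ImpersonationOption.Required faults at runtime if the binding does not deliver a Windows identity, and options 1 and 3 only reach a database on another machine if the caller's token can be delegated, which is why the asker's local DB matters.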
I don't think (this is an assumption) that it won't work for this guy; I think he wants the service to log onto the database under the user's account. Otherwise, this solution is the easiest to implement.
Will
Yes, I want the user account to be passed to the database and not NT Authority\Network Service.
Jeff
@Will: We have here a really standard situation: a WCF service running under a standard application pool under the `NT AUTHORITY\NETWORK SERVICE` account. The service tries to access the TestDB database. Everything is standard. So one needs only to grant permission in the DB. We have no information about the DB and about the security environment. First of all the service must run. If we know more about the environment, then one can give more advice to make the solution more secure.
Oleg
@Jeff: I didn't see your answer before. Do you use a local DB or one on a remote computer? Do you have an intranet or an internet environment?
Oleg
We're using a local DB in an intranet environment.
Jeff