I have an asp.net mvc 2 web application that connects to a WCF web service hosted in IIS. This is in an intranet environment using windows authentication. I need to authenticate the user connecting to the web application inside inside of my WCF service, but the WCF cannot see who connected to the web app.
This can't be a new problem, so how have some of you solved this issue?
Is a shared session an option?
WCF offers an attribute (AspNetCompatibilityRequirements) that (presumably among other things) makes the session state ASP.net compatible. This in turn allows you to use out-of-process session state management that can be shared between applications.
You can enable this using
[AspNetCompatibilityRequirements(RequirementsMode=AspNetCompatibilityRequirementsMode.Allowed]
And then in your configuration
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
...
</system.serviceModel>
If you go the SQL Server route, I wrote this a while back. It is sharing between asp.net and an asmx service, but on the SQL Server side I imagine things are the same. Basically you need to make SQL Server recognize both parts of the system as the same application.
WCF also uses the same membership providers as ASP.net, so you might be able to get something going that way.
If you are using Windows Authentication, one option may be to use delegation to pass the caller's identity from the web app to the WCF service.
Take a look at some of the intranet application scenarios on the below link:
The following intranet scenarios are presented with security configuration guides and checklists that you might find useful:
Chapter 9 - Intranet - Web to Remote WCF Using Transport Security (Original Caller, TCP)
Chapter 10 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
Chapter 11 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
Chapter 12 - Intranet – Windows Forms to Remote WCF Using Transport Security (Original Caller, TCP)