Windows authentication in WCF & IIS to access a database

Question

Hi there,

I've got a WCF service I want to use to access a SQL db (via Linq2SQL at the moment), but the trusted security in a live IIS environment doesn't seem to use the right credentials - I've tried to follow the related posts here, but can't seem to quite get it. I'd be really grateful if someone could spot my mistake ...

in the Endpoint config, I've set it up to use BasicHttpBinding, with the following configuration

<basicHttpBinding> <binding name="authHttpBinding"> <security mode="TransportCredentialOnly"> <transport clientCredentialType="Windows"/> </security> </binding> </basicHttpBinding>

I've set the system.web settings to:

`<authentication mode="Windows" />
    <identity impersonate="true" />`

on the IIS server, I've added a new AppPool, set the Identity to ApplicationPoolIdentity and ManagedPipeLine to Integrated. On the actual web application, set to my new AppPool, I've set Windows Authentication to "Enabled", and tried ASP.Net Impersonation on both enabled and disabled

When I try calling the WCF service, it runs, but when it makes an actual call to a stored proc via Linq2SQL (to a database on a remote server using Trusted Security), I get the following error: Login failed for user 'domain\ machinename$' - the machine name with a dollar sign at the end

which looks to me a lot like I've failed to delegate the correct identity (I can access the actual database fine through Management Studio.

Grateful for any suggestions ...

thanks

Toby

Answer 1

Hi Toby,

Accessing your db shouldn't have anything to do with your WCF security settings. I would remove security settings from your binding config and also the impersonation setting in the system.web. You shouldn't need either of these.

Check your connection string settings in your config and make sure that if you are using Windows integrated security to access your db that you have the correct permissions on your database. IIS will attempt to connect to your database using the identity configured in the apppool so you need to make sure that account has access. If you have a named user, then make sure your credentials are set correctly. ConnectionStrings.com has various examples of how to set this correctly.

HTH.

Steve

Answer 2

Hi Toby,

yes it is possible. In this case, you need to make sure your security setting is set to Windows (which is the default) and make sure your services are primed for impersonation. You can do this programmatically or declaratively.

You need to instruct WCF to allow impersonation for the service/method you want by setting the appropriate ImpersonationOption attribute to either required or allowed.

[OperationBehavior(Impersonation=ImpersonationOption.Allowed)]

Because you are accessing resources across the network, you need top make sure the impersonation level is set to delegate, not impersonate, unless the resources you're accessing are local. This is set at the client endpoint behaviour level.

 <clientCredentials>
        <windows allowedImpersonationLevel="[Impersonation or Delegate]"/>
 </clientCredentials>

Hope this helps.

Steve