I have set up a WCF service on a server which lives in its own Workgroup. I've tried to make a TCP/IP connection to it from a client that lives on the corporate domain. When I try to open a connection, I get a SecurityNegotiationException with the message:

"A remote side security requirement was not fulfilled during authentication. Try increasing the ProtectionLevel and/or ImpersonationLevel." The inner exception reads: "The network logon failed"

After speaking with some coworkers about the issues and performing some Google research, I came to the conclusion that the issue is that the client is attempting to log on to the server using my corporate network login and password. Since the server is not part of the corporate network, it has no knowledge of my corporate identity and then rejects the login / connection attempt. Whether this analysis is correct or not, I have no idea.

Google results seem to suggest that perhaps the solution is that I need to impersonate a user account that exists on the server machine. I have also stumbled across this CodeProject article which demonstrates user impersonation: http://www.codeproject.com/KB/dotnet/UserImpersonationInNET.aspx?display=Print

Since the only account on the server is Administrator with no password, I tried domain as the computer's IP address as "10.0.0.11", username as "Administrator", and password as "". Unfortunately, it fails with the message:

"Logon failure: unknown user name or bad password"

Another hint to the problem: When the client and server are both machines on the corporate network, there are no connection problems at all.

How can I resolve the error and complete the connection to the server? Even though it is not a best practice, I am completely okay with removing any security so I can keep this project moving forward.

+1  A: 

I know of no way to have a workgroup trust a domain, which means you have a couple of choices, as I see it:

  1. Add another endpoint in your WCF service that uses HTTP (a web service endpoint) and use this from the domain. This gets around the security problem, as you can impersonate here, or even set up a specific user that can access goodies in your workgroup server.

  2. Whack down security in the WCF service. I would have to think about how to do this, but it is not a good idea anyway.

  3. Create a domain and get a trust relationship.

The CodeProject article you mentioned is not dealing with impersonation in a way that is directly useful to WCF, as the authentication happens before you can even hit this code. I imagine you can whack at the framework bits to do it, but that would be nasty. There might be a way to use the code in an HTTP endpoint, but that can already be done without incurring the overhead of adding code that circumvents Windows security.

Gregory A Beamer
Or maybe one could provide a certificate from the workgroup to the WCF service in the domain to perform authentication?
marc_s
Some really excellent suggestions. I am fine with whacking down/disabling security; this is a completely internal network and although it's not a best practice, I want to get this park working asap. How can I disable security so that I can accomplish this?
MedicineMan
+1  A: 

Until you grasp the details, the best way to learn is to disable security. You have to create a new binding configuration at the server side with security mode set to "None". Name it "NoSecurity" for convenience. This configuration must have the same type (wsHttpBinding, etc.) you use at your endpoint. Then set the bindingConfiguration property of your endpoint to "NoSecurity".

Update your client configuration and you are set to go.

orca
I used the MSDN forum question: "How to disable WCF security" http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/271b1816-173c-4c76-a4c4-fd9fda4b5e91/ Note the following: in the example "Binding1" is referenced by the "MyService" service.
MedicineMan
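
The "NoSecurity" binding configuration described in the answer above, written out as an added example (it is not from the original posts). It assumes netTcpBinding because the question uses a TCP connection; the service name, contract name and port 8000 are placeholders, and 10.0.0.11 is the server address given in the question.

```xml
<!-- Server: App.config of the WCF host on the workgroup machine (10.0.0.11).
     Example names: MyNamespace.MyService / MyNamespace.IMyService are placeholders. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <!-- mode="None" turns off client authentication AND message protection:
             no Windows logon is negotiated, and traffic is neither encrypted nor signed.
             The netTcpBinding default is mode="Transport" with Windows credentials,
             which is what produces "The network logon failed" across the
             workgroup/domain boundary. -->
        <binding name="NoSecurity">
          <security mode="None" />
        </binding>
      </netTcpBinding>
    </bindings>
    <services>
      <service name="MyNamespace.MyService">
        <endpoint address="net.tcp://10.0.0.11:8000/MyService"
                  binding="netTcpBinding"
                  bindingConfiguration="NoSecurity"
                  contract="MyNamespace.IMyService" />
      </service>
    </services>
  </system.serviceModel>
</configuration>

<!-- Client: App.config on the domain machine. The binding type and the security
     mode must match the server's, otherwise the channel fails to open. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <binding name="NoSecurity">
          <security mode="None" />
        </binding>
      </netTcpBinding>
    </bindings>
    <client>
      <endpoint name="MyServiceTcp"
                address="net.tcp://10.0.0.11:8000/MyService"
                binding="netTcpBinding"
                bindingConfiguration="NoSecurity"
                contract="MyNamespace.IMyService" />
    </client>
  </system.serviceModel>
</configuration>
```

With this binding any host that can reach the port can call the service, so reachability of 10.0.0.11:8000 becomes the only access control; a host firewall rule limited to the known client addresses narrows that.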