I have a .Net 3.5 SP1 WCF service running under IIS 7 on a Windows 2008 machine. When I try to connect to this service from an IIS hosted WCF service running under IIS 5.0 (Windows XP) .Net 3.5 SP1, I get the following error:

The token provider cannot get tokens for target: http://(URL for WCF service)

I've built a simple console application that can successfully connect to the WCF service using the exact same configuration. I've also built a simple web application hosted under the WebDev server (ASP.Net server that comes with Visual Studio 2008) and it is able to successfully connect to the WCF service. When I configured a virtual directory within IIS (Windows XP) to point at the same directory as the WebDev server, I get the following error:

No credentials are available in the security package

But, if I set the web.config to turn impersonation on using my logon credentials, it works fine. This is not a good long term solution for obvious reasons. The one difference that I've noted between IIS and the WebDev servers is the user that each process is running under. IIS runs under the ASPNet account and WebDev runs under my account.

Here's the config for the WCF section on the client:

<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <behavior name="mexBehavior">
        <serviceMetadata httpGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="true" />
        <serviceThrottling maxConcurrentCalls="200" maxConcurrentSessions="200" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <bindings>
    <wsHttpBinding>
      <binding name="FABindings" maxReceivedMessageSize="2147483647">
        <readerQuotas maxStringContentLength="300000"/>
        <security mode="Message">
          <message clientCredentialType="Windows" negotiateServiceCredential="false" establishSecurityContext="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <endpoint address="http://&lt;server url>/FinancialAggregator/v3/Services/FAService.svc"
        binding="wsHttpBinding" bindingConfiguration="FABindings"
        contract="ServiceReference1.IFilteredService" name="FAServiceEndpoint">
      <identity>
        <!-- placeholder: the account the service's application pool runs under on the Windows 2008 box -->
        <servicePrincipalName value="&lt;UsernameRunningTheAppPoolOnW2k8>" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>

Here's the server config (as requested):

<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="wsHttpBinding" maxReceivedMessageSize="2147483647">
        <security mode="Message">
          <message establishSecurityContext="false" negotiateServiceCredential="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="mexBehavior">
        <serviceMetadata httpGetEnabled="true" httpsGetEnabled="false" />
        <serviceDebug includeExceptionDetailInFaults="true" />
        <serviceThrottling maxConcurrentCalls="200" maxConcurrentSessions="200" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service behaviorConfiguration="mexBehavior" name="FCSAmerica.Financial.Aggregator.Service.FilteredService">
      <endpoint name="FAServiceEndpoint" address="" binding="wsHttpBinding" bindingConfiguration="wsHttpBinding" contract="FCSAmerica.Financial.Aggregator.Service.IFilteredService">
      </endpoint>
    </service>
  </services>
</system.serviceModel>

Any thoughts on the cause of this error?

Thanks!

A: 

When you access the services via IIS, with impersonate = false, then it is the ASPnet account which is used to access the service on the Windows 2008 machine.

The ASPnet account is a local account and therefore does not have rights on the 2008 machine.

There are 3 ways you could solve this:

  • Allow anonymous access to the service on the Windows 2008 machine
  • Use impersonate = true (as you have)
  • Change the identity of the application pool from ASPNET to a domain account with the required access.
Shiraz Bhaiji
Thank you for your response! However, I'm still a little confused. When you say use impersonate = true (as you have), does this mean I shouldn't be getting this error? Also, to address your other points, allowing anonymous access is not acceptable in this environment, and I can't change the identity of the application pool because my development environment is Windows XP running IIS 5.1, which doesn't have application pools. Thanks again! Matt
Matt Ruwe
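The answer above turns on which Windows account the client-side worker process presents to the remote service. The following diagnostic is an added example (not code from the question, the answer, or the project) that can be dropped into the IIS-hosted client to report the process identity, the impersonated identity if any, and whether each is a machine-local account such as MACHINE\ASPNET that has no domain credentials to offer. The class and method names are assumptions.

```csharp
using System;
using System.Security.Principal;

// Added diagnostic, not part of the original question or answer.
// Call CallerIdentityCheck.Describe() from a test page or Application_BeginRequest
// in the client web application and compare the result between IIS and WebDev.
public static class CallerIdentityCheck
{
    public sealed class Result
    {
        public string ProcessIdentity;      // account held by the worker process token
        public string ThreadIdentity;       // account after ASP.NET impersonation, if enabled
        public bool IsImpersonating;        // true when web.config turned impersonation on
        public bool ProcessIsLocalAccount;  // MACHINE\name: cannot obtain tokens for a remote target
        public bool ThreadIsLocalAccount;
    }

    // A local account shows the machine name as its domain part (e.g. XPBOX\ASPNET).
    // NT AUTHORITY accounts (SYSTEM, NETWORK SERVICE) authenticate to the domain as the
    // computer account, so they are not treated as local here.
    public static bool IsLocalAccount(string accountName)
    {
        int slash = accountName.IndexOf('\\');
        if (slash < 0) return true;
        string domain = accountName.Substring(0, slash);
        return string.Equals(domain, Environment.MachineName, StringComparison.OrdinalIgnoreCase);
    }

    public static Result Inspect()
    {
        Result r = new Result();
        // GetCurrent(true) returns null unless the thread is currently impersonating.
        WindowsIdentity impersonated = WindowsIdentity.GetCurrent(true);
        r.IsImpersonating = impersonated != null;
        r.ThreadIdentity = WindowsIdentity.GetCurrent().Name;

        // Temporarily revert impersonation (token IntPtr.Zero) to read the process identity.
        using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            r.ProcessIdentity = WindowsIdentity.GetCurrent().Name;
        }
        r.ProcessIsLocalAccount = IsLocalAccount(r.ProcessIdentity);
        r.ThreadIsLocalAccount = IsLocalAccount(r.ThreadIdentity);
        return r;
    }

    public static string Describe()
    {
        Result r = Inspect();
        return string.Format("process={0} (local={1}); thread={2} (local={3}); impersonating={4}",
            r.ProcessIdentity, r.ProcessIsLocalAccount, r.ThreadIdentity, r.ThreadIsLocalAccount, r.IsImpersonating);
    }
}
```

If the process identity reports as local while the thread identity is your domain account only when impersonation is on, that matches the answer's explanation and points at the worker process account as the thing to change rather than the WCF binding.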