Here is my scenario for a problem I can't solve. I am hosting a 3.5 WCF
service in IIS on Windows Server 2003. The service works fine with the WCF
test client in Visual Studio 2008 and from an ASP.Net client hosted on my
development machine in VS2008. As soon as I deploy the ASP.net client to the
"Same" IIS server, I get Access Denied messages.
My goal is to use AD security groups so the authenticated user on the
ASP.net page should be in the group to access the service. I have validated
all of this is true.
Please Help. I have spent way too much time on this and just can't find the
problem.
Here are the relevant artifacts:
Error Message from IIS when attempting to make call to service
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information about
the error and where it originated in the code.
Exception Details:
System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.
Source Error:
Line 260:
Line 261: public HSMembersService.Member GetMember(string MemberId) {
Line 262: return base.Channel.GetMember(MemberId);
Line 263: }
Line 264:
Client Services portion of web.config
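<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="WSHttpBinding_IHSMembersService" closeTimeout="00:01:00"
               openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
               bypassProxyOnLocal="false" transactionFlow="false"
               hostNameComparisonMode="StrongWildcard"
               maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
               messageEncoding="Text"
               textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
        <readerQuotas maxDepth="32" maxStringContentLength="8192"
                      maxArrayLength="16384"
                      maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <reliableSession ordered="true" inactivityTimeout="00:10:00"
                         enabled="false" />
        <!-- Message-level security with Windows credentials. The <transport> element
             below is not consulted while mode="Message"; it only takes effect for
             Transport / TransportWithMessageCredential modes. -->
        <security mode="Message">
          <transport clientCredentialType="Windows" proxyCredentialType="None"
                     realm="" />
          <!-- NOTE(review): the Windows credential presented here is whatever identity
               the calling thread holds. In an IIS-hosted ASP.NET client that is the
               worker-process account unless impersonation/delegation is configured;
               confirm which account actually reaches the service, because the service's
               role demand is evaluated against that account. -->
          <message clientCredentialType="Windows"
                   negotiateServiceCredential="true"
                   algorithmSuite="Default" establishSecurityContext="true" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <endpoint
        address="http://HOSTNAMECHANGEDFORSECURITYPURPOSES/MembershipService/HSMembersService.svc"
        binding="wsHttpBinding"
        bindingConfiguration="WSHttpBinding_IHSMembersService"
        contract="HSMembersService.IHSMembersService"
        name="WSHttpBinding_IHSMembersService">
      <identity>
        <!-- SPN the client expects the service to authenticate as. It must match the
             account the service's application pool really runs under (the host/<name>
             form is what a machine account such as NETWORK SERVICE uses) - verify
             against the deployed pool identity. -->
        <servicePrincipalName value="host/HOSTNAMECHANGEDFORSECURITYPURPOSES" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>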
Relevant Service portion of web.config
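<system.serviceModel>
  <services>
    <service name="HSMembersService.HSMembersService"
             behaviorConfiguration="HSMembersService.HSMembersServiceBehavior">
      <!-- <host>
        <baseAddresses>
          <add baseAddress=
            "http://localhost:8731/Design_Time_Addresses/HSMembersService/HSMembersService/" />
        </baseAddresses>
      </host>-->
      <!-- Service Endpoints -->
      <!-- Unless fully qualified, address is relative to base address
           supplied above -->
      <endpoint address="" binding="wsHttpBinding"
                contract="HSMembersService.IHSMembersService"
                bindingConfiguration="wsHttpBindingConfig">
        <!--
          Upon deployment, the following identity element should be
          removed or replaced to reflect the
          identity under which the deployed service runs. If removed,
          WCF will infer an appropriate identity
          automatically.
        -->
        <!--<identity>
          <dns value="localhost"/>
        </identity>-->
      </endpoint>
      <!-- Metadata Endpoints -->
      <!-- The Metadata Exchange endpoint is used by the service to
           describe itself to clients. -->
      <!-- This endpoint does not use a secure binding and should be
           secured or removed before deployment -->
      <endpoint address="mex" binding="mexHttpBinding"
                contract="IMetadataExchange"/>
    </service>
  </services>
  <bindings>
    <wsHttpBinding>
      <binding name="wsHttpBindingConfig">
        <!-- Must agree with the client binding: Message security, Windows credentials. -->
        <security mode="Message">
          <message clientCredentialType="Windows" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="HSMembersService.HSMembersServiceBehavior">
        <!-- To avoid disclosing metadata information,
             set the value below to false and remove the metadata endpoint
             above before deployment -->
        <serviceMetadata httpGetEnabled="True"/>
        <!-- Role demands on the operations ([PrincipalPermission(..., Role=...)]) are
             evaluated against the Windows groups of the authenticated caller.
             NOTE(review): an IIS-hosted client that does not impersonate the page user
             presents its worker-process account instead, which is unlikely to be in the
             expected AD group - a plausible cause of the SecurityAccessDeniedException
             seen only after deploying the client to IIS. -->
        <serviceAuthorization principalPermissionMode="UseWindowsGroups"
        />
        <!-- To receive exception details in faults for debugging purposes,
             set the value below to true. Set to false before deployment
             to avoid disclosing exception information.
             Currently True: full exception details are returned to callers. -->
        <serviceDebug includeExceptionDetailInFaults="True" /><!-- Change
             this before deployment -->
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>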
Here is a snippet from the class implementation of the service operation
with the AD role adornment:
[PrincipalPermission(SecurityAction.Demand, Role="IVRClientService")]
public Member GetMember(string MemberId)
{
...
}
service in IIS on Windows Server 2003. The service works fine with the WCF
test client in Visual Studio 2008 and from an ASP.Net client hosted on my
development machine in VS2008. As soon as I deploy the ASP.net client to the
"Same" IIS server, I get Access Denied messages.
My goal is to use AD security groups so the authenticated user on the
ASP.net page should be in the group to access the service. I have validated
all of this is true.
Please Help. I have spent way too much time on this and just can't find the
problem.
Here are the relevant artifacts:
Error Message from IIS when attempting to make call to service
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information about
the error and where it originated in the code.
Exception Details:
System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.
Source Error:
Line 260:
Line 261: public HSMembersService.Member GetMember(string MemberId) {
Line 262: return base.Channel.GetMember(MemberId);
Line 263: }
Line 264:
Client Services portion of web.config
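<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="WSHttpBinding_IHSMembersService" closeTimeout="00:01:00"
               openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
               bypassProxyOnLocal="false" transactionFlow="false"
               hostNameComparisonMode="StrongWildcard"
               maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
               messageEncoding="Text"
               textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
        <readerQuotas maxDepth="32" maxStringContentLength="8192"
                      maxArrayLength="16384"
                      maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <reliableSession ordered="true" inactivityTimeout="00:10:00"
                         enabled="false" />
        <!-- Message-level security with Windows credentials. The <transport> element
             below is not consulted while mode="Message"; it only takes effect for
             Transport / TransportWithMessageCredential modes. -->
        <security mode="Message">
          <transport clientCredentialType="Windows" proxyCredentialType="None"
                     realm="" />
          <!-- NOTE(review): the Windows credential presented here is whatever identity
               the calling thread holds. In an IIS-hosted ASP.NET client that is the
               worker-process account unless impersonation/delegation is configured;
               confirm which account actually reaches the service, because the service's
               role demand is evaluated against that account. -->
          <message clientCredentialType="Windows"
                   negotiateServiceCredential="true"
                   algorithmSuite="Default" establishSecurityContext="true" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <endpoint
        address="http://HOSTNAMECHANGEDFORSECURITYPURPOSES/MembershipService/HSMembersService.svc"
        binding="wsHttpBinding"
        bindingConfiguration="WSHttpBinding_IHSMembersService"
        contract="HSMembersService.IHSMembersService"
        name="WSHttpBinding_IHSMembersService">
      <identity>
        <!-- SPN the client expects the service to authenticate as. It must match the
             account the service's application pool really runs under (the host/<name>
             form is what a machine account such as NETWORK SERVICE uses) - verify
             against the deployed pool identity. -->
        <servicePrincipalName value="host/HOSTNAMECHANGEDFORSECURITYPURPOSES" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>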
Relevant Service portion of web.config
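<system.serviceModel>
  <services>
    <service name="HSMembersService.HSMembersService"
             behaviorConfiguration="HSMembersService.HSMembersServiceBehavior">
      <!-- <host>
        <baseAddresses>
          <add baseAddress=
            "http://localhost:8731/Design_Time_Addresses/HSMembersService/HSMembersService/" />
        </baseAddresses>
      </host>-->
      <!-- Service Endpoints -->
      <!-- Unless fully qualified, address is relative to base address
           supplied above -->
      <endpoint address="" binding="wsHttpBinding"
                contract="HSMembersService.IHSMembersService"
                bindingConfiguration="wsHttpBindingConfig">
        <!--
          Upon deployment, the following identity element should be
          removed or replaced to reflect the
          identity under which the deployed service runs. If removed,
          WCF will infer an appropriate identity
          automatically.
        -->
        <!--<identity>
          <dns value="localhost"/>
        </identity>-->
      </endpoint>
      <!-- Metadata Endpoints -->
      <!-- The Metadata Exchange endpoint is used by the service to
           describe itself to clients. -->
      <!-- This endpoint does not use a secure binding and should be
           secured or removed before deployment -->
      <endpoint address="mex" binding="mexHttpBinding"
                contract="IMetadataExchange"/>
    </service>
  </services>
  <bindings>
    <wsHttpBinding>
      <binding name="wsHttpBindingConfig">
        <!-- Must agree with the client binding: Message security, Windows credentials. -->
        <security mode="Message">
          <message clientCredentialType="Windows" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="HSMembersService.HSMembersServiceBehavior">
        <!-- To avoid disclosing metadata information,
             set the value below to false and remove the metadata endpoint
             above before deployment -->
        <serviceMetadata httpGetEnabled="True"/>
        <!-- Role demands on the operations ([PrincipalPermission(..., Role=...)]) are
             evaluated against the Windows groups of the authenticated caller.
             NOTE(review): an IIS-hosted client that does not impersonate the page user
             presents its worker-process account instead, which is unlikely to be in the
             expected AD group - a plausible cause of the SecurityAccessDeniedException
             seen only after deploying the client to IIS. -->
        <serviceAuthorization principalPermissionMode="UseWindowsGroups"
        />
        <!-- To receive exception details in faults for debugging purposes,
             set the value below to true. Set to false before deployment
             to avoid disclosing exception information.
             Currently True: full exception details are returned to callers. -->
        <serviceDebug includeExceptionDetailInFaults="True" /><!-- Change
             this before deployment -->
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>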
Here is a snippet from the class implementation of the service operation
with the AD role adornment:
[PrincipalPermission(SecurityAction.Demand, Role="IVRClientService")]
public Member GetMember(string MemberId)
{
...
}