WCF service running under domain account - c#

I have one WCF service (self-hosted) running under the network service account. The service client successfully uses all methods hosted by the service. When I change the service credentials from the network service account to a domain user account, the service client is not able to contact the service (the timeout expires and an exception is thrown).
Can anyone help me properly configure service/client/domain account?
Thanks.

Are you sure the service actually started while running under your domain account? If you're not sure (I wouldn't be), try navigating to the service URL with a browser by putting the URL into the address bar and hitting enter. If the service is running, it should (if you have mex enabled) show you the WSDL page for the service.
One problem could be that your domain account does not have admin rights (isn't part of the administrators group) on the server where the web service is running. If that's the case, the WCF service won't start under that user account since starting a WCF service reserves a port on the machine, a task that only administrators can do.

Related

Unable to access SQL Server from WCF service (Windows authenticated) from client (console application) in C#

I'm using
WCF service (Windows authenticated and impersonation)
SQL Server (Windows authentication)
Console application (client)
All are in the same domain.
I'm consuming a Windows authenticated WCF service from a console application as the client. However, when I try to access SQL Server from the console application using the WCF service, I get an error:
Exception In Account Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
My scenario is: my WCF service and SQL Server are on one system (System A) and my console application (my client) is on another system (System B).
When my client from System B sends a request, it hits my service successfully, but when the service tries to access SQL Server
WCF service(Windows Authenticated and Impersonation)
Sql server(Windows Authentication)
Console Application(Client)
This scenario requires Kerberos constrained delegation. You cannot do this, you must enlist the help of a domain administrator to set it up for you. Read and follow How to Implement Kerberos Constrained Delegation with SQL Server.
Note that impersonation and delegation will flow the credentials of the original client (the console app) to the back end database, which means that you will need to grant SQL access to the actual users of your service, not to the WCF service account.
I think your connection to the WCF service has no problem, but SQL Server's own security system perceives the client as a user beyond the security barrier (like a firewall) because the client is really from outside, not the administrator of the machine.
Why don't you apply the common idea of SQL authentication mode and asymmetric encryption of the Web.Config of WCF?
If you have to face situations where clients connect to the server from outside, encryption (security) is strongly recommended.
I have a desktop application (WPF) on the client side and a WCF service on a cloud service connecting to a cloud SQL Server.

How to Check who is calling the WCF Windows service

I have created a WCF service that is hosted using a Windows service.
The Windows service is running under LocalSystem under services.msc.
I only want to accept requests from my ASP.NET UI users who are part of the domain's user group.
Eventually we will have multiple UIs and I want to not write security checks code in the UI.
How do I check who is making the call so I could do something like:
if (incomingUserGroup != "GroupRequired")
{
    // Reject callers that are not in the required group
    throw new NotAllowedException();
}
You can inspect the security credentials of the calling user through the OperationContext. This will be subject to your having made the service available on an endpoint using a secured binding such as netTcpBinding or WSHttpBinding.
OperationContext.Current.ServiceSecurityContext.WindowsIdentity.Groups
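One way to put this check inside the service, so no UI has to repeat it (an added example, not code from the original answer). The contract, the group name `EXAMPLE\ReportUsers` and the endpoint address are assumptions made for illustration; it targets .NET Framework WCF and uses `WindowsPrincipal.IsInRole` rather than walking the `Groups` collection by hand.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IReportService
{
    [OperationContract]
    string GetReport();
}

public class ReportService : IReportService
{
    // Assumption: placeholder group name, not from the original post.
    private const string RequiredGroup = @"EXAMPLE\ReportUsers";
    public string GetReport()
    {
        EnsureCallerInGroup(RequiredGroup);
        return "report data";
    }

    private static void EnsureCallerInGroup(string group)
    {
        // Current is null when the binding carries no security context.
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        WindowsIdentity caller = ctx == null ? null : ctx.WindowsIdentity;
        // Fail closed: unsecured or anonymous calls never pass the check.
        if (caller == null || !caller.IsAuthenticated || caller.IsAnonymous)
            throw new SecurityAccessDeniedException("Access denied.");
        // IsInRole tests the caller's token groups; no name comparison needed.
        if (!new WindowsPrincipal(caller).IsInRole(group))
            throw new SecurityAccessDeniedException("Access denied.");
    }
}

public static class Program
{
    public static void Main()
    {
        // NetTcpBinding defaults to Transport security with Windows credentials.
        var host = new ServiceHost(typeof(ReportService));
        host.AddServiceEndpoint(typeof(IReportService), new NetTcpBinding(),
            "net.tcp://localhost:9000/report"); // constructed address
        host.Open();
        Console.ReadLine();
        host.Close();
    }
}
```

The same denial message is returned for unauthenticated and unauthorized callers, so the response does not reveal which check failed.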

WCF security: looking for a very specific example

I'm having a problem where I want to get the user's Windows login information sent to IIS, then from there sent to a WCF service hosted in a console application, and then that service uses the credentials to go to a database and retrieve results.
I'm looking for an example on the web that does EXACTLY this but for the life of me can't find one. I can find a million examples that
1. Give general information about WCF, Windows Authentication, Delegation, impersonation etc.
2. Use the credentials to go to a WCF service hosted in IIS and then to the database
3. Use the credentials to go straight to a WCF service and then to the database
But I can't find an example going first to a regular webpage in IIS, then to a WCF service hosted in a console app and then to the database.
Can anyone find this specific scenario?
Can you get the current user under IIS? Write a Login method in WCF and pass that data to the WCF service, use sessions, and require that Login be called first; after all that, close the session.

WCF security, changing the WindowsIdentity from inside a service

I have a client app that calls a WCF service on a different server.
In the service I print out the following:
1. ServiceSecurityContext.Current.WindowsIdentity.Name;
2. WindowsIdentity.GetCurrent().Name;
1 above gives me my Windows login and 2 gives me the Windows login that the server is logged in as.
How can I change 2 so that it gives me my Windows login (not the login of the server)? Is there a way to force it?
I want to do this because in the WCF service I need to call another service with my original Windows login credentials.
Check out these links about impersonating the caller's identity in a WCF service - that'll be what you have to do, basically:
WCF security guidance - How To Impersonate the original caller
Delegation and Impersonation with WCF
Setting up WCF to Impersonate Client credentials
Caller impersonation for WCF services
Marc
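What impersonating the caller looks like for the two values printed in the question (an added example, not taken from the linked articles or the original posts). The contract `IWhoAmI`, its method names and the client helper are assumptions; it targets .NET Framework WCF.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IWhoAmI
{
    [OperationContract] string Declarative();
    [OperationContract] string Scoped();
}

public class WhoAmIService : IWhoAmI
{
    // WCF impersonates the caller for the whole operation; this needs a
    // binding that supplies a Windows identity (e.g. NetTcpBinding).
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string Declarative()
    {
        return WindowsIdentity.GetCurrent().Name; // the caller's login
    }

    // Impersonate only around the code that must run as the caller.
    public string Scoped()
    {
        string before = WindowsIdentity.GetCurrent().Name; // service account
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        using (caller.Impersonate())
        {
            // Inside the block both values from the question agree.
            string during = WindowsIdentity.GetCurrent().Name;
            return before + " -> " + during;
        } // Dispose reverts the thread to the service account
    }
}

public static class Client
{
    // 'address' is a hypothetical endpoint such as net.tcp://server:9000/whoami
    public static string Call(string address)
    {
        var factory = new ChannelFactory<IWhoAmI>(
            new NetTcpBinding(), new EndpointAddress(address));
        // The client decides how far its token may be used. Impersonation lets
        // the service act as the caller on the service machine only; calling a
        // further service as the caller needs Delegation plus Kerberos
        // delegation configured for the service account.
        factory.Credentials.Windows.AllowedImpersonationLevel =
            TokenImpersonationLevel.Impersonation;
        string result = factory.CreateChannel().Scoped();
        factory.Close();
        return result;
    }
}
```

Keeping the impersonated scope as small as possible limits how much service code runs with the caller's rights.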

Calling a web service from a windows service

I'm sure there's an elegant solution to the problem but I just can't get my head around it. I am trying to call a web service from within a Windows service. The web service is secured (using Windows authentication). The account that the windows service runs under does have the rights to call the web service but I can't figure out how to get those credentials and send them off to the web service. The web service is WCF and is hosted on the same machine (in IIS) as the windows service.
You should be able to use something like this:
var myService = new myThing.Service();
myService.Credentials = System.Net.CredentialCache.DefaultCredentials;
Have you tried enabling integrated authentication (NTLM) for IIS? In my view that should allow you to call the web service if the Windows service user account has rights to invoke the service. You need not explicitly extract credentials.
