I have a basic WCF service using basicHttpBinding. I have my site project and my services project. In my site project, I have a regular Services Reference to a service in my services project. In my development environment, it works fine. However, in our staging environment, we have enabled impersonation on the services application. This service connects to a SQL database using this user, of course.
The issue is, while the other ASMX services seem to impersonate just fine with the user defined in the web.config, the WCF service is still running as the site's user, causing SQL authentication to fail.
Are there extra steps to enable impersonation for my WCF service? I have not done anything special beside adding:
service.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Delegation;
After I initialize my service proxy from my website. Thoughts? Thanks.
If you mean ASP.NET impersonation account configured in web.config it doesn't work with WCF unless you turn on AspNetCompatibility. WCF doesn't offer any such configuration.
Related
I have recently encrypted our .NET web config files for our ASPX web applications using RSA encryption.
It works fine for our web applications.
However, its not working in our WCF Services, the calling apps get a server error, looking through the stacktrace I think its related to the RSA key not being able to be opened.
We allowed access to the key on the servers to IIS_IUSRS and NT AUTHORITY\NETWORK SERVICE.
We have a web app, and a WCF service both under the same app pools, the web app seems fine, the WCF service seems to throw an error.
Does anyone know if additional users/app pools need access to the key - specially when running as a WCF service? I have been told individual app pools do not need access and the IIS_IUSERS access should be enough when these components are running in IIS.
Any thoughts/help much appreciated.
I have created a web service using ASP .Net. My web service contains a web config file, which stores security information of our Microsoft Dynamics Axapta AOS server, username and password for Axapta authentication.
My web service calls a Dynamics Axapta web service and exchanges some data. I have deployed my ASP .Net web service to IIS 7.0 which is located in DMZ zone. Now i have to give web service address to a payment service. This payment service should only know the web service address and the methods of this web service. This is my first time, i am developing such a service stored in IIS:
My question is:
How i need to configure IIS? (Authentication)
Which security tips i need to follow?
What should i do, to make my web config file to be secure?
How i need to allow this payment service to my local server?
Any suggestions and explanation will be huge help to me, because i am newbie to this topic.
Thanks a lot, sincerely, Ilkin.
Your IIS Application Pool should run as custom account identity (like domain\svc-ax-payment-user). Then add this Active Directory user to AX users and grant / add it to role with access to required roles. In this scenario password is saved securely in IIS.
Another option is to encrypt password with machine key (eg. your IIS server is not trusted in AX domain).
aspnet_regiis.exe -pef "appSettings" C:\web_app_dir
Run this command as administrator.
Check How To: Encrypt Configuration Sections for more information.
You can also create your own Machine Key for your application. In this case your web.config is portable and not bound to one specific server.
I have various bits of functionality implemented in WCF web services which are currently consumed by an Excel client via a local COM-visible library. I wish to implement some of the front-end functionality in a web client. I set up my client proxy using
dataChannel.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;
ASP.NET impersonation is turned on as is windows authentication (no anonymous). When web services and web site are hosted on the same server there are no issues and the desktop user's credentials are passed from browser to web site to WCF perfectly. However, when web site and web services are hosted on different boxes (same domain, intranet only) I get 401 authentication errors. What am I doing wrong?
It sounds like you are suffering from the kerberos "double hop" problem. By default windows does not pass the kerberos authentication token onto another server so if you have user accesses webserver A and authenticates, webserver A accesses service on webserver B. WEbserver A does not pass the auithentication through to webserver B so you get a 401. I think this article should help you enable kerberos delegation between the web site server and the web service server
I'm having a problem where i want to get the users windows login information sent to IIS then from there sent to a WCF service hosted in a console application and then that service uses the credentials to go to a database and retrieve results.
i'm looking for an example on the web that does EXACTLY this but for the life of me can't find one. I can find a million example that
1. Give general information about WCF, Windows Authentication, Delegation, impersonation etc..
1. Uses the credential to go to a WCF service hosted in IIS and then to the database
2. Uses the credentials to go straight to a WCF service and then to the database
But I can’t an example going first to a regular webpage in IIS, then to a WCF service hosted in a console app and then to the database
Can anyone find this specific scenario?
Can you get current user under IIS? write Login method in WCF and pass that data to WCF service, use sessions, and require that Login should be called first, after all close the session
I'm sure there's an elegant solution to the problem but I just can't get my head around it. I am trying to call a web service from within a Windows service. The web service is secured (using Windows authentication). The account that the windows service runs under does have the rights to call the web service but I can't figure out how to get those credentials and send them off to the web service. The web service is WCF and is hosted on the same machine (in IIS) as the windows service.
You should be able to use something like this:
var myService = new myThing.Service();
myService.Credentials = System.Net.CredentialCache.DefaultCredentials;
Have you tried enabling integrated authentication (NTLM) for IIS? In my view that should allow you to call web service if the windows service user account has rights to invoke the service. you need not explicitly extract credentials.