WCF and ASP.Net wsHTTPBinding Access Denied

Here is my scenario for a problem I can't solve. I am hosting a 3.5 WCF
service in IIS on Windows Server 2003. The service works fine with the WCF
test client in Visual Studio 2008 and from an ASP.Net client hosted on my
development machine in VS2008. As soon as I deploy the ASP.net client to the
"Same" IIS server, I get Access Denied messages.

My goal is to use AD security groups so the authenticated user on the
ASP.net page should be in the group to access the service. I have validated
all of this is true.

Please Help. I have spent way too much time on this and just can't find the
problem.

Here are the relevant artifacts:

Error Message from IIS when attempting to make call to service

Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information about
the error and where it originated in the code.

Exception Details:
System.ServiceModel.Security.SecurityAccessDeniedE xception: Access is denied.

Source Error:

Line 260:
Line 261: public HSMembersService.Member GetMember(string MemberId) {
Line 262: return base.Channel.GetMember(MemberId);
Line 263: }
Line 264:

Client Services portion of web.config

<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IHSMembersService" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
bypassProxyOnLocal="false" transactionFlow="false"
hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text"
textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192"
maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<transport clientCredentialType="Windows" proxyCredentialType="None"
realm="" />
<message clientCredentialType="Windows"
negotiateServiceCredential="true"
algorithmSuite="Default" establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint
address="http://HOSTNAMECHANGEDFORSECURITYPURPOSES/MembershipService/HSMembersService.svc"
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_IHSMembersServ ice"
contract="HSMembersService.IHSMembersService"
name="WSHttpBinding_IHSMembersService">
<identity>
<servicePrincipalName value="host/HOSTNAMECHANGEDFORSECURITYPURPOSES" />
</identity>
</endpoint>
</client>
</system.serviceModel>

Relevant Service portion of web.config

<system.serviceModel>
<services>
<service name="HSMembersService.HSMembersService"
behaviorConfiguration="HSMembersService.HSMembersS erviceBehavior">
<!-- <host>
<baseAddresses>
<add baseAddress =
"http://localhost:8731/Design_Time_Addresses/HSMembersService/HSMembersService/" />
</baseAddresses>
</host>-->
<!-- Service Endpoints -->
<!-- Unless fully qualified, address is relative to base address
supplied above -->
<endpoint address ="" binding="wsHttpBinding"
contract="HSMembersService.IHSMembersService"
bindingConfiguration="wsHttpBindingConfig">
<!--
Upon deployment, the following identity element should be
removed or replaced to reflect the
identity under which the deployed service runs. If removed,
WCF will infer an appropriate identity
automatically.
-->
<!--<identity>
<dns value="localhost"/>
</identity>-->
</endpoint>
<!-- Metadata Endpoints -->
<!-- The Metadata Exchange endpoint is used by the service to
describe itself to clients. -->
<!-- This endpoint does not use a secure binding and should be
secured or removed before deployment -->
<endpoint address="mex" binding="mexHttpBinding"
contract="IMetadataExchange"/>
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="wsHttpBindingConfig" >
<security mode="Message">
<message clientCredentialType="Windows" />
</security>

</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="HSMembersService.HSMembersServiceBehavior">
<!-- To avoid disclosing metadata information,
set the value below to false and remove the metadata endpoint
above before deployment -->
<serviceMetadata httpGetEnabled="True"/>

<serviceAuthorization principalPermissionMode="UseWindowsGroups"
/>
<!-- To receive exception details in faults for debugging purposes,
set the value below to true. Set to false before deployment
to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="True" /><!-- Change
this before deployment -->
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>

Here is a snippet from the class implementation of the service operation
with the AD role adornment:

[PrincipalPermission(SecurityAction.Demand, Role="IVRClientService")]
public Member GetMember(string MemberId)
{
...
}

re: WCF and ASP.Net wsHTTPBinding Access Denied

"Eddie" <Eddie@discussions.microsoft.comwrote in message
news:78C1D997-0CD4-4641-9610-866EFD7D8D47@microsoft.com...
I could be off, but wouldn't you also have to consider the permission
rights of the ASP.Net worker process? The ASP.Net worker process thread is
the thread that's hosting the ASP.NET solution on IIS, and it's the process
that's hosting the WCF solution on IIS.

This links may help you.

http://www.codeproject.com/KB/web-se...ASPNET_WP.aspx

<identityWeb.config section

The <identityWeb.config section defines what identity (Windows account) to
use when accessing the ASP.NET application. Here is the generic syntax of
the <identitysection of the Web.config:

<identity impersonate="true|false" userName="username" password="password"/>

Impersonation is the concept whereby an application executes under the
context of the identity of the client that is accessing the application.
This is achieved by using the access token provided by IIS.

By default the ASPNET Windows account is used to access ASP.NET resources
through the Aspnet_wp.exe process. This account is less powerful, compared
to the IUSR_ machinename guest Internet account used by classic ASP for
example. In certain situations you might want to use the anonymous IUSR_
machinename account, as the account accessing your ASP.NET application and
you can do that by using the following code in your Web.config file:

http://www.codeproject.com/KB/web-se...ASPNET_WP.aspx

re: WCF and ASP.Net wsHTTPBinding Access Denied

Mr. Arnold, Thanks for the pointer. Just turning on impersonation i.e.
impersonation = true worked like a charm. Its amazing how long I've been
working on this and something so simple worked.

"Mr. Arnold" wrote: