Here is my scenario for a problem I can't solve. I am hosting a 3.5 WCF
service in IIS on Windows Server 2003. The service works fine with the WCF
test client in Visual Studio 2008 and from an ASP.Net client hosted on my
development machine in VS2008. As soon as I deploy the ASP.net client to the
"Same" IIS server, I get Access Denied messages.
My goal is to use AD security groups so the authenticated user on the
ASP.net page should be in the group to access the service. I have validated
all of this is true.
Please Help. I have spent way too much time on this and just can't find the
problem.
Here are the relevant artifacts:
Error Message from IIS when attempting to make call to service
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information about
the error and where it originated in the code.
Exception Details:
System.ServiceModel.Security.SecurityAccessDeniedE xception: Access is denied.
Source Error:
Line 260:
Line 261: public HSMembersService.Member GetMember(string MemberId) {
Line 262: return base.Channel.GetMember(MemberId);
Line 263: }
Line 264:
Client Services portion of web.config
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IHSMembersService" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
bypassProxyOnLocal="false" transactionFlow="false"
hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text"
textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192"
maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<transport clientCredentialType="Windows" proxyCredentialType="None"
realm="" />
<message clientCredentialType="Windows"
negotiateServiceCredential="true"
algorithmSuite="Default" establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint
address="http://HOSTNAMECHANGEDFORSECURITYPURPOSES/MembershipService/HSMembersService.svc"
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_IHSMembersServ ice"
contract="HSMembersService.IHSMembersService"
name="WSHttpBinding_IHSMembersService">
<identity>
<servicePrincipalName value="host/HOSTNAMECHANGEDFORSECURITYPURPOSES" />
</identity>
</endpoint>
</client>
</system.serviceModel>
Relevant Service portion of web.config
<system.serviceModel>
<services>
<service name="HSMembersService.HSMembersService"
behaviorConfiguration="HSMembersService.HSMembersS erviceBehavior">
<!-- <host>
<baseAddresses>
<add baseAddress =
"http://localhost:8731/Design_Time_Addresses/HSMembersService/HSMembersService/" />
</baseAddresses>
</host>-->
<!-- Service Endpoints -->
<!-- Unless fully qualified, address is relative to base address
supplied above -->
<endpoint address ="" binding="wsHttpBinding"
contract="HSMembersService.IHSMembersService"
bindingConfiguration="wsHttpBindingConfig">
<!--
Upon deployment, the following identity element should be
removed or replaced to reflect the
identity under which the deployed service runs. If removed,
WCF will infer an appropriate identity
automatically.
-->
<!--<identity>
<dns value="localhost"/>
</identity>-->
</endpoint>
<!-- Metadata Endpoints -->
<!-- The Metadata Exchange endpoint is used by the service to
describe itself to clients. -->
<!-- This endpoint does not use a secure binding and should be
secured or removed before deployment -->
<endpoint address="mex" binding="mexHttpBinding"
contract="IMetadataExchange"/>
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="wsHttpBindingConfig" >
<security mode="Message">
<message clientCredentialType="Windows" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="HSMembersService.HSMembersServiceBehavior">
<!-- To avoid disclosing metadata information,
set the value below to false and remove the metadata endpoint
above before deployment -->
<serviceMetadata httpGetEnabled="True"/>
<serviceAuthorization principalPermissionMode="UseWindowsGroups"
/>
<!-- To receive exception details in faults for debugging purposes,
set the value below to true. Set to false before deployment
to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="True" /><!-- Change
this before deployment -->
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
Here is a snippet from the class implementation of the service operation
with the AD role adornment:
[PrincipalPermission(SecurityAction.Demand, Role="IVRClientService")]
public Member GetMember(string MemberId)
{
...
}