WCF windows authentication with IIS and Application Pool

Question

I have a WCF Server running on IIS 6 using a application pool with a custom identity

right now the I looked on the web for two days and I can't find the exact answer to my problem. I know there are a lot of similar ones outer there

On IIS6 the virtual directory has anonymous access disable and Integrated Windows authentication enabled. The service account is on the same domain as the machine. I will call it svcE. I added svcE to the IIS_WPG group.

Now, first issue is when I select that application pool with svcE to work on Virtual Directory, call it appDir, then when I navigate to appDir I get prompted for credentials but if I use the network service account I do not and verify that I am logged in as me.

What I want to do is have the service run under the account svE because it has access to the database, without putting that info in the WebConfig file.

I have a web service with the config file

<authentication mode="Windows"/>

<bindings>
        <basicHttpBinding>
            <binding name="default">
                <security mode="TransportCredentialOnly">
                    <transport clientCredentialType="Windows"/>
                </security>                  
            </binding>
        </basicHttpBinding>
    </bindings>

<endpoint address="" binding="basicHttpBinding" bindingConfiguration="default" contract="<removed>">
 <identity>
  <dns value="localhost" />
 </identity>
</endpoint>   

The Web config using the service has

<basicHttpBinding>
            <!-- Create one Binding for all three services, save space-->
            <binding name="BasicHttpBinding_PricingService" closeTimeout="00:01:00"
                openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
                allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
                useDefaultWebProxy="true">
                <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                    maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                <security mode="TransportCredentialOnly">
                    <transport clientCredentialType="Windows" proxyCredentialType="Windows"
                        realm="" />
                    <message clientCredentialType="UserName" algorithmSuite="Default" />
                </security>
            </binding>

        </basicHttpBinding>
    </bindings>
    <client>
      <endpoint address="<address>.svc"
            binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_PricingService"
            contract="<contract>" name="<name>" />

Ultimatly what I am trying to achieve is

Only Windows Authenticated people can call the service --> Then the service uses a serivce account to have all interaction with the database.

Note that if I skip the first part and add annon access then it works and called the database fine

Thank you for the help

Answer 1

如果要以特定帐户进行数据库调用，则可以模拟该帐户来进行通话：

using ( WindowsImpersonationContext contexts = (new WindowsIdentity("account").Impersonate()){ db.MakeCall(); }

Answer 2

如果仍然有人在这个问题上挣扎，那么您要做的就是在web.config上模拟您的服务帐户：

<identity impersonate="true" userName="domain\svcname" password="password"/>

Answer 3

It appears that your service is impersonating the user when the user connects with windows authentication.

When you use annonymous authentication, there is no impersonation therefore no problem.

When you use windows authentication and a domian account, that account is not marked as it can impersonate maybe that is why you get the login, network service has that right by default.

Try:

<authentication mode="Windows" impersonate="false"/>

Answer 4

I had the same problem.

I needed to give access to the c:\\inetpub\\wwwroot\\ folder.

I gave the 'DomainUsers' group read permission.