Jimmy Bogard

Assistant to the assistant to the regional manager

Trusted Subsystem, WCF and IIS

I've just about pulled my hair out on this one. This used to be very easy with ASMX:

Basically, I have IIS running as a trusted user, "Service". I want WCF to run as this user for connecting to databases, etc. I don't care who's calling me; I'm in an intranet environment, and this service is open to the world. Unfortunately, all I can ever get is "user not associated with a trusted connection", no matter what I do. I suspect it's due to a network hop issue, or something similar. I can get it to work by flowing identity down, but I don't want to do that; it's not Trusted Subsystem.

I've spent about a day on two separate occasions trying to get this to work, but all the examples seem to force me to set the service account on the ASP.NET side. But I don't want to force clients to do any kind of security; that defeats the purpose.

The quickest way to Trusted Subsystem now is to use SQL Server authentication. With ASMX, I used ASP.NET configuration, along with IIS security configuration to set the identity, and it worked just fine. WCF works outside the ASP.NET stack, so I don't have that luxury. Security in WCF is tough, kids; don't let anyone tell you any different.

Boo.

Published Jul 30 2008, 10:43 PM by bogardj

Comments


Tobias Hertkorn said:

The trick is to host the WCF service in a dedicated app pool that runs under the user you want to use to authenticate against the SQL database.

More info:

www.codeplex.com/.../View.aspx

July 31, 2008 2:16 AM
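Here is what Tobias's suggestion (a dedicated app pool running as the service account) looks like on the WCF side, as an added example rather than configuration from the original post: a web.config for a WCF service hosted in IIS that runs as the Trusted Subsystem, with the setting that breaks the pattern shown next to the one that keeps it. The server, database, service and contract names (SQL01, AppDb, MyApp.OrderService, MyApp.IOrderService) are assumed placeholders.

```xml
<?xml version="1.0"?>
<!--
  Added example, not from the original post.  web.config for a WCF service
  hosted in IIS running as the Trusted Subsystem.  SQL01, AppDb,
  MyApp.OrderService and MyApp.IOrderService are assumed placeholder names.

  The process identity is not set in this file.  On IIS 6/7 it is the
  application pool identity (Tobias's "dedicated app pool"); on IIS 5 /
  Windows XP it is the aspnet_wp.exe account from <processModel> in
  machine.config, which the IIS anonymous-user setting does not change.
  Whichever account it is, SQL Server must be able to recognise it (a domain
  account when SQL Server is on another machine); a local-only account
  typically arrives as NT AUTHORITY\ANONYMOUS LOGON and fails with the
  "not associated with a trusted SQL Server connection" error.
-->
<configuration>
  <connectionStrings>
    <!-- Integrated Security: the connection is made by the worker process
         identity, never by a SQL login and never by the caller. -->
    <add name="AppDb"
         connectionString="Data Source=SQL01;Initial Catalog=AppDb;Integrated Security=SSPI"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!-- WEAK (breaks Trusted Subsystem when ASP.NET compatibility mode is on):
         impersonate="true" runs each SQL call as the caller, or as the IIS
         anonymous account, which is then the identity SQL Server rejects.
         <identity impersonate="true" />
    -->
    <identity impersonate="false" />
    <!-- Callers are anonymous on the intranet; the service does not
         authenticate them in this model. -->
    <authentication mode="None" />
  </system.web>

  <system.serviceModel>
    <!-- false is the default: WCF then runs outside the ASP.NET pipeline and
         ignores <identity impersonate> entirely.  Set it to true only if the
         service needs HttpContext, and then the element above is honoured. -->
    <serviceHostingEnvironment aspNetCompatibilityEnabled="false" />

    <bindings>
      <basicHttpBinding>
        <!-- No transport or message security: clients send no credentials.
             IIS must allow Anonymous access on the virtual directory, or
             WCF refuses to start the service. -->
        <binding name="AnonymousIntranet">
          <security mode="None" />
        </binding>
      </basicHttpBinding>
    </bindings>

    <behaviors>
      <serviceBehaviors>
        <behavior name="TrustedSubsystem">
          <!-- Explicitly do not impersonate the caller inside operations. -->
          <serviceAuthorization impersonateCallerForAllOperations="false" />
          <serviceMetadata httpGetEnabled="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>

    <services>
      <service name="MyApp.OrderService" behaviorConfiguration="TrustedSubsystem">
        <endpoint address=""
                  binding="basicHttpBinding"
                  bindingConfiguration="AnonymousIntranet"
                  contract="MyApp.IOrderService" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
```

To confirm which account actually reaches the database, add a throwaway operation that returns `System.Security.Principal.WindowsIdentity.GetCurrent().Name`, or watch the login name in SQL Profiler: if it shows the caller, IUSR/ASPNET, or NT AUTHORITY\ANONYMOUS LOGON instead of the app pool account, impersonation is still in effect somewhere or the account is not one the SQL Server machine can authenticate.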

bogardj said:

@Tobias

Hmm, my fear now is that I've been doing this in WinXP. Maybe IIS 6/7 is different, what with the app pools and all.

I did set the IIS process identity in IIS 5, and that didn't do the trick.

July 31, 2008 7:32 AM

Dan said:

I hope I'm not being insulting and giving you obvious paths but...

If I understand the post right, I think Tobias is on the right track. Assuming you want the "who cares" credential to be the person trying to use the service, I'd look at using Constrained Delegation and trust the service account you're running your AppPool under to delegate credentials to that service. With constrained delegation you must specify the services that the trusted account will be used to access. There are some things that can get in your way, like local security policies, your domain functional level, and version of IIS. I'm also assuming you've toggled the ASP.NET 'identity impersonate' configuration setting.

Good Luck!

July 31, 2008 10:28 AM

jdn said:

Wild stab, but is it the Kerberos thing?

support.microsoft.com/.../810572

That's always been the case when I get the "user '(null)' / not associated with a trusted connection" error.

July 31, 2008 10:48 AM

bogardj said:

@Everyone

Got the problem fixed, thanks to some twitter help and the comments here.  I'm doing a follow up to explain the solution.

July 31, 2008 7:33 PM


About bogardj

I'm a senior consultant with Headspring Systems in Austin, TX. My focus is using .NET technologies together with Agile methodologies. Back in 2005, I drank the Agile punch and haven't looked at a waterfall the same since.
Copyright Los Techies 2007. All rights reserved.