Los Techies : Blogs about software and anything tech!

Trusted Subsystem, WCF and IIS


I've just about pulled my hair out on this one.  This used to be very easy with ASMX:

Basically, I have IIS running as a trusted user, "Service".  I want WCF to run as this user for connecting to databases, etc.  I don't care who's calling me, I'm in an intranet environment, and this service is open to the world.  Unfortunately, all I can ever get is "user not associated with a trusted connection", no matter what I do.  I suspect it's due to a network hop issue, or something similar.  I can get it to work by flowing identity down, but I don't want to do that, it's not Trusted Subsystem.

I've spent about a day on two separate occasions trying to get this to work, but all examples seem to force me to set the service account on the ASP.NET side.  But I don't want to force clients to do any kind of security, that defeats the purpose.

The quickest way to Trusted Subsystem now is to use SQL Server authentication.  With ASMX, I used ASP.NET configuration, along with IIS security configuration to set the identity, and it worked just fine.  WCF works outside the ASP.NET stack, so I don't have that luxury.  Security in WCF is tough, kids, don't let anyone tell you any different.

Boo.

Posted Jul 30 2008, 10:43 PM by bogardj

Comments


Tobias Hertkorn wrote re: Trusted Subsystem, WCF and IIS
on 07-31-2008 2:16 AM

The trick is to host the wcf service in a dedicated apppool that runs under the user you want to use to authenticate against the sql database.

More info:

www.codeplex.com/.../View.aspx
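As an added illustration of the app-pool approach (this is not code from the post or from the linked CodePlex page), the web.config fragment below shows the settings that make an IIS-hosted WCF service run purely under the worker-process identity: ASP.NET impersonation off, ASP.NET compatibility mode off (so WCF never picks up the ASP.NET `identity` element or the IIS-authenticated user), an anonymous basicHttpBinding for callers, a service behaviour that refuses to impersonate the caller, and a connection string using integrated security so SQL Server sees the app-pool account. Anonymous access must also be enabled on the virtual directory in IIS itself. The service, contract and connection-string names (`Example.OrderService`, `Example.IOrderService`, `Orders`, `SQLHOST`) are placeholders.

```xml
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <!-- Integrated security: SQL Server authenticates the Windows account of the
         process that opens the connection. With nothing impersonating, that is the
         application pool identity (the "Service" account from the post). -->
    <add name="Orders"
         connectionString="Data Source=SQLHOST;Initial Catalog=Orders;Integrated Security=SSPI"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!-- No ASP.NET impersonation: requests run as the worker-process identity. -->
    <identity impersonate="false" />
    <!-- ASP.NET does not authenticate callers; IIS anonymous access passes them through. -->
    <authentication mode="None" />
  </system.web>

  <system.serviceModel>
    <!-- With compatibility mode off, WCF ignores <identity impersonate> and HttpContext
         and executes under the process identity only. -->
    <serviceHostingEnvironment aspNetCompatibilityEnabled="false" />

    <bindings>
      <basicHttpBinding>
        <!-- Anonymous transport: no client credentials are demanded. -->
        <binding name="openIntranet">
          <security mode="None" />
        </binding>
      </basicHttpBinding>
    </bindings>

    <services>
      <service name="Example.OrderService" behaviorConfiguration="noImpersonation">
        <endpoint address=""
                  binding="basicHttpBinding"
                  bindingConfiguration="openIntranet"
                  contract="Example.IOrderService" />
      </service>
    </services>

    <behaviors>
      <serviceBehaviors>
        <behavior name="noImpersonation">
          <!-- Explicitly refuse to impersonate the caller for any operation, so the
               database connection can never be opened as an anonymous or IUSR token. -->
          <serviceAuthorization impersonateCallerForAllOperations="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

With `security mode="None"` the service trusts the network, so the effective boundary is the SQL Server login for the app-pool account: grant that account only the database roles the service actually needs, and nothing else, since every anonymous caller acts with its privileges.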

bogardj wrote re: Trusted Subsystem, WCF and IIS
on 07-31-2008 7:32 AM

@Tobias

Hmm, my fear now is that I've been doing this in WinXP.  Maybe IIS6/7 is different, what with the AppPools and all.

I did set the IIS process identity in IIS5, and that didn't do the trick.
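On IIS 5.x (the Windows XP case), the ASP.NET worker process `aspnet_wp.exe` does not take its identity from the IIS console; it is set by the `processModel` element in machine.config, and the default local `ASPNET` account has no domain identity, so a remote SQL Server sees an anonymous connection and reports the "not associated with a trusted SQL Server connection" error. The fragment below is an added example, not configuration from the post, showing the element that makes the worker process run as the service account; the account name and password are placeholders.

```xml
<!-- machine.config, inside <system.web>. Applies to IIS 5.x only: on IIS 6 and later in
     worker process isolation mode this element is ignored and the application pool
     identity is used instead. -->
<system.web>
  <!-- Default is userName="machine", which runs aspnet_wp.exe as the local ASPNET
       account. That account cannot make a trusted connection to a remote SQL Server. -->
  <processModel enable="true"
                userName="DOMAIN\Service"
                password="PLACEHOLDER_PASSWORD" />
</system.web>
```

The credentials do not have to sit in clear text in machine.config; the `aspnet_setreg.exe` tool from Microsoft stores them encrypted in the registry and `userName`/`password` then reference the registry key.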

Dan wrote re: Trusted Subsystem, WCF and IIS
on 07-31-2008 10:28 AM

I hope I'm not being insulting and giving you obvious paths but...

If I understand the post right, I think Tobias is on the right track. Assuming you want the "who cares" credential to be the person trying to use the service, I'd look at using Constrained Delegation and trust the service account you're running your AppPool under to delegate credentials to that service. With constrained delegation you must specify the services that the trusted account will be used to access. There are some things that can get in your way like local security policies, your domain functioning level, and version of IIS. I'm also assuming you've toggled the ASP.Net 'identity impersonate' configuration setting.

Good Luck!

jdn wrote re: Trusted Subsystem, WCF and IIS
on 07-31-2008 10:48 AM

Wild stab, but is it the kerberos thing?

support.microsoft.com/.../810572

That's always been the case when I get the user(null)/not associated with trusted connections error.

bogardj wrote re: Trusted Subsystem, WCF and IIS
on 07-31-2008 7:33 PM

@Everyone

Got the problem fixed, thanks to some twitter help and the comments here.  I'm doing a follow up to explain the solution.

Copyright Los Techies 2008, 2009. All rights reserved.