WCF IIS Hosted "Access Denied" with PrincipalPermission

  • Question

  • Greetings Guys, 

    I am currently running into some issues with my WCF IIS hosted services.

    When run locally everything seems to work just fine, but when deployed all requests return a big access denied.

    Let's say I have the following operation:

            [PrincipalPermission(SecurityAction.Demand, Role = Security.IntranetUsers)]
            public Applications[] GetAllApplications()
            {
                return ExecuteFaultHandledOperation(() =>
                {
                    IApplicationsRepository applicationsRepository = _DataRepositoryFactory.GetDataRepository<IApplicationsRepository>();
    
                    IEnumerable<Applications> applicationEntities = applicationsRepository.Get();
    
                    return applicationEntities.ToArray();
                });
            }

    I'm finding out that having the following line

    [PrincipalPermission(SecurityAction.Demand, Role = Security.IntranetUsers)]

    is causing my operation to return "Access Denied" from any IIS hosted clients. But when I run the client locally from my local machine it works.

    Currently my Service config looks like this 

    <system.serviceModel> 
    <bindings>
          <wsHttpBinding>
            <binding name="TransportSecurity">
              <security mode="Transport">
                <transport clientCredentialType="Windows" />
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
    
     <services>
          <service behaviorConfiguration="ServiceBehavior" name="intranet.business.managers.ApplicationsManager">
            <endpoint address="" binding="wsHttpBinding"
              bindingConfiguration="TransportSecurity"
              name="ApplicationWsHttpEndpoint"
              contract="intranet.business.contracts.IApplicationService">
            </endpoint>
      </service>
    </services>
    <behaviors>
          <serviceBehaviors>
            <behavior name="ServiceBehavior">
              <serviceMetadata httpGetEnabled="true" httpsGetEnabled="True"/>
              <serviceDebug includeExceptionDetailInFaults="true"/>
              <serviceAuthorization principalPermissionMode="UseWindowsGroups"/>
              <serviceCredentials>
                <windowsAuthentication allowAnonymousLogons="False" includeWindowsGroups="True"/>
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
        </behaviors>
        <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
    </system.serviceModel>

    And my client config:

    <system.serviceModel>
        <bindings>
          <wsHttpBinding>
            <binding name="wsHttpEndpoint">
              <security mode="Transport">
                <transport clientCredentialType="Windows" />
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
    <client>
          <endpoint address="https://foo.bar/Applications.svc"
              binding="wsHttpBinding" bindingConfiguration="wsHttpEndpoint"
              contract="intranet.client.contracts.IApplicationService"
              name="ApplicationBasicWsEndpoint" >
          </endpoint>
    </client>
        <behaviors>
          <serviceBehaviors>
            <behavior>
              <serviceAuthorization principalPermissionMode="UseWindowsGroups" />
            </behavior>
          </serviceBehaviors>
        </behaviors>
        <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
      </system.serviceModel>

    And for both configs I have the following 

        <authentication mode="Windows"/>
        <authorization>
          <deny users="?"/>
        </authorization>

    Any ideas why I'm seeing this behavior?

    Thursday, October 24, 2013 4:52 PM

Answers

  • You need to set the credentials in your client prior to calling the method on the WCF service.  What does your client look like?  Assuming you have a Service Reference in your client called MyApplication, you should have something like the following:

    using (MyApplication.ApplicationService proxy = new MyApplication.ApplicationService())
    {
        proxy.ClientCredentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultNetworkCredentials;
        // Calls to your service operations
    }
    

    There is a link here that describes how to handle calls to your service from a client.  Michele Leroux Bustamante has included a number of links from her site in here, which I found incredibly helpful for setting up my WCF services. 

    Hope this helps!


    Christine A. Piffat

    Thursday, October 24, 2013 7:36 PM
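
Added example, not part of the original thread or of either poster's code: a server-side `ServiceAuthorizationManager` that logs which Windows account the service actually receives on each call and whether that account is in the demanded group, so the entries for the local client and the IIS-hosted client can be compared. The class name `CallerLoggingAuthorizationManager` is hypothetical and `DOMAIN\IntranetUsers` is a placeholder, since the thread does not show the value of `Security.IntranetUsers`.

```csharp
using System.Diagnostics;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical diagnostic type. Register it on the existing element:
//   <serviceAuthorization principalPermissionMode="UseWindowsGroups"
//       serviceAuthorizationManagerType="Namespace.CallerLoggingAuthorizationManager, AssemblyName" />
public class CallerLoggingAuthorizationManager : ServiceAuthorizationManager
{
    // Placeholder: replace with the group name behind Security.IntranetUsers.
    private const string RoleToCheck = @"DOMAIN\IntranetUsers";

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        string action = operationContext.IncomingMessageHeaders.Action;
        ServiceSecurityContext ctx = operationContext.ServiceSecurityContext;

        if (ctx == null || ctx.IsAnonymous)
        {
            // No Windows credential reached the service for this call.
            Trace.TraceWarning("WCF call to {0}: no authenticated caller.", action);
            return base.CheckAccessCore(operationContext);
        }

        WindowsIdentity caller = ctx.WindowsIdentity;

        // Check group membership directly against the caller's token instead of
        // relying on Thread.CurrentPrincipal at this point in the pipeline.
        bool inRole = new WindowsPrincipal(caller).IsInRole(RoleToCheck);

        Trace.TraceInformation(
            "WCF call to {0}: caller={1}, authType={2}, impersonationLevel={3}, inRole({4})={5}",
            action, caller.Name, caller.AuthenticationType,
            caller.ImpersonationLevel, RoleToCheck, inRole);

        // Logging only: the access decision stays with the base class and
        // with the PrincipalPermission demands on the operations.
        return base.CheckAccessCore(operationContext);
    }
}
```

The output goes to whatever `System.Diagnostics` trace listener the service host has configured; nothing is returned to the client.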