Help - Pulling my hair out

  • Question

  • Hi folks

    I am having trouble getting my users' security credentials down to my WCF service (so that I can record who has done what), which means the WCF service won't play!

    Here is my situation:

    I have an ASP.NET MVC app running on IIS7.5 on Server1.

    I have a self-hosted WCF service running on Server2.

    I browse to the site (which is internal on my domain) - IIS knows who I am - I can see my user name when I put some debug info on the page. However, I can't seem to work out the right combination of settings I need to get my credentials to WCF. If I turn identity impersonation on in the MVC app, then I get an error saying "SecurityTokenValidationException: The service does not allow you to log on anonymously". If I turn it off then the call reaches the service but it thinks the user is anonymous.

    I have Windows Authentication enabled with NTLM and Negotiate on the MVC site.

    Does anyone have an answer to this problem? 

    Would be most grateful.

    Wednesday, July 31, 2013 4:30 AM

Answers

  • Here is the approach I have ended up taking... not sure if it is the best but it works...

    I have added a custom header to the message by using IDispatchMessageInspector. The custom header has the user credentials. This way I don't need to pass this down through parameters in every method. On the server side I can still allow anonymous access, and still get the user credentials from the message header.

    It seems to work ok...

    Friday, August 2, 2013 1:02 PM
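The approach in the accepted answer, worked through as an added example (this is not the poster's code). In WCF the header is stamped on the client side by an IClientMessageInspector and read on the service side by an IDispatchMessageInspector; both are wired up through behaviors below. The security point a practitioner needs: a user name carried in a SOAP header is an assertion made by whoever sent the message, so a service that accepts it on a genuinely anonymous endpoint will record whatever any caller on the network chooses to claim. The reason the real credentials never arrive is that NTLM cannot be forwarded across a second hop, so what Server2 can authenticate over the transport is Server1's app-pool account, as Jeff noted. The example therefore keeps Windows transport security on the binding and honours the header only when the transport caller is that trusted account. The header name and namespace, the message-property key, the contract, and the account name "CORP\\SERVER1$" are all assumptions to be replaced with your own.

```csharp
using System;
using System.Collections.ObjectModel;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Added example (not the poster's code). Header name/namespace, the property key and
// the trusted account name are assumptions; substitute your own.
public static class ForwardedUser
{
    public const string Header = "ForwardedUser";
    public const string Ns = "urn:example:forwarded-user";
    public const string Property = "ForwardedUser";   // key in IncomingMessageProperties
}

// ---- Client side (MVC app on Server1): stamp every outgoing call with the IIS user ----
public class ForwardUserClientInspector : IClientMessageInspector
{
    private readonly Func<string> _currentUser;   // e.g. () => HttpContext.Current.User.Identity.Name
    public ForwardUserClientInspector(Func<string> currentUser) { _currentUser = currentUser; }

    public object BeforeSendRequest(ref Message request, IClientChannel channel)
    {
        // Resolve the user at send time: one inspector instance serves many requests.
        request.Headers.Add(MessageHeader.CreateHeader(ForwardedUser.Header, ForwardedUser.Ns, _currentUser()));
        return null;
    }
    public void AfterReceiveReply(ref Message reply, object correlationState) { }
}

public class ForwardUserEndpointBehavior : IEndpointBehavior
{
    private readonly Func<string> _currentUser;
    public ForwardUserEndpointBehavior(Func<string> currentUser) { _currentUser = currentUser; }
    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime)
    {
        clientRuntime.MessageInspectors.Add(new ForwardUserClientInspector(_currentUser));
    }
    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection parameters) { }
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher dispatcher) { }
    public void Validate(ServiceEndpoint endpoint) { }
}

// ---- Service side (self-hosted on Server2): read the header, but only trust it from Server1 ----
public class ForwardedUserDispatchInspector : IDispatchMessageInspector
{
    private readonly string _trustedCaller;   // the account Server1's app pool runs as, e.g. "CORP\\SERVER1$"
    public ForwardedUserDispatchInspector(string trustedCaller) { _trustedCaller = trustedCaller; }

    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext instanceContext)
    {
        string forwarded = null;
        int i = request.Headers.FindHeader(ForwardedUser.Header, ForwardedUser.Ns);
        if (i >= 0) forwarded = request.Headers.GetHeader<string>(i);

        // The transport caller is whoever authenticated on the binding: with Windows transport
        // security that is Server1's app-pool account, never the browsing user (no double hop).
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        string transportCaller = (ctx != null && !ctx.IsAnonymous && ctx.WindowsIdentity != null)
            ? ctx.WindowsIdentity.Name : null;

        // Anyone who can reach the endpoint can put any name in the header, so it is only
        // honoured when the transport caller is the trusted web server; otherwise the user is null.
        bool trusted = string.Equals(transportCaller, _trustedCaller, StringComparison.OrdinalIgnoreCase);
        OperationContext.Current.IncomingMessageProperties[ForwardedUser.Property] = trusted ? forwarded : null;
        return null;
    }
    public void BeforeSendReply(ref Message reply, object correlationState) { }
}

public class ForwardedUserServiceBehavior : IServiceBehavior
{
    private readonly string _trustedCaller;
    public ForwardedUserServiceBehavior(string trustedCaller) { _trustedCaller = trustedCaller; }
    public void ApplyDispatchBehavior(ServiceDescription desc, ServiceHostBase host)
    {
        foreach (ChannelDispatcher cd in host.ChannelDispatchers)
            foreach (EndpointDispatcher ed in cd.Endpoints)
                ed.DispatchRuntime.MessageInspectors.Add(new ForwardedUserDispatchInspector(_trustedCaller));
    }
    public void AddBindingParameters(ServiceDescription desc, ServiceHostBase host,
        Collection<ServiceEndpoint> endpoints, BindingParameterCollection parameters) { }
    public void Validate(ServiceDescription desc, ServiceHostBase host) { }
}

[ServiceContract] public interface IAuditDemo { [OperationContract] string WhoAmI(); }

public class AuditDemoService : IAuditDemo
{
    public string WhoAmI()
    {
        object user;
        OperationContext.Current.IncomingMessageProperties.TryGetValue(ForwardedUser.Property, out user);
        return (user as string) ?? "anonymous";   // log this alongside the transport identity
    }
}
```

Wiring: on Server2 add `host.Description.Behaviors.Add(new ForwardedUserServiceBehavior("CORP\\SERVER1$"))` before `host.Open()`, with a binding that authenticates the caller over the transport (NetTcpBinding does so by default with Windows credentials); on Server1 add `client.Endpoint.Behaviors.Add(new ForwardUserEndpointBehavior(() => HttpContext.Current.User.Identity.Name))`, with impersonation left off so the call is made as the app pool. The trusted-caller name is the app pool's own account; if the pool runs as ApplicationPoolIdentity or NetworkService, that is the machine account (DOMAIN\\MACHINE$). For the audit record, log the forwarded user together with `ServiceSecurityContext.Current.WindowsIdentity.Name` so the trail shows which server vouched for the name.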

All replies

  • In my opinion (and I am sure there are lots of other opinions out there), I would authenticate using NTLM with Server 1, capture the credentials of the current user, and then forward those on in either a custom SOAP header or the content of the message body. The communication between Server1 and Server2 is usually under the identity of the app pool.


    Jeff

    Wednesday, July 31, 2013 10:02 PM
  • Hi Jeff. Thanks for the reply. I was kind of hoping that there is something built in to WCF/IIS to do this for me. The thing that strikes me is that I don't think what I am trying to do is too unusual. I can't understand why server 1 doesn't automatically pass on the credentials anyway as it already knows who the user is, and is running under that context. If I move the WCF service onto the same machine then it does pass the credentials to the service.

    However, thanks for the suggestion - I will look into that...

    Wednesday, July 31, 2013 10:12 PM
  • Hi Stygen. Thanks for the reply.

    I've read the links and I don't think this will address my problem.... I have managed to get authentication to work if the WCF and MVC are on the same server - so I am happy with that side of things. The problem only occurs when the WCF is on a second server, and for some reason the first server isn't passing the credentials on.

    Regards

    Wednesday, July 31, 2013 10:15 PM
  • Hello Buck,

    Based on your post and responses, I agree with you; looks like you are almost there and it is most likely a server setting getting in the way that is preventing this type of authentication forwarding.  I will ask some other devs to see if anyone has a suggestion.  Please post what solution you come up with!

    Cheers


    Jeff

    Wednesday, July 31, 2013 10:22 PM
  • Many thanks for your help! I will certainly post the solution once I find it as it seems to be a problem for quite a few people!
    Wednesday, July 31, 2013 10:29 PM