Process identity for IIS-hosted WCF service

    Question

  • Hi,

    I've written a basic WCF service that should connect to a SQL Server database using integrated security. The callers to the service should be authenticated (i.e. I cannot use anonymous), but should not have permission to connect to the database. The WCF service is hosted on IIS 7.5.

    I'm completely confused by the documentation I've been able to find; it seems impossible to find anything comprehensive that shows how it all hangs together. Am I supposed to configure this in IIS 7.5, or in the web.config file, or both? Is there even a difference?!? (For all I know, IIS configuration may do nothing more than edit .net configuration files behind the scenes.)

    It also seems the term "identity" in a WCF context refers more often (but not always) to a separate concept (to let clients authenticate the service) than to the process identity the service runs under at run-time.

    On a side note, the WCF service was made with VS-2008, and to me the web.config file seems strange as well - it looks like a config file for the deprecated asmx technology. There is however nothing I can do about that; just mentioning it in case it has implications for how to solve the problem.

    I've created a new application pool and set the identity to a user that does have permission to connect to the SQL database. (And this works fine in an NT service that runs under the same identity.) I've enabled both Windows and Anonymous authentication, but it still fails. I will need to disable anonymous access, permit only one specific caller, but run as a different identity in order to connect to the database. To my mind, this doesn't necessarily imply impersonation (which I think of as temporarily using an impersonation process token; I want the app pool to always run under its own identity, but still authenticate callers and authorize only one), but I'm not sure IIS 7.5 can do this without impersonating.

    Given that these sorts of requirements are simply ubiquitous in the business world, you'd think it was a simple matter of using INETMGR to configure the identity you'd like to use, inputting user name and password, and similarly for the identities you want to authorize. But... according to

    http://geekswithblogs.net/manesh/archive/2009/04/23/setting-up-wcf-to-impersonate-client-credentials.aspx

    it is apparently rather involved. Is it really this complex!? As mentioned, I think what I'm trying to do ought to be possible without actually having to impersonate, but even if I needed to, why should it be a 50 step process that even includes changing the client? This to me doesn't look good.

    I'm sorry that this doesn't amount to a coherent question. But this is unavoidable since I am unable to find out how this all works. I am a programmer, not an infrastructure specialist, and I have no desire to spend weeks studying all the plentiful possible deployment options.

    If I can provide any additional information to help solve this, let me know.

    Friday, November 25, 2011 11:21 AM

Answers

  • "I've written a basic WCF service that should #1 connect to a SQL Server database using integrated security. #2 The callers to the service should be authenticated (i.e. I cannot use anonymous), #3 but should not have permission to connect to the database. The WCF service is hosted on IIS 7.5."

     

    #1 Create an Application Pool with its identity set to a credential that has access to the database.

    #2 Using windows authentication -> http://randypaulo.wordpress.com/2011/07/13/wcf-using-windows-authentication-and-sqlroleprovider-over-basichttp/

    #3 In System.web add:

    <system.web>
      <identity impersonate="false" />
    </system.web>

    So when the service tries to connect to the database it will use the credentials of the Application Pool and not the caller.

    Note: Windows authentication allows any user with a valid Windows account to access the service. Using SQL Role Provider + Security Demand (Authorization) checks whether the user has the necessary rights/groups to call the specific operation.

     


    Randy Aldrich Paulo

    MCTS(BizTalk 2010/2006,WCF NET4.0), MCPD | My Blog


    BizTalk Message Archiving - SQL and File

    Friday, November 25, 2011 11:46 AM
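
An added example (not part of the answer above, and not code from the linked blog) showing the three points together in one service operation: the caller is authenticated and authorized by a security demand, while the SQL connection is opened under the application pool account because nothing impersonates. The account `CONTOSO\svc-caller`, the server `SQLHOST`, the database `AppDb` and the `IOrderService` contract are placeholders, and the code assumes WCF's default `principalPermissionMode` (`UseWindowsGroups`) rather than the SqlRoleProvider the answer links to.

```csharp
using System.Data.SqlClient;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical contract used only for this illustration.
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string WhoAmI();
}

public class OrderService : IOrderService
{
    // Authorization: only this one Windows account (placeholder name) may call
    // the operation. Any other authenticated caller gets an "Access is denied" fault.
    [PrincipalPermission(SecurityAction.Demand, Name = @"CONTOSO\svc-caller")]
    public string WhoAmI()
    {
        // Authentication result: the Windows identity of the caller.
        string caller = ServiceSecurityContext.Current.WindowsIdentity.Name;

        // Identity the code actually executes under. With impersonate="false"
        // and no impersonation in the operation, this is the app pool account.
        string process = WindowsIdentity.GetCurrent().Name;

        // Placeholder server and database. Integrated security uses the
        // process identity, so the caller needs no SQL Server login.
        const string connStr =
            "Data Source=SQLHOST;Initial Catalog=AppDb;Integrated Security=SSPI";

        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
        {
            conn.Open();
            // Login name as SQL Server sees it; expected to match 'process'.
            string sqlLogin = (string)cmd.ExecuteScalar();
            return string.Format("caller={0}; process={1}; sql={2}",
                                 caller, process, sqlLogin);
        }
    }
}
```

Calling `WhoAmI` from the permitted account should return three values in which `caller` differs from `process` and `sql`, which is a quick check that the demand and the application pool identity are both in effect.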

All replies

  • Thank you for your reply, I will try now.

    I find it odd that IIS mixes up authentication and authorization. Just because I want to authenticate based on the windows identity of the calling process shouldn't have to mean I want to authorize the entire directory... After all, merely establishing identity is quite different from deciding who should be allowed.

    Unfortunately I don't know how these things work "under the hood", but ASP.NET does have configurable authorization. Couldn't I use this so IIS takes care of establishing who's calling, and then ASP.NET ensures only my intended caller gets through to any actual service operations? I suppose WCF, at least in the IIS hosting context, is still using some "old" asp.net bits and pieces, or else this web.config wouldn't look the way it does...

    But now, off to try out your tips. Thanks again!

     

    Friday, November 25, 2011 12:48 PM