How to manage workflow service from ASP.NET using net.pipe binding

Question

I'm trying to manage my workflow service that hosted on AppFabric through the standard named pipe endpoint. I successfully can do this from the console application, but when try to do the same from ASP.NET I get "Access is denied" exception.

I understand that it's the security configuration problem that should be resolved somehow in web.config but I have no idea how...

Here is the code that I use:

NetNamedPipeBinding binding = new NetNamedPipeBinding();
EndpointAddress addr = new EndpointAddress("net.pipe://localhost/ServiceLibrary/LongRunningService.xamlx/System.ServiceModel.Activities_IWorkflowInstanceManagement");

try
{
    var proxy = new WorkflowControlClient(binding, addr);
    Guid instanceId = new Guid("<<SOME WORKFLOW INSTANCE ID>>");
    proxy.Suspend(instanceId);
}
catch (Exception ex)
{
}

UPDATE: in theory it possible to register endpoints (either http or net.pipe) in web.config with no security. In this case looks like everything is working... but I don't want to do this for every service registered on the site. I think there should be some way to connect to already registered net.pipe endpoint. Here is the web config with explicit endpoint registration (http, net.pipe):

<behaviors>
  <serviceBehaviors>
    <behavior>
      <remove name="serviceCredentials" />
      <serviceMetadata httpGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="false" />
      <sqlWorkflowInstanceStore instanceCompletionAction="DeleteNothing" instanceEncodingOption="None" instanceLockedExceptionAction="NoRetry" connectionStringName="ApplicationServerWorkflowInstanceStoreConnectionString" hostLockRenewalPeriod="00:00:30" runnableInstancesDetectionPeriod="00:00:05" />
      <workflowInstanceManagement authorizedWindowsGroup="" />
      <workflowUnhandledException action="AbandonAndSuspend" />
      <workflowIdle timeToPersist="00:00:30" timeToUnload="00:01:00" />
      <etwTracking profileName="Troubleshooting Tracking Profile" />
    </behavior>
    <behavior name="StnandardBehavior">
      <remove name="serviceCredentials" />
      <serviceMetadata httpGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="false" />
      <sqlWorkflowInstanceStore instanceCompletionAction="DeleteNothing" instanceEncodingOption="None" instanceLockedExceptionAction="NoRetry" connectionStringName="ApplicationServerWorkflowInstanceStoreConnectionString" hostLockRenewalPeriod="00:00:30" runnableInstancesDetectionPeriod="00:00:05" />
      <workflowInstanceManagement authorizedWindowsGroup="" />
      <workflowUnhandledException action="AbandonAndSuspend" />
      <workflowIdle timeToPersist="00:00:30" timeToUnload="00:01:00" />
      <etwTracking profileName="Troubleshooting Tracking Profile" />
    </behavior>
  </serviceBehaviors>
</behaviors>
<bindings>
  <basicHttpBinding>
    <binding name="httpSecurityOff" closeTimeout="00:10:00" openTimeout="00:10:00" receiveTimeout="00:10:00" sendTimeout="00:10:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="2147483647" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647" messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true">
      <readerQuotas maxDepth="32" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
      <security mode="None">
        <transport clientCredentialType="None" proxyCredentialType="None" realm="" />
        <message clientCredentialType="UserName" algorithmSuite="Default" />
      </security>
    </binding>
  </basicHttpBinding>
  <netNamedPipeBinding>
    <binding name="pipeSecurityOff" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" hostNameComparisonMode="StrongWildcard" maxBufferSize="65536" maxBufferPoolSize="524288" transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions" maxConnections="10" maxReceivedMessageSize="65536">
      <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
      <security mode="None">
        <transport protectionLevel="None" />
      </security>
    </binding>
  </netNamedPipeBinding>
</bindings>
<services>
  <service name="LongRunningService" behaviorConfiguration="StnandardBehavior">
    <endpoint address="wce" contract="System.ServiceModel.Activities.IWorkflowInstanceManagement" binding="basicHttpBinding" bindingConfiguration="httpSecurityOff" kind="workflowControlEndpoint" />
    <endpoint address="wce" contract="System.ServiceModel.Activities.IWorkflowInstanceManagement" binding="netNamedPipeBinding" bindingConfiguration="pipeSecurityOff" kind="workflowControlEndpoint" />
    <endpoint contract="ILongRunningService" binding="basicHttpBinding" bindingConfiguration="httpSecurityOff" />
  </service>
</services>

and in this case client code for connection to this new endpoint should be a little be other:

    NetNamedPipeBinding binding = new NetNamedPipeBinding();
    binding.Security.Mode = NetNamedPipeSecurityMode.None;
    EndpointAddress addr = new EndpointAddress("net.pipe://{{MACHINE_NAME}}/ServiceLibrary/LongRunningService.xamlx/wce");

    try
    {
        var proxy = new WorkflowControlClient(binding, addr);
        Guid instanceId = new Guid(workflowInstanceId.Value);
        proxy.Suspend(instanceId);
        proxy.Close();
    }
    catch (Exception ex)
    {
    }

Answer 1

Try putting Workflow ApplicationPool user in the user group "AS_Administrators". IIS reset is needed to reload security changes.

Answer 2

You can turn of security to see if you have an issue with ASP.NET app pool identity ACLs:

NetNamedPipeBinding nnpb = new NetNamedPipeBinding();
nnpb.Security.Mode = NetNamedPipeSecurityMode.None;

Answer 3

Have you edited your allowed website/virtual directory bindings for your application in IIS? You need to add net.pipe as an allowed protocol binding.