user1011394

Reputation: 1666

WCF Active Directory Authorization - PrincipalPermission -> access denied

I am trying to secure my WCF service with an AD-based logon system. I've created an AD group named "TestUsers". My user account is a member of that group. The WCF service is hosted in IIS.

But I always get the exception "SecurityAccessDeniedException".

My WCF Service looks like:

Web.Config

<?xml version="1.0" encoding="utf-8"?>
<configuration>

  <appSettings>
    <add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
  </appSettings>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5"/>
  </system.web>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpEndpointBinding">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="false"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <protocolMapping>
        <add binding="basicHttpsBinding" scheme="https" />
    </protocolMapping>    
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
    <directoryBrowse enabled="true"/>
  </system.webServer>

</configuration>

IService1.cs (Service interface): Just one method:

string GetWelcomeMessage();

Service1.svc.cs:

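using System.Security.Permissions;

public class Service1 : IService1
{
    // Demands that Thread.CurrentPrincipal is in the AD group before the method body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = @"mydomain\TestUsers")]
    public string GetWelcomeMessage()
    {
        return "hello world";
    }
}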

Any ideas what's wrong?

Any help would be greatly appreciated.

Upvotes: 0

Views: 1752

Answers (1)

flayn

Reputation: 5322

Make sure that the account that runs the service that hosts IIS is permitted to perform security checks in the AD.

Also change

includeExceptionDetailInFaults="false"

to

includeExceptionDetailInFaults="true"

for now, this might help you analyze the problem.

Upvotes: 1
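
A server-side way to gather the information the answer is after, as an added example that is not part of the original post or the asker's code: it logs who the thread principal is and then performs the same role demand imperatively. `IService1`, the role string and the method come from the question; the `RequiredRole` constant and the trace message are illustrative, and a trace listener is assumed to be configured.

```csharp
using System.Diagnostics;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.Threading;

// Added diagnostic sketch (not the asker's code). RequiredRole and the
// trace format are illustrative names introduced for this example.
public class Service1 : IService1
{
    private const string RequiredRole = @"mydomain\TestUsers";

    public string GetWelcomeMessage()
    {
        // PrincipalPermission evaluates Thread.CurrentPrincipal, so inspect that object.
        IPrincipal principal = Thread.CurrentPrincipal;
        IIdentity identity = principal.Identity;

        // The identity WCF authenticated for this call; Current is null when
        // the endpoint that received the call has no security configured.
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        string wcfCaller = (ctx == null || ctx.IsAnonymous)
            ? "<anonymous>"
            : ctx.PrimaryIdentity.Name;

        bool inRole = principal.IsInRole(RequiredRole);

        // Log on the server so the detail never has to travel back in a fault.
        Trace.TraceInformation(
            "GetWelcomeMessage: principal='{0}' authenticated={1} authType='{2}' " +
            "wcfCaller='{3}' role='{4}' inRole={5}",
            identity.Name, identity.IsAuthenticated, identity.AuthenticationType,
            wcfCaller, RequiredRole, inRole);

        // Imperative form of the attribute in the question: throws
        // SecurityException when the current principal is not in the role.
        new PrincipalPermission(null, RequiredRole).Demand();

        return "hello world";
    }
}
```

An empty principal name with authenticated=False means the call reached the operation without Windows credentials, so the group check can never pass. An authenticated name with inRole=False points at group resolution instead.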
