RE: WCF Proxy Server settings not working



Hi Steven,

Sorry for the late reply - I was out of the office the last few days.

I haven't tried this in our production environment yet, but I have little
doubt it will work, since this is just part of the overall solution, and with
the application pool settings set correctly, the w3wp.exe process is running
under the internet access user, not an anonymous or machine user.

I'm not sure what's going on with Identity Impersonate, but I tried this:

<system.web>
  <identity impersonate="true" userName="domain\login" password="password"/>
  <authentication mode="Windows"/>
  <authorization>
    <deny users="?"/>
  </authorization>
</system.web>

in the "Research" service's web.config, and WindowsIdentity.GetCurrent()
still returned ASPNET. That leads me to believe that there's something more
going on here than just WCF, but I don't know what. I've used that before and
had luck ...

Regarding the processModel - changing that did work. I'll keep that set for
now since I need to test this, but if you can find any answers regarding
passing the credentials through to WCF, I'd greatly appreciate it.

Thanks!
Clint

"Steven Cheng" wrote:

Thanks for your reply Clint,

For the production environment, even if you switch the Application Pool
identity, it still does not work? Then, what's the account displayed if you
use WindowsIdentity.GetCurrent() to check it?

Also, on the XP box, it's also a bit unexpected that <identity
impersonate="true" userName="..." password="..."/> does not work. I think by
using this setting, you'll get the custom account displayed via
WindowsIdentity.GetCurrent(), correct? If this is the case, I think there
is likely to be something specific to the WCF client transport channel's
implementation on acquiring the security credential for the proxy. Currently
I'm also forwarding this issue to some other WCF engineers for more ideas
on this. I'll let you know if I get any update on this.

BTW, since on your XP machine it used to display the MACHINE\ASPNET account,
at least this indicates that it is using XP/IIS5's default worker
process account. If possible, you can try switching the <processModel>
element for testing to verify the behavior.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead





--------------------
Subject: RE: WCF Proxy Server settings not working
Date: Thu, 2 Oct 2008 07:36:01 -0700


I do have a few additional questions - sorry!

I had changed the anonymous user to a privileged user (this is on my
development workstation, not for public use - we're on Windows 2003 in
production, and would go down the Application Pool route you described) to
have the request for that site run as that user. That wasn't successful
anyway, so I changed it back to the PC's anonymous user.

As for processModel, I'd like to shy away from changing my machine.config
file, so I tried setting <identity impersonate="true" userName="..."
password="..."/> and, thinking that would make a difference, tried running
the project. Still no luck. Why wouldn't this work? Doesn't this force the
project to run under the context of whatever's in the identity element?

Also, why is it that I can make this work via a regular Web Service
reference, but not through a Service Reference? In a web reference, I can
set client credentials and proxy information through code, but not through
a WCF service (that I can see). Is there a way to do this that I'm missing?

Thanks again!


"Steven Cheng" wrote:

Thanks for your reply Clint,

Based on your further description, we can see that in the #1
approach ("Research" service), the running security account is not the
correct one, which causes the proxy authentication to fail.

Why are you changing the "anonymous user account" in IIS? The anonymous user
just represents the account that will be associated with each request (when
anonymous is enabled in IIS). However, for an ASP.NET application (hosting a
web service or WCF), if you haven't done impersonation on the application or
each thread (by web.config or programmatically), that account won't affect
the security context of your ASP.NET web application. Also, from an IIS
security perspective, it is never a good idea to set the "anonymous account"
to a privileged one.

For your scenario, since you are using IIS5/XP, I think you should try
changing the worker process account of your ASP.NET web application. That
can be done by the <processModel> element in the machine.config file. Here
are some reference articles which explain this:

#Process and request identity in ASP.NET
http://support.microsoft.com/kb/317012

#processModel Element (ASP.NET Settings Schema)
http://msdn.microsoft.com/en-us/library/7w2sway1.aspx

Assign an account which is valid for the remote proxy server in the
userName/password attributes of the <processModel> element.

This is different from IIS6 (where you can use the Application Pool to
specify the process account you want to use).

If there is anything unclear, please feel free to let me know.
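The two points the thread keeps returning to, checking which Windows account the request thread really runs as and handing proxy-server credentials to a WCF client from code (the Service Reference counterpart of setting Proxy/Credentials on an ASMX web reference), as an added example that is not code from either poster. The IResearchService contract, the host names and the credential values are placeholders.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.ServiceModel;

// Placeholder contract for the "Research" service; the thread never shows it.
[ServiceContract]
public interface IResearchService
{
    [OperationContract]
    string Lookup(string term);
}

public static class ResearchClientFactory
{
    // The check Steven asks for: which Windows account is the request thread
    // running as? On IIS 5 without impersonation this is MACHINE\ASPNET; with
    // <identity impersonate="true" userName=... /> it should be that user; on
    // IIS 6 it is the application pool identity that w3wp.exe runs under.
    public static string CurrentAccount()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            return id.Name;
        }
    }

    // Give the HTTP transport a proxy-server account in code. BasicHttpBinding
    // has UseDefaultWebProxy = true by default, so it picks up whatever is in
    // WebRequest.DefaultWebProxy. Pass proxyAccount = null to let the process
    // or thread identity authenticate to the proxy instead (the processModel /
    // application-pool approach discussed above).
    public static ChannelFactory<IResearchService> Create(
        Uri serviceAddress, Uri proxyServer, NetworkCredential proxyAccount)
    {
        WebProxy proxy = new WebProxy(proxyServer);
        if (proxyAccount != null)
            proxy.Credentials = proxyAccount;      // explicit proxy account
        else
            proxy.UseDefaultCredentials = true;    // current process/thread identity
        WebRequest.DefaultWebProxy = proxy;        // process-wide; set once at startup

        BasicHttpBinding binding = new BasicHttpBinding();
        binding.UseDefaultWebProxy = true;         // the default, stated explicitly
        return new ChannelFactory<IResearchService>(
            binding, new EndpointAddress(serviceAddress));
    }
}
```

Log CurrentAccount() first; if it still reports ASPNET after the web.config change, the impersonation setting is not taking effect and no WCF setting will change which account reaches the proxy.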






