Re: WCF and ASP.Net wsHTTPBinding Access Denied




"Eddie" <Eddie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:78C1D997-0CD4-4641-9610-866EFD7D8D47@xxxxxxxxxxxxxxxx
Here is my scenario for a problem I can't solve. I am hosting a 3.5 WCF
service in IIS on Windows Server 2003. The service works fine with the WCF
test client in Visual Studio 2008 and from an ASP.Net client hosted on my
development machine in VS2008. As soon as I deploy the ASP.net client to the
"Same" IIS server, I get Access Denied messages.

My goal is to use AD security groups so the authenticated user on the
ASP.net page should be in the group to access the service. I have validated
all of this is true.

Please Help. I have spent way too much time on this and just can't find the
problem.

Here are the relevant artifacts:

Error Message from IIS when attempting to make call to service

Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information about
the error and where it originated in the code.

Exception Details:
System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.


I could be off, but wouldn't you also have to consider the permission rights of the ASP.Net worker process? The ASP.Net worker process thread is the thread that's hosting the ASP.NET solution on IIS, and it's the process that's hosting the WCF solution on IIS.

This link may help you.

http://www.codeproject.com/KB/web-security/Sec_Run_ASPNET_WP.aspx

<identity> Web.config section

The <identity> Web.config section defines what identity (Windows account) to use when accessing the ASP.NET application. Here is the generic syntax of the <identity> section of the Web.config:

<identity impersonate="true|false" userName="username" password="password"/>

Impersonation is the concept whereby an application executes under the context of the identity of the client that is accessing the application. This is achieved by using the access token provided by IIS.

By default the ASPNET Windows account is used to access ASP.NET resources through the Aspnet_wp.exe process. This account is less powerful compared to the IUSR_machinename guest Internet account used by classic ASP, for example. In certain situations you might want to use the anonymous IUSR_machinename account as the account accessing your ASP.NET application, and you can do that by using the following code in your Web.config file:

http://www.codeproject.com/KB/web-security/Sec_Run_ASPNET_WP.aspx
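
To see which Windows account the deployed ASP.NET client is actually running as, the identities discussed above can be reported from a page on the IIS server. This is an added example, not part of the original post or the linked article; the class name `IdentityReport` and the group name `DOMAIN\ServiceUsers` are hypothetical placeholders, and it assumes Windows authentication is enabled for the client site.

```csharp
// Added diagnostic (not from the original thread). Call IdentityReport.Build()
// from a page in the deployed ASP.NET client and compare the output with the
// same page running on the development machine.
using System;
using System.Security.Principal;
using System.Text;
using System.Web;

public static class IdentityReport
{
    // Hypothetical placeholder: replace with the AD group the service authorizes.
    private const string RequiredGroup = @"DOMAIN\ServiceUsers";

    public static string Build()
    {
        var sb = new StringBuilder();

        // Who the browser user authenticated as (anonymous if IIS allows anonymous access).
        IIdentity pageUser = HttpContext.Current != null && HttpContext.Current.User != null
            ? HttpContext.Current.User.Identity
            : null;
        sb.AppendLine("Page user:       " + Describe(pageUser));

        // Non-null only while the request thread is impersonating,
        // e.g. with <identity impersonate="true"/> in Web.config.
        using (WindowsIdentity impersonated = WindowsIdentity.GetCurrent(true))
        {
            sb.AppendLine("Impersonating:   " + (impersonated != null ? impersonated.Name : "no"));
        }

        // Effective Windows identity of this thread: the impersonated token if
        // there is one, otherwise the worker process account.
        using (WindowsIdentity effective = WindowsIdentity.GetCurrent())
        {
            sb.AppendLine("Thread identity: " + effective.Name);
            bool inGroup = new WindowsPrincipal(effective).IsInRole(RequiredGroup);
            sb.AppendLine("In " + RequiredGroup + ": " + inGroup);
        }
        return sb.ToString();
    }

    private static string Describe(IIdentity id)
    {
        if (id == null || !id.IsAuthenticated) return "(anonymous)";
        return id.Name + " via " + id.AuthenticationType;
    }
}
```

If "Thread identity" shows the worker process account rather than the page user, the group check is being evaluated against the service account, not the person who logged in to the page.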

