Pass credentials from one wcf service to another wcf service - wcf-security

I have 2 wcf services both hosted on IIS on the same machine.
Service A is called by a client and uses BasicHttpBinding with transport security and NTLM credentialtype.
Service A needs to call service B which is also hosted on IIS but uses WsHttpBinding with transport security and NTLM credentialtype.
IIS is configured to use integrated windows authentication.
The first attempt I got a 403 forbidden message:
System.ServiceModel.Security.MessageSecurityException : The HTTP request was forbidden with client authentication scheme 'Ntlm'.
System.Net.WebException: The remote server returned an error: (403) Forbidden.
This is normal because when I make a call from service A to service B the identity of the application pool is used.
In my second attempt I tried to impersonate the call to service B but then the problem is all code in the operation is executed under the callers account. This account has no ACL permissions on the server and providing these permissions is not an option.
The following error is logged:
System.IO.FileLoadException : Could not load file or assembly 'System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies. The handle is invalid. (Exception from HRESULT: 0x80070006 (E_HANDLE))
How could I solve this without changing security the ACL's or the application pool identity?

Check this out:
http://blogs.msdn.com/b/securitytools/archive/2009/11/04/double-hop-windows-authentication-with-iis-hosted-wcf-service.aspx.
Found the above link here:
http://go4answers.webhost4life.com/Example/calling-wcf-service-another-wcf-service-204170.aspx

Related

The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was ''

When I try to access an HTTP REST API hosted on a site within my machine’s local IIS, I get this error message:
The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was ''."
Anonymous Authentication is enabled in the site’s IIS authentication settings, and the identity of the anonymous user is set to be that of the IUSR role. The IUSR role has read permissions on the underlying virtual directory associated with my IIS site, and I have also tried giving “Everyone” Full Control over the underlying connection virtual directory (see below). Both the virtual directory and the IIS site should have sufficient authentication allowed for anonymous access.
Project Properties - Security - Permissions
The exact same code used in this web project runs perfectly fine on a different computer, so I don’t believe the issue lies in the code.
Stack Trace (snippet):
at Autofac.Core.Resolving.InstanceLookup.Activate(IEnumerable`1 parameters)","InnerException":{"Message":"An error has occurred.","ExceptionMessage":"An exception was thrown while invoking the constructor 'Void .ctor(PIM.App.Infrastructure.Setttings.ISettingsProvider)' on type 'ServiceFactory'. ---> The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was ''. (See inner exception for details.)","ExceptionType":"Autofac.Core.DependencyResolutionException","StackTrace":"
at Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()\r\n
at Autofac.Core.Activators.Reflection.ReflectionActivator.ActivateInstance(IComponentContext context, IEnumerable`1 parameters)\r\n
at Autofac.Core.Resolving.InstanceLookup.Activate(IEnumerable`1 parameters)","InnerException":{"Message":"An error has occurred.","ExceptionMessage":"The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was ''.","ExceptionType":"System.ServiceModel.Security.MessageSecurityException","StackTrace":"\r\nServer stack trace: \r\n
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory`1 factory)\r\n
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory`1 factory, WebException responseException, ChannelBinding channelBinding)\r\n

Error hosting WCF on WAS

I am getting this error while hosting my WCF application on windows service. The service is hosted on a server and i want to access it over internet. So i gave it networkservice permission.
Service cannot be started. System.ServiceModel.AddressAccessDeniedException: HTTP could not register URL http://+:8085/lupload/. Your process does not have access rights to this namespace (see http://go.microsoft.com/fwlink/?LinkId=70353 for details). ---> System.Net.HttpListenerException: Access is denied
at System.Net.HttpListener.AddAllPrefixes()
at System.Net.HttpListener.Start()
at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
--- End of inner exception stack trace ---
at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
at System.ServiceModel.Channels.TransportManager.Open(TransportChannelListener channelListener)
at System.ServiceModel.Channels.TransportManagerContainer.Open(SelectTransportManagersCallback selectTransportManagerCallback)
at System.ServiceModel.Channels.TransportChannelListener.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.HttpChannelListener.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(Tim...
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
NetworkService is actually a limited account, you need to go for LocalSystem which is the equivalent of an Administrator account. That'll solve your problem.

How to check what is the soap meesage passed to the server on click of a button? Fiddler?

I want to capture the SOAP request and actual response from the WebService.
Scenario : On click of a button in asp.net application I call a web service. The Web Service returns an exception : System.Web.Services.Protocols.SoapHeaderException: Access is denied. at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall) at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters) at WebRefProject.HRWS.TeamMemberData201012Service.getTeamMemberProfilesByFullName(GetTeamMemberProfilesByFullNameRequest_Type getTeamMemberProfilesByFullName1) in C:\Project\FinalPAT\WebCode\1PSV\WebRefProject\Web References\HRWS\Reference.cs:line 138 at UIPSAT.GetUserDetails.GetUserDetailsbyFullName(String searchValue) in C:\Project\FinalPAT\WebCode\1PSV\UI\GetUserDetails.cs:line 209
Explanation:
I have a asp.net application which calls a web service to search for employee details.
The WS requires certificates and we attach it along the request.
The service is working good on local with local certificate.
It isnt working on Dev server and is giving the above exception.
A sample application runs good on Dev with the Dev certificate.
How do I know what SOAP is sent to the web service?
Also I could not add the reference of the web service directly to the solution as it was protected and Visual Studio IDE could not add it.
However the WSDL file was not protected. It was successfully added and the URL of the Web Service was changed based on the appropriate server environments.
How do check the SOAP Request and Response?
Yes, Fiddler.
You can use WCF Diagnostic message logging facilities. Just config it on your client, the soap messages will be logged. For instance:
<diagnostics>
<messageLogging
logEntireMessage="true"
logMalformedMessages="true"
logMessagesAtServiceLevel="true"
logMessagesAtTransportLevel="true"
maxMessagesToLog="1000"
maxSizeOfMessageToLog="5000"/>
</diagnostics>
You can configure soapUI (http://www.soapui.org/) to act as a logging proxy between your web service client and server. Configure your client to connect to a soapUI proxy instance running on the client host. Configure the soapUI instance to then forward to the service on the remote server.
You can get the trace file to a location. Add the following to the web.Config file :

WMI access denied error when query remote computer from ASP.NET

I have an ASP.NET application that executes a WMI call to a remote system. The application Web.config contains <identity impersonate="true"> and <authentication mode="Windows"> options which, as I understand, should force the application code to be executed on behalf of the application user.
The problem is that I get "Access is denied" error, despite the fact I can successfully execute the my WMI request from PowerShell console on the same host under the same user to the remote server in question.
// this doesn't work
ManagementScope scope = new ManagementScope();
scope.Path.NamespacePath = "root\\virtualization";
scope.Path.Server = "vs01";
scope.Connect(); // <-- here comes exception
# this works just fine
Get-WmiObject -Namespace 'root\virtualization' -Class Msvm_ComputerSystem -ComputerName vs01
Dumping HttpContext.Current.User.Identity.Name, System.Security.Principal.WindowsIdentity.GetCurrent().Name, System.Threading.Thread.CurrentPrincipal.Identity.Name properties suggest that impersonation works as expected.
Ideas? Could the issue be some kind of .NET or IIS security?
You need to have a domain administrator enable Delegation for your web server machine. This is a security feature of Kerberos. By default an intermediate server (in this case your web server) is not allowed to pass the impersonation context of a client to the remote server unless it has been given Delegation permission. If you don't do this the remote target server will see the request coming in as Anonymous User... which if its properly secured will be denied access.
Note its a common policy to only allow an intermediate server to delegate to specific target servers (called constrained delegation), so if your web app needs to be able to call WMI on any server in your network you may have problem. Talk to your domain admin.

ASP.NET 3.5 + System.Web.Routing

I have downloaded sample from here (Demo)but when i deploy it on my Godady server it gives me error
Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.
Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
Can any one tell me what's wrong with Godady. This sample work fine on local machine.
I wrote to Godady but confused what to ask them now....
Support Staff Response
Thank you for contacting Online
Support.
This looks like a trust issue.Trust
level refers to permissions set in the
Web.config file that dictate what
operations can and cannot be performed
by Web applications. Our ASP.NET 3.5
shared hosting servers use the default
Medium trust level with the addition
of OleDbPermission, OdbcPermission,
and a less-restrictive WebPermission.
Applications operating under a Medium
trust level have no registry access,
no access to the Windows event log,
and cannot use ReflectionPermission
(but can use Reflection). Such
applications can communicate only with
a defined range of network addresses
and file system access is limited to
the application's virtual directory
hierarchy.
Using a Medium trust level prevents
applications from accessing shared
system resources and eliminates the
potential for application
interference. Adding OleDbPermission
and OdbcPermission allows applications
to use those data providers to access
databases. WebPermission is modified
to allow outbound http and https
traffic.
Please let us know if we can assist
you in any other way.
Customer Inquiry
I have uploaded my site
(http://www.pinchofbliss.com/anything)
but i get error :
======================================================================
Description: The application attempted
to perform an operation not allowed by
the security policy. To grant this
application the required permission
please contact your system
administrator or change the
application's trust level in the
configuration file.
Exception Details:
System.Security.SecurityException:
Request for the permission of type
'System.Security.Permissions.SecurityPermission,
mscorlib, Version=2.0.0.0,
Culture=neutral
========================================================================
For more detail let me write more that
this sample application working fine
on local machine even i placed
application with source code this
sample application can be downloaded
from here
http://chriscavanagh.wordpress.com/2008/03/11/aspnet-routing-goodbye-url-rewriting/

Resources