'rolePrincipal.Identity.AuthenticationType' threw an exception of type 'System.UnauthorizedAccessException'

Aug 23, 2009 at 3:41 PM

Hi

Hello all - any help would be greatly appreciated.

Thanks -- Peter


I feel I have followed the article http://wcfsecurityguide.codeplex.com/Wiki/View.aspx?title=Ch%2009%20-%20Intranet%20%u2013%20Web%20to%20Remote%20WCF%20Using%20Transport%20Security%20%28Original%20Caller%2c%20TCP%29 to a T and am still having problems.

I am using Windows Authentication; the Application Pools for both the Service and the Web Application are using a Domain Account. I followed the instructions for the
Service Principal Name (SPN), enabled the domain account as trusted for delegation, turned off Anonymous Authentication, etc.

I am using impersonation of the caller before I call the proxy - see the example below.


Any assistance at all would be appreciated. If any additional information is required, please let me know.


Interesting Fact
If I use
principalPermissionMode="UseWindowsGroups" instead of "UseAspNetRoles" the Service Calls work. Of course I am sure this has something to do with me being logged into the server and hitting the web page - it is using my credentials from my Windows login.

ERROR MESSAGE WHEN I DEBUG THE WCF SERVICE

In the service, when I try to check the identity of the caller:

         // namespaces the snippet needs: System.Security.Principal, System.Threading, System.Web.Security
         IPrincipal principal = Thread.CurrentPrincipal;
         string IdentOfCaller = principal.Identity.Name;
         bool isAuthenticated = principal.Identity.IsAuthenticated;

         // Tried this way too: wrap the current identity in an ASP.NET RolePrincipal
         IIdentity currentIdentity = Thread.CurrentPrincipal.Identity;
         RolePrincipal rolePrincipal = new RolePrincipal(currentIdentity);
         Thread.CurrentPrincipal = rolePrincipal;

 AuthenticationType = 'rolePrincipal.Identity.AuthenticationType' threw an exception of type 'System.UnauthorizedAccessException'
 AuthenticationType = '((System.Security.Principal.WindowsIdentity)(ServiceSecurityContext.Current.PrimaryIdentity)).AuthenticationType' threw an exception of type 'System.UnauthorizedAccessException'
 AuthenticationType = 'System.ServiceModel.ServiceSecurityContext.Current.WindowsIdentity.AuthenticationType' threw an exception of type 'System.UnauthorizedAccessException'
 AuthenticationType = 'principal.Identity.AuthenticationType' threw an exception of type 'System.UnauthorizedAccessException'

While debugging the service, when I try to check Roles.IsUserInRole(AppRoles.DBCallRole):

System.Configuration.Provider.ProviderException was unhandled by user code
  Message="Method is only supported if the user name parameter matches the user name in the current Windows Identity."
  Source="System.Web"
  StackTrace:
       at System.Web.Security.WindowsTokenRoleProvider.GetCurrentWindowsIdentityAndCheckName(String userName)
       at System.Web.Security.WindowsTokenRoleProvider.GetCurrentTokenAndCheckName(String userName)
       at System.Web.Security.WindowsTokenRoleProvider.IsUserInRole(String username, String roleName)
       at System.ServiceModel.Security.RoleProviderPrincipal.IsInRole(String role)
       at System.Security.Permissions.PrincipalPermission.Demand()
       at System.Security.PermissionSet.DemandNonCAS()
       at WCFDALService.ServiceClass.GetOracleDataSetSPXML(DBInfo info) in C:\Projects\DAL\WCFService\WCFService\ServiceClass.cs:line 101
       at SyncInvokeGetOracleDataSetSPXML(Object , Object[] , Object[] )
       at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
       at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
  InnerException:

 


O/S - WAS Windows Server 2008 - I realize the document is for hosting via a Windows Service.
Both the WCF Service and Web Application are installed on the same server for now.


Sample Code Call from the Web Application to the Service

// needs System.Security.Principal, System.ServiceModel and System.Web; Val1 and ds are defined elsewhere in the page
using (((WindowsIdentity)HttpContext.Current.User.Identity).Impersonate())
{
    // The proxy is created and called inside the impersonation scope so the channel
    // is opened with the web user's token rather than the application pool account.
    objDALWCF.ServiceClassClient client = new objDALWCF.ServiceClassClient();
    try
    {
        IList<objDALWCF.ReturnResultsDS> list = client.GetOracleDataSetSPXML(Val1);
        ds = list[0].dS;
        bool res = list[0].statusResults;
        client.Close();
        Response.Write("result of call res = " + res);
    }
    catch (CommunicationException) { client.Abort(); throw; } // a faulted channel cannot be Close()d
    catch (TimeoutException) { client.Abort(); throw; }
}


WCF Service Config File

relevant parts

<system.web>
  <roleManager enabled="true"
               defaultProvider="AspNetWindowsTokenRoleProvider" />
</system.web>

<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <behavior name="metadataSupport">
        <serviceAuthorization
          principalPermissionMode="UseAspNetRoles"
          roleProviderName="AspNetWindowsTokenRoleProvider" />
        <serviceMetadata httpGetEnabled="true"/>
        <!-- returns exception details (stack traces, paths) to callers;
             fine while debugging, set to false before the service goes live -->
        <serviceDebug includeExceptionDetailInFaults="true"/>
      </behavior>
    </serviceBehaviors>
  </behaviors>

  <bindings>
    <netTcpBinding>
      <binding name="tcpbinding" portSharingEnabled="true">
        <security mode="Transport">
          <transport clientCredentialType="Windows"
                     protectionLevel="EncryptAndSign"/>
          <message clientCredentialType="Windows"/>
        </security>
      </binding>
    </netTcpBinding>
  </bindings>
</system.serviceModel>




Web Application Config File

Listing parts that I feel are relevant

<authentication mode="Windows"/>
<authorization>
  <allow roles="OMH\DBCallRole,OMH\ReportCallRole"/>
  <deny users="*"/>
</authorization>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"/>

<system.serviceModel>
  <bindings>
    <netTcpBinding>
      <binding name="WCFDALServiceIServiceClass" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions" hostNameComparisonMode="StrongWildcard" listenBacklog="10" maxBufferPoolSize="524288" maxBufferSize="65536" maxConnections="10" maxReceivedMessageSize="65536">
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384"/>
        <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false"/>
        <security mode="Transport">
          <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign"/>
          <message clientCredentialType="Windows"/>
        </security>
      </binding>
    </netTcpBinding>
  </bindings>

  <client>
    <endpoint address="net.tcp://coappt82.omh.omhnet.dom/WCFDALServiceHost/Service.svc" binding="netTcpBinding" bindingConfiguration="WCFDALServiceIServiceClass" contract="objDALWCF.IServiceClass" name="WCFDALServiceIServiceClass">
      <identity>
        <userPrincipalName value="WFCServiceUser@omh.omhnet.dom"/>
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
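Added example, not code from the original post or from the patterns & practices guide it cites: a service operation written so that the WindowsTokenRoleProvider check in the stack trace above succeeds. The provider compares the user name it is given with WindowsIdentity.GetCurrent(); in a WCF operation that is not impersonating, GetCurrent() is the application pool account (WFCServiceUser in the post), not the web user carried in ServiceSecurityContext, which is exactly the mismatch the ProviderException reports. Marking the operation with ImpersonationOption.Required (or setting impersonateCallerForAllOperations="true" on the serviceAuthorization element) runs it under the caller's token so the two identities agree. The names IWhoAmIService, WhoAmIService and CallerInfo are hypothetical; the role name OMH\DBCallRole is taken from the post's web.config; the service is assumed to keep the post's serviceAuthorization settings (principalPermissionMode="UseAspNetRoles", roleProviderName="AspNetWindowsTokenRoleProvider") and its transport-secured netTcpBinding with Windows credentials.

```csharp
using System;
using System.Runtime.Serialization;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.Web.Security;

// Hypothetical contract; the post's real contract is objDALWCF.IServiceClass.
[ServiceContract]
public interface IWhoAmIService
{
    [OperationContract]
    CallerInfo WhoAmI();
}

// Diagnostic result returned to the caller (hypothetical type).
[DataContract]
public class CallerInfo
{
    [DataMember] public string ContextIdentity;    // identity WCF authenticated (ServiceSecurityContext)
    [DataMember] public string ThreadIdentity;     // identity the operation actually runs as (GetCurrent)
    [DataMember] public string AuthenticationType; // Kerberos/NTLM, when readable
    [DataMember] public bool InDbCallRole;
}

public class WhoAmIService : IWhoAmIService
{
    // Role name assumed from the post's <allow roles="OMH\DBCallRole,..."/>.
    private const string DbCallRole = @"OMH\DBCallRole";

    // Impersonation.Required makes WCF switch the thread to the caller's Windows token
    // before invoking the method, so the declarative PrincipalPermission demand below
    // (RoleProviderPrincipal -> WindowsTokenRoleProvider) sees the caller as the
    // "current Windows Identity" instead of the application pool account.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    [PrincipalPermission(SecurityAction.Demand, Role = DbCallRole)]
    public CallerInfo WhoAmI()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        WindowsIdentity current = WindowsIdentity.GetCurrent();

        CallerInfo info = new CallerInfo
        {
            ContextIdentity = caller.Name,
            ThreadIdentity = current.Name
        };

        // AuthenticationType threw UnauthorizedAccessException in the post's environment.
        // It is diagnostic only, so a failure to read it must not fail the operation.
        try
        {
            info.AuthenticationType = caller.AuthenticationType;
        }
        catch (UnauthorizedAccessException)
        {
            info.AuthenticationType = "<not readable>";
        }

        // Defence in depth: if the thread is not running as the authenticated caller,
        // impersonation did not take effect and no role decision should be trusted.
        if (!string.Equals(caller.Name, current.Name, StringComparison.OrdinalIgnoreCase))
        {
            throw new FaultException("Operation is not running under the caller's identity.");
        }

        // With the identities aligned the provider accepts the user name instead of
        // throwing ProviderException; the WindowsPrincipal check is the provider-free
        // equivalent, evaluated against the same impersonation token.
        bool viaProvider = Roles.IsUserInRole(caller.Name, DbCallRole);
        bool viaToken = new WindowsPrincipal(current).IsInRole(DbCallRole);
        info.InDbCallRole = viaProvider && viaToken;
        return info;
    }
}
```

Impersonation at the service only works if the client's token allows it: the default AllowedImpersonationLevel for WCF Windows client credentials is Identification, which lets the service read the caller's name but not run as the caller. The web application therefore has to set client.ClientCredentials.Windows.AllowedImpersonationLevel to TokenImpersonationLevel.Impersonation (Delegation if the service is to reach Oracle as the original caller, which is what the SPN and "trusted for delegation" setup in the post is for) before the first call on the proxy.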