Context : NET 4.5 / SL 5 / Csla: 4.5.30.0 / IIS: 7.5 / OS: Win7
Hi everyone,
I am currently experiencing a problem getting Windows authentication working with my CSLA 4.5 SL application. I have set up Windows authentication the same way as the samples from the ebook (04-Dataportal).
When I run the application from my development workstation with IISExpress, everything works fine. So I next set up my development and test web servers using IIS 7.5. I have worked through many issues getting impersonation to work (starting with just enabling Windows Authentication and ASP.NET Impersonation, using the ASP.NET v4.0 Classic application pool ...). Now, I think the IIS configuration and web.config are fine (just in case, I have included them at the end of the post).
Now, when I call the application (hosted in IIS) from the browser on my development machine, the browser authentication prompt is displayed, but if I log in I get the following exception: "Some or all identity references could not be translated":
So, I ended up setting up remote debugging on my development web server to see what was going on. I have found that the exception came up in the PopulateWindowsIdentity method (Csla.Silverlight.Security).
Below, the stack trace:
à System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)
à System.Security.Principal.SecurityIdentifier.Translate(Type targetType)
à Csla.Silverlight.Security.WindowsIdentity.PopulateWindowsIdentity()
à Library.CustomIdentity.DataPortal_Fetch() dans c:\Users\CONTE\Documents\Visual Studio 2012\Projects\Samples\CSLA V4.5.30-23\04-DataPortal-110504\Authentication\Windows 4.5\Library.Net\CustomIdentity.cs:ligne 27
à lambda_method(Closure , Object , Object[] )
à Csla.Reflection.MethodCaller.CallMethod(Object obj, DynamicMethodHandle methodHandle, Boolean hasParameters, Object[] parameters)
Does anybody know what the issue here might be?
Here are some posts with interesting advice:
http://forums.lhotka.net/forums/p/8931/42494.aspx
http://forums.lhotka.net/forums/p/9453/44801.aspx
IIS configuration used:
· IIS Authentication settings: ASP.NET Impersonation and Windows Authentication are enabled.
· ASP.NET v4.0 Classic is used for the application pool
web.config used:
<configuration>
  <appSettings>
    <add key="CslaAuthentication" value="Windows"/>
    <add key="CslaWriter" value="Csla.Serialization.Mobile.CslaBinaryWriter, Csla" />
    <add key="CslaReader" value="Csla.Serialization.Mobile.CslaBinaryReader, Csla" />
  </appSettings>
  <system.web>
    <compilation debug="true" targetFramework="4.5"/>
    <authentication mode="Windows"/>
    <identity impersonate="true" /> <!-- comment it out to run with IIS Express -->
    <pages controlRenderingCompatibilityVersion="4.0"/>
  </system.web>
  <system.diagnostics>
    <sources>
      <source name="System.ServiceModel" switchValue="Information, ActivityTracing" propagateActivity="true">
        <listeners>
          <add name="traceListener" type="System.Diagnostics.XmlWriterTraceListener" initializeData="c:\temp\WinAuthTrace.xml"/>
        </listeners>
      </source>
    </sources>
    <trace autoflush="true"/>
  </system.diagnostics>
  <system.serviceModel>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true"/>
    <services>
      <service name="Csla.Server.Hosts.WcfPortal" behaviorConfiguration="windowsAuthReturnFaults">
        <endpoint binding="wsHttpBinding" bindingConfiguration="wsHttpBinding_IWcfPortal" contract="Csla.Server.Hosts.IWcfPortal"/>
      </service>
      <service name="Csla.Server.Hosts.Mobile.WcfPortal" behaviorConfiguration="returnFaults">
        <endpoint binding="basicHttpBinding" bindingConfiguration="basicHttpBinding_IWcfPortal"
                  contract="Csla.Server.Hosts.Mobile.IWcfPortal" />
      </service>
    </services>
    <bindings>
      <basicHttpBinding>
        <binding name="basicHttpBinding_IWcfPortal"
                 maxReceivedMessageSize="2147483647"
                 maxBufferPoolSize="2147483647"
                 maxBufferSize="2147483647">
          <readerQuotas maxBytesPerRead="2147483647"
                        maxArrayLength="2147483647"
                        maxStringContentLength="2147483647"
                        maxNameTableCharCount="2147483647"
                        maxDepth="2147483647"/>
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows"/>
          </security>
        </binding>
      </basicHttpBinding>
      <wsHttpBinding>
        <binding name="wsHttpBinding_IWcfPortal"
                 maxReceivedMessageSize="2147483647">
          <readerQuotas maxBytesPerRead="2147483647"
                        maxArrayLength="2147483647"
                        maxStringContentLength="2147483647"
                        maxNameTableCharCount="2147483647"
                        maxDepth="2147483647"/>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="returnFaults">
          <serviceDebug includeExceptionDetailInFaults="true"/>
          <serviceAuthorization impersonateCallerForAllOperations="true" /> <!-- comment it out to run with IIS Express -->
        </behavior>
        <behavior name="windowsAuthReturnFaults">
          <serviceDebug includeExceptionDetailInFaults="true"/>
          <serviceAuthorization impersonateCallerForAllOperations="true"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
Best regards,
Cedric
Hi everyone,
I'm scratching my head and I'm running out of options about the PopulateWindowsIdentity issue. I don't know if my problem comes from an IIS setting issue or something with CSLA. Has someone set up Windows authentication with .NET 4.5 / SL 5 who could give some feedback?
I am thinking of using a workaround by implementing impersonation on the server based on the user's username/password.
Thanks for your help in advance.
Cedric
Is it possible that the IIS server is running your code in partial trust? Maybe that blocks the API call to AD to get the user's info?
Thank you Rocky for your help.
I have checked it and the IIS trust level is set to Full.
I'm going to keep investigating...
Hi everyone,
Just want to share with you what I have found about Windows authentication for the Silverlight application. Actually, to make it run, I switched the IIS Application Pool Identity from "ApplicationPoolIdentity" to "NetworkService" and then restarted IIS. All the settings (web.config and IIS) from my previous post were right; the only little thing missing was the IIS Application Pool Identity.
Hope it helps someone else.
I am having this exact same problem. "Some or all identity references could not be translated." occurring when calling PopulateWindowsIdentity().
However, if I switch my AppPool to NetworkService, the error goes away, but then the AppPrincipal is retrieving the user 'NETWORK SERVICE'. This is a problem as I need to be able to check the AppPrincipal.Username and assign application-level security based on that information. I suspect I need to use ApplicationPoolIdentity.
Running locally works perfectly but I can't seem to find the IIS setting to make this work on the webserver. Using .NET 4.5 and CSLA 4.5.40.
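The post above describes the security-relevant failure mode of this whole thread: when impersonation is not actually in effect, the server-side identity is the worker process account (here NETWORK SERVICE) rather than the calling user, and any application-level authorization derived from it is silently wrong. The following C# is an added example, not code from the thread or from CSLA itself; it is a guard a data portal method such as DataPortal_Fetch could call before building a principal. It assumes the server runs under WCF (so `ServiceSecurityContext.Current` is available) and that the class name `CallerIdentityGuard` and its methods are hypothetical names chosen here.

```csharp
// Added example (not part of the thread or the CSLA library): refuse to build an
// application principal from a service-account identity, and turn the
// IdentityNotMappedException seen in the original stack trace into a diagnostic
// that says which identity failed to translate.
using System;
using System.Security.Principal;
using System.ServiceModel;

public static class CallerIdentityGuard   // hypothetical name
{
    // Process/service accounts that must never be treated as "the user".
    private static readonly WellKnownSidType[] ServiceAccountSids =
    {
        WellKnownSidType.NetworkServiceSid,
        WellKnownSidType.LocalServiceSid,
        WellKnownSidType.LocalSystemSid,
    };

    // Returns the identity that application-level security may be based on.
    // Throws if the thread is running as the worker process instead of the
    // impersonated caller, or if the WCF caller and thread identity disagree.
    public static WindowsIdentity ResolveCaller()
    {
        WindowsIdentity threadIdentity = WindowsIdentity.GetCurrent();
        if (threadIdentity == null || threadIdentity.IsAnonymous || threadIdentity.User == null)
            throw new InvalidOperationException("No authenticated Windows identity on this thread.");

        foreach (WellKnownSidType sid in ServiceAccountSids)
        {
            if (threadIdentity.User.IsWellKnown(sid))
                throw new InvalidOperationException(
                    "Thread identity is the service account '" + threadIdentity.Name +
                    "'; impersonation is not in effect, so no application security will be assigned.");
        }

        // Under WCF with impersonateCallerForAllOperations, the thread identity
        // should be the same account the transport authenticated.
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx != null && ctx.WindowsIdentity != null && ctx.WindowsIdentity.User != null
            && !ctx.WindowsIdentity.User.Equals(threadIdentity.User))
        {
            throw new InvalidOperationException(
                "WCF caller '" + ctx.WindowsIdentity.Name + "' does not match thread identity '" +
                threadIdentity.Name + "'; check <identity impersonate> and serviceAuthorization.");
        }

        return threadIdentity;
    }

    // Reproduces the translation step that threw in the original stack trace
    // (SecurityIdentifier.Translate) and reports the raw SID when it fails, so the
    // log shows which account could not be resolved instead of only the message.
    public static string DescribeAccount(WindowsIdentity identity)
    {
        if (identity == null || identity.User == null)
            return "<no SID>";
        try
        {
            NTAccount account = (NTAccount)identity.User.Translate(typeof(NTAccount));
            return account.Value + " (" + identity.User.Value + ")";
        }
        catch (IdentityNotMappedException ex)
        {
            // Same exception text as in the thread; include the SID so an admin
            // can tell a domain user from a local or virtual account.
            return "untranslatable SID " + identity.User.Value + ": " + ex.Message;
        }
    }
}
```

Usage in a data portal method would be `var caller = CallerIdentityGuard.ResolveCaller();` followed by building the custom identity from `caller.Name`, with `DescribeAccount(WindowsIdentity.GetCurrent())` written to the trace listener when the guard throws. The point of failing closed here is that an authorization check keyed on `AppPrincipal.Username` is only meaningful if that name is the authenticated user; getting NETWORK SERVICE back means the request never impersonated, and granting any role to that name would apply to every request the pool serves.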
Are you setting identityImpersonate in your web.config?
Copyright (c) Marimer LLC