Remote Data Portal - Windows Authentication

Old forum URL: forums.lhotka.net/forums/t/7713.aspx


Dexter2 posted on Thursday, October 01, 2009

I am developing a WinForms application that will use the WCF proxy to communicate with the remote data portal,
which is hosted inside of IIS 5.1 (the SQL Server database is also on the same box as the remote portal).

I would like to use Windows authentication as it is an internal application.

I have set up the virtual directory to disallow anonymous access and to use integrated security.

I have set the web.config to use Windows authentication and to impersonate the user.

It seems, from querying Csla.ApplicationContext.User.Identity within my data portal fetch, that the data portal knows the identity of the Windows user, but when the database ConnectionManager tries to create a connection an error is thrown along the lines of "Login failed for user 'MachineName\ASPNET'" (as though the identity has not flowed through to SQL Server).

Any ideas are very welcome as it's driving me nuts!

My Configurations are as follows:

This is my client config

<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="myBasicHttpBindingConfig" closeTimeout="00:01:00"
               openTimeout="01:00:00" receiveTimeout="01:00:00" sendTimeout="01:00:00"
               allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
               maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
               messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
               useDefaultWebProxy="true">
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                      maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
          <message clientCredentialType="UserName" algorithmSuite="Default" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <client>
    <endpoint address="http://localhost/WcfHost/WcfPortal.svc"
              binding="basicHttpBinding"
              bindingConfiguration="myBasicHttpBindingConfig"
              contract="Csla.Server.Hosts.IWcfPortal"
              name="WcfDataPortal" />
  </client>
</system.serviceModel>

 

--My server-side web.config

In system.web, the two below:

<authentication mode="Windows" />

<identity impersonate="true"/>

In system.serviceModel:

<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="myHttpBindingConfig">
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="myWCFBehaviors">
        <serviceDebug includeExceptionDetailInFaults="true"/>
        <serviceMetadata httpGetEnabled="true"/>
        <!--<serviceAuthorization impersonateCallerForAllOperations="true" />-->
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="Csla.Server.Hosts.WcfPortal" behaviorConfiguration="myWCFBehaviors">
      <endpoint contract="Csla.Server.Hosts.IWcfPortal"
                binding="basicHttpBinding"
                bindingConfiguration="myHttpBindingConfig">
        <identity>
          <dns value="localhost"/>
        </identity>
      </endpoint>
      <endpoint address="mex"
                binding="basicHttpBinding"
                bindingConfiguration="myHttpBindingConfig"
                contract="IMetadataExchange">
        <identity>
          <dns value="localhost"/>
        </identity>
      </endpoint>
    </service>
  </services>
</system.serviceModel>
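
The following is an added diagnostic, not code from CSLA or from the original poster. Dropped into a server-side data portal method (for example DataPortal_Fetch) hosted by the WCF data portal above, it reports the Windows identity at each layer (OS thread, Thread.CurrentPrincipal, WCF caller) and then asks SQL Server which login it actually granted, first as-is and then while explicitly impersonating the WCF caller. The connection-string name "Default" is an assumption for illustration.

```csharp
// Added diagnostic example (not CSLA's or the poster's code). Call Report() from a
// server-side data portal method and write the result to your log.
// Assumes .NET Framework 3.5 / WCF and a "Default" connection string (assumed name).
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;
using System.ServiceModel;
using System.Threading;

public static class IdentityFlowDiagnostics
{
    // Windows identity of the thread as the OS sees it. Without effective impersonation
    // this is the worker-process account (MACHINE\ASPNET on IIS 5.1), which is exactly
    // the login that shows up in "Login failed for user ...".
    public static WindowsIdentity ThreadIdentity()
    {
        return WindowsIdentity.GetCurrent();
    }

    // The caller WCF authenticated on the transport (clientCredentialType="Windows").
    // Null when the operation has no Windows security context.
    public static WindowsIdentity CallerIdentity()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous) return null;
        return ctx.WindowsIdentity;
    }

    // Ground truth: the login SQL Server granted for this connection.
    public static string LoginSeenBySqlServer(string connectionString)
    {
        using (SqlConnection cn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", cn))
        {
            cn.Open();
            return (string)cmd.ExecuteScalar();
        }
    }

    private static string TryLogin(string connectionString)
    {
        try { return LoginSeenBySqlServer(connectionString); }
        catch (SqlException ex) { return "FAILED: " + ex.Message; }
    }

    // Builds a one-line report. If CSLA/WCF know the end user but the OS thread is
    // still the process account, nothing impersonated the caller on the thread that
    // opens the connection.
    public static string Report(string connectionString)
    {
        WindowsIdentity caller = CallerIdentity();
        WindowsIdentity thread = ThreadIdentity();
        IPrincipal principal = Thread.CurrentPrincipal;

        string report = string.Format(
            "thread={0} level={1} | principal={2} | wcfCaller={3} auth={4} callerLevel={5} | sqlSees={6}",
            thread.Name,
            thread.ImpersonationLevel,                               // None for the process token
            principal == null ? "(none)" : principal.Identity.Name,
            caller == null ? "(none)" : caller.Name,
            caller == null ? "n/a" : caller.AuthenticationType,     // "NTLM" or "Kerberos"
            caller == null ? "n/a" : caller.ImpersonationLevel.ToString(),
            TryLogin(connectionString));

        // Second attempt: explicitly impersonate the WCF caller around the connection.
        // An Impersonation-level token is enough for SQL Server on the same host; a hop
        // to SQL Server on another host needs a Delegation-level token.
        if (caller != null)
        {
            try
            {
                using (caller.Impersonate())
                {
                    report += " | sqlSeesWhileImpersonating=" + TryLogin(connectionString);
                }
            }
            catch (Exception ex)
            {
                report += " | impersonateFailed=" + ex.Message;
            }
        }
        return report;
    }

    // Convenience overload using the assumed "Default" connection string.
    public static string Report()
    {
        return Report(ConfigurationManager.ConnectionStrings["Default"].ConnectionString);
    }
}
```

A report of the form `thread=MACHINE\ASPNET level=None | ... | wcfCaller=DOMAIN\user auth=NTLM callerLevel=Impersonation | sqlSees=FAILED: Login failed for user 'MACHINE\ASPNET' | sqlSeesWhileImpersonating=DOMAIN\user` would mean the request was authenticated but not impersonated on the thread that opens the connection. Note that with integrated security the connection pool is keyed by identity, so connections opened while impersonating do not share the process account's pool.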


msk replied on Monday, October 05, 2009

I'm not sure ASP.NET has permission to impersonate users by default. I googled it and found this; it may give you a little help.

Dexter2 replied on Monday, October 12, 2009

Thanks for looking.

Did you mean to paste a link in?


msk replied on Tuesday, October 13, 2009

Ah..

Looks like I forgot the link. Can't remember what it was now. But I could have been clearer anyway.

I vaguely remember looking at this a few years back.

I seem to remember that there is a big difference between impersonating the user on the ASP.NET machine and doing so to access network resources (DB in your case).

In my case I just wanted to impersonate a specific windows user. I don't think the account ASP.NET has permission to do that by default. So I changed stuff around and eventually decided it wasn't the best solution for me.

In the end I opted to use standard authentication from web server to DB - that was all I actually needed.

OK, so having googled it again, this article seems to go into detail [perhaps too much ;-) ] about what you might need to do:

"How To: Use Impersonation and Delegation in ASP.NET 2.0"

http://msdn.microsoft.com/en-us/library/ms998351.aspx

Seems like impersonating a user to access a network resource is referred to as delegation and is pretty tough to configure.

On the other hand I could have got it wrong and there may be an easy config setting - but then I would imagine you likely have found that if it were the case.

Good luck. Hope it helps this time.

Martin.

Dexter2 replied on Tuesday, October 13, 2009

Thanks Martin

I checked out that article you mentioned, and I think that we are not using Kerberos (I have a feeling we use NTLM).

The mentioned article stated that..

"NTLM does not support delegation.
Kerberos supports delegation with the appropriate Active Directory configuration."

So perhaps that is the issue, and not the delegation between the 3 different processes after all.

I'll keep digging anyway!

ajj3085 replied on Tuesday, October 13, 2009

Hmm... also be on the lookout for the double hop issue.

http://blogs.technet.com/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx

Dexter2 replied on Wednesday, October 14, 2009

Thanks for the link

I will check it out.
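
An added example, not code from CSLA or from any participant, showing the two halves of a double-hop fix in the terms the thread uses: the client states that the service may delegate its token and refuses to fall back to NTLM (which cannot delegate), and the service verifies that it holds a Delegation-level Kerberos token before it tries to reach SQL Server on another host, impersonating the caller explicitly around the database call. It assumes .NET 3.5 / WCF, the Csla.Server.Hosts.IWcfPortal contract and the "WcfDataPortal" endpoint name from the posted configuration, and that the application can hand its own channel factory to the proxy; that plumbing is not shown. Explicit impersonation is used because ASP.NET's `<identity impersonate="true"/>` only governs WCF operations when ASP.NET compatibility mode is enabled.

```csharp
// Added example (not CSLA's or the poster's code). Assumes .NET 3.5 / WCF and the
// IWcfPortal contract from the posted config; endpoint and connection-string values
// are supplied by the caller.
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.ServiceModel;
using Csla.Server.Hosts;

public static class DelegationSetup
{
    // CLIENT SIDE. The allowed impersonation level defaults to Identification, which
    // lets the service see who called but not act as them. Delegation permits the
    // service to use the token for a further network hop. This only works over
    // Kerberos, and the account the service runs under must be trusted for delegation
    // in Active Directory (constrained delegation where possible).
    public static ChannelFactory<IWcfPortal> CreateDelegatingFactory(string endpointName)
    {
        ChannelFactory<IWcfPortal> factory = new ChannelFactory<IWcfPortal>(endpointName);
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;
        // Fail loudly instead of silently negotiating NTLM, whose token can never
        // delegate. (AllowNtlm is honoured on .NET 3.5; it is marked obsolete from .NET 4.5.)
        factory.Credentials.Windows.AllowNtlm = false;
        return factory;
    }

    // SERVER SIDE. Verify the token before using it, so a misconfiguration surfaces as
    // a clear error in the data portal instead of a "Login failed" from SQL Server.
    // (For SQL Server on the same host an Impersonation-level token would suffice.)
    public static WindowsIdentity RequireDelegatableCaller()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous || ctx.WindowsIdentity == null)
            throw new InvalidOperationException("No authenticated Windows caller on this operation.");

        WindowsIdentity id = ctx.WindowsIdentity;
        if (id.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new InvalidOperationException(string.Format(
                "Token for {0} is {1}-level via {2}; a hop to SQL Server on another host needs a Delegation-level Kerberos token.",
                id.Name, id.ImpersonationLevel, id.AuthenticationType));
        return id;
    }

    // Run database work as the caller. Impersonation is scoped to this call so the
    // worker-process identity is restored even if the work throws.
    public static T RunAsCaller<T>(string connectionString, Func<SqlConnection, T> work)
    {
        WindowsIdentity caller = RequireDelegatableCaller();
        using (caller.Impersonate())
        using (SqlConnection cn = new SqlConnection(connectionString))
        {
            cn.Open();
            return work(cn);
        }
    }

    // Example use from a data portal method: returns the login SQL Server granted,
    // which should now be the end user rather than MACHINE\ASPNET.
    public static string WhoAmIOnSqlServer(string connectionString)
    {
        return RunAsCaller<string>(connectionString, delegate(SqlConnection cn)
        {
            using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", cn))
            {
                return (string)cmd.ExecuteScalar();
            }
        });
    }
}
```

On the server, RequireDelegatableCaller() is deliberately strict: if the client still negotiates NTLM, the exception names the identity, the token level and the authentication type, which is the information needed to decide whether the problem is the SPN, the client setting, or the delegation rights on the service account.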


ajj3085 replied on Monday, October 12, 2009

Not sure I follow (and your link is missing).

ASP.NET can do impersonation by default; all that's needed is the <identity impersonate="true"/> tag in the web.config and setting the application in IIS to allow Windows authentication (and usually disabling Anonymous).

Dexter2 replied on Tuesday, October 13, 2009

Apols for my garbled last post; I was posting from my phone and my daughter was climbing all over me at the time!

Just to clarify in short...

I have a WinForms client, a remote data portal hosted in IIS 5.1 (communication through the WCF proxy), and a SQL Server database set up. (I am using CSLA version 3.6.3.)

I have set identity impersonate="true" in web.config, enabled Windows Integrated security, and disabled anonymous access inside of IIS.

When I debug inside of the data portal methods I have the expected Windows logon passed through OK;

however, when the data portal then calls a stored procedure in the database (which is relying on integrated security), SQL Server does not receive the Windows logon, but instead the ASP.NET user.

I suspect that is something to do with the impersonation not being able to cross the 2 processes.

hope that made more sense than my last post!

Thanks a lot

Dexter


Copyright (c) Marimer LLC