Trusted Subsystem, WCF and IIS

I’ve just about pulled my hair out on this one.  This used to be very easy with ASMX:

Basically, I have IIS running as a trusted user, “Service”.  I want WCF to run as this user for connecting to databases, etc.  I don’t care who’s calling me, I’m in an intranet environment, and this service is open to the world.  Unfortunately, all I can ever get is “user not associated with a trusted connection”, no matter what I do.  I suspect it’s due to a network hop issue, or something similar.  I can get it to work by flowing identity down, but I don’t want to do that, it’s not Trusted Subsystem.

I’ve spent about a day on two separate occasions trying to get this to work, but all examples seem to force me to set the service account on the ASP.NET side.  But I don’t want to force clients to do any kind of security, that defeats the purpose.

The quickest way to Trusted Subsystem now is to use SQL Server authentication.  With ASMX, I used ASP.NET configuration, along with IIS security configuration to set the identity, and it worked just fine.  WCF works outside the ASP.NET stack, so I don’t have that luxury.  Security in WCF is tough, kids, don’t let anyone tell you any different.

Boo.

About Jimmy Bogard

I'm a technical architect with Headspring in Austin, TX. I focus on DDD, distributed systems, and any other acronym-centric design/architecture/methodology. I created AutoMapper and am a co-author of the ASP.NET MVC in Action books.
This entry was posted in WCF.
  • http://saftsack.fs.uni-bayreuth.de/~dun3/ Tobias Hertkorn

    The trick is to host the WCF service in a dedicated app pool that runs under the user you want to use to authenticate against the SQL database.

    More info:
    http://www.codeplex.com/WCFSecurity/Wiki/View.aspx?title=Intranet%20%u2013%20Web%20to%20Remote%20WCF%20Using%20Transport%20Security%20%28Trusted%20Subsystem%2c%20HTTP%29&referringTitle=Application%20Scenarios

  • http://jimmybogard.lostechies.com Jimmy Bogard

    @Tobias

    Hmm, my fear now is that I’ve been doing this in WinXP. Maybe IIS6/7 is different, what with the AppPools and all.

    I did set the IIS process identity in IIS5, and that didn’t do the trick.

  • Dan

    I hope I’m not being insulting and giving you obvious paths but…

    If I understand the post right, I think Tobias is on the right track. Assuming you want the “who cares” credential to be the person trying to use the service, I’d look at using Constrained Delegation and trust the service account you’re running your AppPool under to delegate credentials to that service. With constrained delegation you must specify the services that the trusted account will be used to access. There are some things that can get in your way like local security policies, your domain functioning level, and version of IIS. I’m also assuming you’ve toggled the ASP.NET ‘identity impersonate’ configuration setting.

    Good Luck!

  • http://www.blogcoward.com jdn

    Wild stab, but is it the Kerberos thing?

    http://support.microsoft.com/kb/810572

    That’s always been the case when I get the user(null)/not associated with trusted connections error.

  • http://jimmybogard.lostechies.com Jimmy Bogard

    @Everyone

    Got the problem fixed, thanks to some Twitter help and the comments here. I’m doing a follow-up to explain the solution.