Comments on: Trusted Subsystem, WCF and IIS

By: Jimmy Bogard

Jimmy Bogard — Thu, 31 Jul 2008 23:33:10 +0000

@Everyone

Got the problem fixed, thanks to some twitter help and the comments here. I’m doing a follow up to explain the solution.

By: jdn

jdn — Thu, 31 Jul 2008 14:48:57 +0000

Wild stab, but is it the kerberos thing?

http://support.microsoft.com/kb/810572

That’s always been the case when I get the user(null)/not associated with trusted connections error.

By: Dan

Dan — Thu, 31 Jul 2008 14:28:49 +0000

I hope I’m not being insulting and giving you obvious paths but…

If I understand the post right, I think Tobias is on the right track. Assuming you want the “who cares” credential to be the person trying to use the service, I’d look at using Constrained Delegation and trust the service account your running your AppPool under to delegate credentials to that service. With constrained delegation you must specify the services that the trusted account will be used to access. There are some things that can get in your way like local security policies, your domain functioning level, and version of IIS. I’m also assuming you’ve toggled the ASP.Net ‘identity impersonate configuration setting.

Good Luck!

By: Jimmy Bogard

Jimmy Bogard — Thu, 31 Jul 2008 11:32:28 +0000

@Tobias

Hmm, my fear now is that I’ve been doing this in WinXP. Maybe IIS6/7 is different, what with the AppPools and all.

I did set the IIS process identity in IIS5, and that didn’t do the trick.

By: Tobias Hertkorn

Tobias Hertkorn — Thu, 31 Jul 2008 06:16:29 +0000

The trick is to host the wcf service in a dedicated apppool that runs under the user you want to use to authenticate against the sql database.

More info:
http://www.codeplex.com/WCFSecurity/Wiki/View.aspx?title=Intranet%20%u2013%20Web%20to%20Remote%20WCF%20Using%20Transport%20Security%20%28Trusted%20Subsystem%2c%20HTTP%29&referringTitle=Application%20Scenarios