I have to say that I’m a big fan of WCF’s modularity and power. At the moment though, I’m struggling with impersonation issues and feeling overwhelmed by the sheer size of the thing. “With great power comes great responsibility”, I suppose.
We have a legacy policy in our company whereby web services impersonate a particular user account that can write to certain file shares and access databases. This has served us well for intranet web apps, but I’ve run into difficulties because I’m forging ahead and writing our first WCF based web service.
I’ve put the service into “ASP.NET compatibility” and dutifully added the right attribute to the service class, but the `<identity impersonate="true" ...>` tag in the web.config stubbornly refuses to come into play. I’ll dig more tomorrow, but all this hassle has prompted me to wonder how it really should be done.
There are lots of articles out there about impersonating the caller of the WCF service. We could do that, but then we’d have to add A LOT of users to a group with privileges to access the database we’re using. Far better, at my current stage of thinking, to have a single user (without interactive logon privileges) that only the service knows about. But there’s the catch – I can’t find anything on the internet about this particular scenario. How do I get the WCF service to run under a particular identity? I’m hosting it in IIS, but it seems that if I specify anonymous access in IIS and supply a username and password, that doesn’t get transferred to WCF. It seems hell-bent on running as the NETWORK SERVICE account, or else the caller if I explicitly tell it to.
There are two possibilities to explain my current predicament:
- I have not found the technical solution
- The technical solution either doesn’t exist or is obscure (PInvoke anyone?) and this is so for a reason, i.e. what I’m trying to do is not best practice and I need to do it differently.
All comments gratefully received!
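As an added illustration, not code from the original post, here are the pieces the post describes (ASP.NET compatibility mode, the attribute on the service class, and the `<identity impersonate="true">` element) wired together with a small diagnostic operation that reports which Windows identity the service thread is actually running as, so a NETWORK SERVICE vs. service-account mismatch is visible immediately. The contract, class and account names are assumptions.

```csharp
// Added example (not from the original post). Names are assumed.
//
// web.config fragment (assumed layout):
//   <system.web>
//     <!-- dedicated, non-interactive service account; keep the secret out of
//          plain-text config in practice -->
//     <identity impersonate="true" userName="DOMAIN\svc_wcf" password="PLACEHOLDER" />
//   </system.web>
//   <system.serviceModel>
//     <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
//   </system.serviceModel>

using System.Runtime.Serialization;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Activation;

[DataContract]
public class IdentityReport
{
    // Identity the operation's thread executes under (what file shares and DBs will see).
    [DataMember] public string ServiceThreadIdentity { get; set; }
    // Identity of the caller, if the binding authenticated one.
    [DataMember] public string CallerIdentity { get; set; }
}

[ServiceContract]
public interface IIdentityProbe
{
    [OperationContract]
    IdentityReport WhoAmI();
}

// Opting into ASP.NET compatibility is what lets <identity impersonate="true">
// from <system.web> apply to WCF operations hosted in IIS.
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class IdentityProbeService : IIdentityProbe
{
    public IdentityReport WhoAmI()
    {
        var ctx = ServiceSecurityContext.Current;
        return new IdentityReport
        {
            // NETWORK SERVICE (or the app-pool account) when impersonation is not
            // in effect; the configured service account when it is.
            ServiceThreadIdentity = WindowsIdentity.GetCurrent().Name,
            CallerIdentity = (ctx != null && !ctx.IsAnonymous && ctx.WindowsIdentity != null)
                ? ctx.WindowsIdentity.Name
                : "anonymous"
        };
    }
}
```

Calling `WhoAmI` from a client shows whether the `<system.web>` identity setting reached the WCF operation at all, which is the first thing to establish before deciding between thread impersonation and a different hosting identity.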