Windows authentication with WCF Service not working - ORA-01017: invalid username/password

Question

5.00/5 (1 vote)

See more:

I have a silverlight application which fetches data from a WCF Service hosted under a Windows Service which runs under the "Local System" account i.e. NT AUTHORITY/ SYSTEM.

I have enabled Windows Authentication on this WCF service using the below in my App.config

<system.servicemodel> 
<behaviors> 
  <endpointbehaviors> 
    <behavior name="webHttpBehavior"> 
      <webhttp /> 
    </behavior> 
  </endpointbehaviors> 
  <servicebehaviors> 
    <behavior name="defaultServiceBehavior"> 
      <servicemetadata httpgetenabled="true" /> 
      <servicedebug includeexceptiondetailinfaults="true" /> 
    </behavior> 
  </servicebehaviors> 
</behaviors> 
<bindings>            
  <basichttpbinding> 
    <binding name="winAuthBasicHttpBinding" opentimeout="05:00" sendtimeout="05:00"> 
      <security mode="TransportCredentialOnly"> 
        <transport clientcredentialtype="Windows" /> 
      </security> 
    </binding> 
  </basichttpbinding> 
</bindings> 
<servicehostingenvironment aspnetcompatibilityenabled="true" multiplesitebindingsenabled="true" /> 
<services> 
  <service behaviorconfiguration="defaultServiceBehavior" name="DataService.CrossDomainService"> 
    <endpoint address="" behaviorconfiguration="webHttpBehavior" binding="webHttpBinding" contract="DataService.ICrossDomainService"> 
      <identity> 
        <dns value="107.0.0.12" /> 
      </identity> 
    </endpoint> 
    <host> 
      <baseAddresses> 
        <add baseaddress="http://107.0.0.12:2035/" /> 
      </baseAddresses> 
    </host> 
  </service> 
  <service behaviorconfiguration="defaultServiceBehavior" name="DataService.NewDataService">         
    <endpoint address="" binding="basicHttpBinding" bindingconfiguration="winAuthBasicHttpBinding" contract="DataService.INewDataService"> 
      <identity> 
        <dns value="107.0.0.12" /> 
      </identity> 
    </endpoint> 
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" /> 
    <host> 
      <baseAddresses> 
        <add baseaddress="http://107.0.0.12:2035/DataService/" /> 
      </baseAddresses> 
    </host> 
  </service> 
</services> 

</system.servicemodel>

I have also enabled Windows Authentication in the connection string for Oracle using Integrated Security=SSPI as below:

HTML

<connectionstrings>     
<add name="netTiersConnectionString" connectionstring="Data Source=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=107.0.0.17)(PORT=1521)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=SVC001)));Integrated Security=SSPI; Min Pool Size= 1; Max Pool Size= 5;" /> 
</connectionstrings>

Now when the Silverlight app makes a call to the WCF Service, the database connection happens using NT AUTHORITY/SYSTEM account instead of domainname/username credentials of the logged in user in the Silverlight app which itself uses Windows Authentication. Hence I get the invalid username error.

The same configurations work fine when I host the WCF service in a console application. But when I host in a windows service, it runs under a Local System account and hence I guess this issue.

What can I do so that the database connection is made using windows authentication credentials of logged in user and not the Local System account?

Thanks, Pankaj Chamria

Posted 11-Aug-11 1:14am

Pankaj Chamria

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Simon Bang Terkildsen · Accepted Answer · 2011-08-11T01:27:00

Solution 1

Now I'm not sure, but I beleave the account used as login to oracle is the one which runs the service not the one which has called the service.
You should look into impersonation
http://msdn.microsoft.com/en-us/library/ms730088.aspx[^]

So in you WCF method do something like the below (taken from the site I linked):

C#

WindowsIdentity callerWindowsIdentity =         ServiceSecurityContext.Current.WindowsIdentity;
if (callerWindowsIdentity == null)
{
    throw new InvalidOperationException("The caller cannot be mapped to a WindowsIdentity");
}
using (callerWindowsIdentity.Impersonate())
{
    //Do your thing here

}

Posted 11-Aug-11 1:27am

Simon Bang Terkildsen

Updated 6-Oct-11 6:23am

v2

Comments

Pankaj Chamria 11-Aug-11 8:10am

Perfect! You pointed me in the right direction. The article link helped me find the answer. As I wanted the impersonation for my entire WCF service functions, I just used the attribute on top of every OperationContract and it worked like a charm..

[OperationBehavior(Impersonation = ImpersonationOption.Required)]

Thanks Simon!

Simon Bang Terkildsen 6-Oct-11 12:24pm

My pleasure

Espen Harlinn 6-Oct-11 10:36am

5'ed!

Simon Bang Terkildsen 6-Oct-11 12:24pm

Thank you, Espen