Error in WCF client running IIS 5.0 with server on Windows 2008
I have a WCF .NET 3.5 SP1 service running IIS 7 on a Windows 2008 machine. When I try to connect to this service from a WCF service running IIS running IIS 5.0 (Windows XP) .Net 3.5 SP1, I I get the following error:
Token provider cannot get tokens for target: http: // (URL for WCF service)
I have created a simple console application that can successfully connect to a WCF service using the same configuration. I also created a simple web application hosted under a WebDev server (ASP.Net server that ships with Visual Studio 2008) and it can connect to the WCF service successfully. When I configured a virtual directory in IIS (Windows XP) to point to the same directory as the WebDev server, I get the following error:
Security package has no credentials
But if I set web.config to enable impersonation when using my login credentials, it works fine. This is not a good long-term solution for obvious reasons. The only difference I noticed between IIS and WebDev servers is the user that each process is working with. IIS runs under an ASPNet account and WebDev runs under my account.
Here's the config of WCF section on client:
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="mexBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceThrottling maxConcurrentCalls="200" maxConcurrentSessions="200" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="FABindings" maxReceivedMessageSize="2147483647">
<readerQuotas maxStringContentLength="300000"/>
<security mode="Message">
<message clientCredentialType="Windows" negotiateServiceCredential="false" establishSecurityContext="false" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://<server url>/FinancialAggregator/v3/Services/FAService.svc"
binding="wsHttpBinding" bindingConfiguration="FABindings"
contract="ServiceReference1.IFilteredService" name="FAServiceEndpoint">
<identity>
<servicePrincipalName value="<UsernameRunningTheAppPoolOnW2k8>" />
</identity>
</endpoint>
</client>
Here's the server config (as requested):
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="wsHttpBinding" maxReceivedMessageSize="2147483647">
<security mode="Message">
<message establishSecurityContext="false" negotiateServiceCredential="false" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="mexBehavior">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="false" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceThrottling maxConcurrentCalls="200" maxConcurrentSessions="200" />
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="mexBehavior" name="FCSAmerica.Financial.Aggregator.Service.FilteredService">
<endpoint name="FAServiceEndpoint" address="" binding="wsHttpBinding" bindingConfiguration="wsHttpBinding" contract="FCSAmerica.Financial.Aggregator.Service.IFilteredService">
</endpoint>
</service>
</services>
Any thoughts on the cause of this error?
Thanks!
a source to share
When accessing services through IIS with impersonate = false, this is the ASPnet account that is used to access the service on a Windows 2008 computer.
The ASPnet account is a local account and therefore has no rights on the 2008 machine.
There are three ways to solve this problem:
- Allow Anonymous Access to Service on Windows 2008 Machine
- Use impersonate = true (as is)
- Change the application pool id from aspnet to a domain account with the required access.
a source to share