Caller identity (Network Service account) obtained by WCF service is out of date


We have a WCF service using TCP binding, hosted in a Windows service. The WCF service is called by an ASP.NET web application.

When the WCF service is called, I would like to check whether the calling identity is a member of a particular local group. A few ways to do this are:

[PrincipalPermission(SecurityAction.Demand, Authenticated = true, Role = "MyGroupName")]

Thread.CurrentPrincipal.IsInRole("MyGroupName");

new WindowsPrincipal(ServiceSecurityContext.Current.WindowsIdentity).IsInRole("MyGroupName")

When our ASP.NET web application is hosted in Windows 2003/IIS6, it runs under the NETWORK SERVICE account. This means that NETWORK SERVICE must be added to the local group in order for the WCF code to run correctly. However, if I add the account to the group and then test my application (using any of the approaches above to test for group membership), the code seems to think that NETWORK SERVICE is not a member of the group.

I wrote a simple ASP.NET page that performed the same group membership tests. I found that the web page would only recognise that NETWORK SERVICE had joined the group after I performed an iisreset. However, resetting IIS does not make any difference to my WCF service. I even tried restarting the Windows service that hosts my WCF service, and it made no difference. It was only once I restarted the computer that the WCF code realised that NETWORK SERVICE was a member of the group.

I am trying to understand why there would be a difference in the behaviour of my simple ASP.NET page versus my WCF service, particularly when they are using the same code and they both report the same identity name (NT AUTHORITY\NETWORK SERVICE). Does anyone know?

This problem does not occur on Windows 2008 (where my web application is also running under NETWORK SERVICE) or on Windows 2008 R2 (where it is running as the application pool identity account).

Thanks for any help!


There are 0 answers
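A diagnostic that helps when `IsInRole` disagrees with the group's actual membership, added here as an example and not code from the question: a WCF operation that reports the caller identity WCF established for the call and lists every group SID present in that caller's access token. Windows evaluates group membership from the SIDs baked into the token when the logon session was created, so a token obtained before the group change will simply not contain the new group, whatever the local group currently says. The service contract `IDiagnosticService`, the class name and the operation name are assumptions; `"MyGroupName"` is the group from the question.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical contract for the diagnostic operation (not part of the original question).
[ServiceContract]
public interface IDiagnosticService
{
    [OperationContract]
    string ReportCallerGroups(string groupName);
}

// Example implementation: dumps what the server-side token actually contains,
// so a stale membership shows up as a missing SID rather than as a mystery.
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
public class DiagnosticService : IDiagnosticService
{
    public string ReportCallerGroups(string groupName)
    {
        ServiceSecurityContext context = ServiceSecurityContext.Current;
        if (context == null || context.IsAnonymous || context.WindowsIdentity == null)
        {
            // Happens when the binding carries no Windows credentials; nothing to inspect.
            return "No Windows identity is available for this call.";
        }

        // The identity WCF established for this call (e.g. NT AUTHORITY\NETWORK SERVICE).
        WindowsIdentity identity = context.WindowsIdentity;
        var principal = new WindowsPrincipal(identity);

        var lines = new List<string>
        {
            "Caller:            " + identity.Name,
            "Authenticated:     " + identity.IsAuthenticated,
            "Authentication:    " + identity.AuthenticationType,
            "Impersonation:     " + identity.ImpersonationLevel,
            "IsInRole(\"" + groupName + "\"): " + principal.IsInRole(groupName),
            "Group SIDs in the caller's token:"
        };

        // IsInRole only consults these SIDs. If the group you just added the account to
        // is absent here, the token predates the membership change and a fresh logon
        // (a new token) is needed before any role check can succeed.
        foreach (IdentityReference sid in identity.Groups)
        {
            string accountName;
            try
            {
                accountName = sid.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                // Well-known or orphaned SIDs may have no resolvable account name.
                accountName = "<unmapped>";
            }
            lines.Add("  " + sid.Value + "  " + accountName);
        }

        return string.Join(Environment.NewLine, lines);
    }
}
```

Calling the operation from the ASP.NET application and from the standalone test page and comparing the two SID lists shows directly whether the two callers are presenting the same token contents, which is the question the symptoms above raise; note that the operation reports the token it sees and does not attempt to refresh it.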