Calling WCF on local machine: "Request for principal permission failed" - wcf

My method is decorated as such:
[PrincipalPermission(SecurityAction.Demand, Role = "OurSecurityGroup")]
I'm calling the WCF service from an executable, which I'm just running from Visual Studio while debugging. If I call the service installed on a server, it works fine, as I've added myself to "OurSecurityGroup" on the server.
If I run the WCF service from my local machine, the service throws a security exception, "Request for principal permission failed". I've set up the same group on my local machine, and added myself, the local IUSR, all authenticated users and Anonymous Logon. I know from the FirstPermissionThatFailed property that it is checking for the expected role, OurSecurityGroup. Who else do I need to add to this group to make this work for local debugging?

Related

Access Key Vault from local Service Fabric cluster with User Assigned Managed Identity (MSI)

I want to access the Key Vault from my Service Fabric application via Managed Service Identity (MSI). I have enabled MSI on the virtual machine scale set in the Azure Portal and given it access to my Key Vault resource. This works like a charm up in the cloud. However, I am having problems with my local develop environment.
As far as I understand, I can grant myself access to the Key Vault and run az login in Azure CLI. Alas, this doesn't work when running the application in a local Service Fabric cluster.
I am using .NET Core 2.1 in Service Fabric and getting the exception mentioned below.
Azure.Identity.AuthenticationFailedException: DefaultAzureCredential failed to retrieve a token from the included credentials.
EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential authentication unavailable. No Managed Identity endpoint found.
SharedTokenCacheCredential authentication failed: Persistence check failed. Inspect inner exception for details
Visual Studio Token provider can't be accessed at C:\Users\Default\AppData\Local.IdentityService\AzureServiceAuth\tokenprovider.json
VisualStudioCodeCredential authentication failed: A specified logon session does not exist. It may already have been terminated.
Services are likely running under the built-in 'NetworkService' account, which cannot access the CLI for credentials because it has run in your user session.
Try creating machine level environment variables to access the vault:
1. Create a service principal with a password. Follow steps here to create a service principal and grant it permissions to the Key Vault.
2. Set an environment variable named AzureServicesAuthConnectionString to RunAs=App;AppId=AppId;TenantId=TenantId;AppKey=Secret. You need to replace AppId, TenantId, and Secret with actual values from step #1.
3. Run the application in your local development environment. No code change is required. AzureServiceTokenProvider will use this environment variable and use the service principal to authenticate to Azure AD.
Don't forget to restart, so the environment variables are added to all processes.
As the document shows about DefaultAzureCredential, Environment and Managed Identity are deployed service authentication. Azure CLI needs to login with your Azure account via the az login command.
So, Environment and Managed Identity are appropriate for you. For example, Using the environment needs to set Environment Variables first, see here. Then you could create a secret client using the DefaultAzureCredential.
// Create a secret client using the DefaultAzureCredential
var client = new SecretClient(new Uri("https://myvault.azure.vaults.net/"), new DefaultAzureCredential());
I was able to get this working with local Service Fabric development by opening Services.msc on my local development machine and configuring the 'Service Fabric Host Service' to run as my local user account rather than the default local service.
Only then would DefaultAzureCredential work for picking up the Az CLI login.
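The answers above agree that only the non-interactive sources (Managed Identity in the scale set, a service principal in environment variables locally) are suitable for a process that does not run in the developer's user session. The following is an added example, not code from any of the posts, that builds that chain explicitly instead of relying on DefaultAzureCredential's full list. Note that the AzureServicesAuthConnectionString variable in the earlier answer belongs to the older AppAuthentication library; Azure.Identity's EnvironmentCredential reads AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET, which must be set at machine level so the Service Fabric host sees them. The class and method names are hypothetical.

```csharp
using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class VaultSecrets
{
    // Explicit chain: Managed Identity first (works on the VM scale set), then the
    // service-principal environment variables (works in the local cluster). CLI,
    // Visual Studio and shared-cache credentials are deliberately left out because
    // they depend on the interactive user session the service does not run in.
    public static string ReadSecret(Uri vaultUri, string secretName)
    {
        var credential = new ChainedTokenCredential(
            new ManagedIdentityCredential(),
            new EnvironmentCredential());
        var client = new SecretClient(vaultUri, credential);
        try
        {
            return client.GetSecret(secretName).Value.Value;
        }
        catch (AuthenticationFailedException ex)
        {
            // Neither source applied: no MSI endpoint on this machine and the
            // AZURE_* variables are missing, or the host process was started
            // before they were set (a restart picks up machine-level variables).
            throw new InvalidOperationException(
                "No Managed Identity endpoint and no service-principal environment variables: " + ex.Message, ex);
        }
    }
}
```

Called as `VaultSecrets.ReadSecret(new Uri("https://myvault.vault.azure.net/"), "db-password")` (constructed vault name), the same code path runs unchanged in the cloud and in the local cluster.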

CRM 2013 On premise Authentication Error while retrieving

I have created a batch job and created the IOrganizationService object by just adding the service reference.
This works when I run it in Visual Studio while debugging, but when I copy the exe to the server and run it, it gives this error:
The caller was not authenticated by the service.::Inner Exception::The request for security token could not be satisfied because authentication failed.
At line: contactEntityCollection = client.RetrieveMultiple(fetchExp);
Please help.
Whatever security context the exe is running under on the server will need to be a valid user in CRM. If it's a windows service set the account to a user other than LocalSystem in the services MMC tool. If it's running as a web application set the Application Pool to the dedicated account. If it's a scheduled task set it in the configuration of the task.
You can also specify an instance of the ClientCredential class providing username and password but I'd highly recommend you avoid this route as you'll be responsible for securing the password within your application.

WCF Access is denied with IIS

I created a brand new WCF web application with .NET 4.5.1
I have set in IIS the Authentication to Anonymous Authentication (enabled). All the other options are disabled. The web site in IIS is set to its own application pool, which runs under my credentials. I am the administrator of the machine. The application pool is set to use version 4.
The url is
http://localhost:8885/Service1.svc
The port is good.
If I use Process Monitor I see this output for w3wp.exe:
Why do I get a 401 error, if I have the read-write access (the app pool is running my account)?
Server Error in '/' Application.
Access is denied.
Description: An error occurred while accessing the resources required to serve this request. You might not have permission to view the requested resources.
Error message 401.3: You do not have permission to view this directory or page using the credentials you supplied (access denied due to Access Control Lists). Ask the Web server's administrator to give you access to 'C:\Users\Patrick\Documents\Visual Studio 2013\Projects\MyServiceA\MyServiceA\Service1.svc'.
To make it work, you have to create a website in IIS and, inside Visual Studio, in the properties of the project, add a virtual directory.
Afterwards, if you go into IIS, you will see an application added to your website.
From here you can access your WCF services
http://localhost:8885/MyServiceA/Service1.svc

Restricted Remote WCF Service: Windows Authentication Prompt

I want to let remote administrators (with local or domain credentials) control my Windows service via a WCF TCP binding. To do this, I need to authenticate the remote user as an administrator. I can check the principal user/roles, but I don't know how to prompt the remote user for the correct user details/token.
This is related to my previous question on Restricting WCF TCP endpoint to Administrators. Instead of adding [PrincipalPermission(SecurityAction.Demand, Role = "Administrator")] to my restricted service method and catching a SecurityException, it seems I can check for it with:
if (!System.Threading.Thread.CurrentPrincipal.IsInRole("Administrators"))
return MethodResult.AccessDenied;
// haven't tested if it's the service thread or the remote user yet.
How do I prompt the remote user for Windows authentication if an Access Denied result was returned, so I can reinitiate the connection as a different principal?
Of course, the change would need to be effected on the remote user's client application. Perhaps there is a cleaner WCF way to do it?
Edit: Searching for ".net impersonation" led me to this on CodeProject. Haven't had a chance to look, but this may be the way to go.
You need to pass in the user's credentials with your WCF call. Normally the client application just "captures" the currently running user's credentials. Alternatively you can specify a username and password explicitly. So you could prompt the user for an alternative set of credentials if you wish.
Either way, the client app needs to prompt the user. Your WCF call should return an error (code or exception) upon authorization failure and your client should capture that return and display a prompt to the user and retry with the new credentials. WCF by itself cannot handle prompting the user.
Here is an article on various means of passing credentials:
http://blogs.msdn.com/b/sonuarora/archive/2007/04/21/setting-client-credentials.aspx
Assuming this is hosted in IIS, you need to turn off anonymous authentication in the IIS Manager. This should force the user to log in to the machine using a Windows account. You may also need to enable ASP.NET Impersonation.
Here is how you can prompt the user with the standard Windows dialog using P/Invoke: How to show authentication dialog in C# .Net 3.5 SP1
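The first question on this page (a PrincipalPermission demand that fails only when the service runs locally) and this one (prompting for different Windows credentials after an access-denied result) share the same mechanics, so here is one added example covering both; it is not code from either thread. It assumes a hypothetical IAdminService contract over net.tcp with transport security: a WhoAmI operation without a demand reports which Windows identity actually reached the service and whether it is in the group, so the local-debugging failure can be diagnosed rather than guessed at, and the client side catches the access-denied fault and retries once with credentials supplied by a prompt callback, as the answers above describe.

```csharp
using System;
using System.Net;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract standing in for the askers' services.
[ServiceContract]
public interface IAdminService
{
    [OperationContract] string WhoAmI();
    [OperationContract] string RestartWorker();
}

public class AdminService : IAdminService
{
    // No demand here: tells the caller which identity and authentication type the
    // service saw, and whether that identity is in the group the demand checks.
    public string WhoAmI()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        bool inGroup = new WindowsPrincipal(caller).IsInRole("OurSecurityGroup");
        return string.Format("{0} via {1}; in OurSecurityGroup: {2}",
                             caller.Name, caller.AuthenticationType, inGroup);
    }

    // The demand runs before the body; a failed demand reaches the client as a
    // SecurityAccessDeniedException ("Access is denied").
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    public string RestartWorker() { return "restarted"; }
}

public static class AdminClient
{
    // First call uses the logged-on user's token. On access denied, ask the user
    // once for alternative Windows credentials and retry on a fresh factory, since
    // credentials cannot be changed after a channel has been created.
    public static string CallWithRetry(Uri address, Func<NetworkCredential> promptForCredentials)
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        var factory = new ChannelFactory<IAdminService>(binding, new EndpointAddress(address));
        try { return factory.CreateChannel().RestartWorker(); }
        catch (SecurityAccessDeniedException)
        {
            var retry = new ChannelFactory<IAdminService>(binding, new EndpointAddress(address));
            retry.Credentials.Windows.ClientCredential = promptForCredentials();
            return retry.CreateChannel().RestartWorker();
        }
    }
}
```

Calling WhoAmI from the debugging client shows the concrete account name (for example a local account rather than the domain user) and whether the group membership is visible to it, which is the information the first question is missing.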

WCF Service - authentication / SSPI error

When I run my WCF service on my local machine, it works fine. When I deploy the same files to our test server, I get this error when my test client tries to connect to the WCF service:
Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity 'host/Server01'. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server.
What does this mean and what area should I be looking to fix? I played around with the web.config identity section, but I'm still unsure what is needed.
I got a similar error before, but the message is somewhat different.
Right click on the application pool the web site is running under, click on Properties, then go to the Identity tab. Try to put the "host/Server01" identity in and see if that helps.
This error can also happen for Microsoft Dynamics GP Web Services. In our case, it turns out that the person who set up the GP Web Services used his personal user account as the service account. When he changed his password, it broke the web services.
So, check your user identity and password if your web service used to work but no longer works.
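The error message quoted above names the fix precisely: the client validated the server against the default identity host/Server01, but the service is running as some other account, so the client must be told which identity to expect. The following is an added example, not code from the question or answers, of building the client endpoint with the identity the message asks for: the account's UPN when the service runs as a user account, its SPN when it runs as Network Service or under a registered service SPN. The helper name and the account values in the comments are hypothetical.

```csharp
using System;
using System.ServiceModel;

public static class ServerIdentityClient
{
    // Creates a proxy whose EndpointAddress carries the server identity the
    // client should authenticate, matching the account the service runs under.
    // The equivalent on the server side is the <identity> element (with
    // <userPrincipalName> or <servicePrincipalName>) under the endpoint in
    // web.config, so that the generated client metadata already contains it.
    public static T Connect<T>(Uri address, string serviceAccount, bool runsAsUserAccount)
    {
        EndpointIdentity identity = runsAsUserAccount
            ? EndpointIdentity.CreateUpnIdentity(serviceAccount)   // e.g. "svc_wcf@corp.example" (constructed)
            : EndpointIdentity.CreateSpnIdentity(serviceAccount);  // e.g. "host/Server01" as in the message
        var endpoint = new EndpointAddress(address, identity);
        // WSHttpBinding defaults to message security with Windows credentials,
        // which is where the SSPI identity check above takes place.
        var factory = new ChannelFactory<T>(new WSHttpBinding(), endpoint);
        return factory.CreateChannel();
    }
}
```

If the service runs under a personal account, as in the Dynamics GP case above, the UPN in the client and the account's password both become things that silently break when that person changes their password, which is the reason to prefer a dedicated service account with a registered SPN.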