WCF Security Spike – Day 1

My first goal was to secure a service. I'm happy to say I managed to get a service that allowed one user and didn't allow another by using a PrincipalPermission with wsHttpBinding (I gave up on netTcpBinding for now; one monster at a time, right?).

I created a simple service and declared it with an endpoint, as you see in the web.config (from .NET 4):

 <system.serviceModel>
    <services>
        <!-- name must match the service class; contract must match the [ServiceContract] interface -->
        <service name="Security">
            <endpoint address="" binding="wsHttpBinding" bindingConfiguration=""
                      contract="ISecurity" />
        </service>
    </services>
 </system.serviceModel>

Then I implemented my service with a security demand:

using System.Security.Permissions;

// The demand is evaluated before the method body runs: the caller's principal
// (Thread.CurrentPrincipal, set by WCF from the Windows token) must be in the
// BUILTIN\Administrators role, otherwise a SecurityAccessDeniedException is thrown.
[PrincipalPermission(SecurityAction.Demand, Role = "BUILTIN\\Administrators")]
public string AdminOperation()
{
    return GetSecurityInfo("AdminOperation");
}

Easy, huh? Wait a minute… not so fast. I started testing this.

The machine is joined to the REDMOND domain and when I tested using my domain account it worked just fine.

However, when I fired up the WCF Test Client using a local machine account that is a member of the Administrators group, I got "Access Denied".

In fact, if I allow the call and then test for role membership using IsInRole("SomeGroup") with any local group, all of them returned false. The only time I got IsInRole("Administrators") to return true was when I used my domain account to call the service.
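When a demand like the one above fails, the first thing worth knowing is what the service actually received for the caller: the authenticated name, the authentication type, and the group SIDs in the token, rather than what IsInRole says about a group name. The following is an added example, not code from the original post: it implements the same ISecurity contract and Security class that the web.config above refers to, does the Administrators check imperatively against the well-known SID (WindowsBuiltInRole.Administrator, S-1-5-32-544) instead of resolving the string "BUILTIN\Administrators", and returns a dump of the caller's token groups so the domain-account and local-account calls can be compared side by side. The Describe helper and the fault message text are my own assumptions; it needs a reference to System.ServiceModel.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.Text;

// Contract name matches contract="ISecurity" in the web.config.
[ServiceContract]
public interface ISecurity
{
    [OperationContract]
    string AdminOperation();
}

// Class name matches <service name="Security">.
public class Security : ISecurity
{
    public string AdminOperation()
    {
        // Windows identity negotiated by wsHttpBinding (null if the binding is not
        // using Windows credentials, which is itself a useful thing to learn).
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        if (caller == null)
        {
            throw new FaultException("No Windows identity on this call; check the binding's clientCredentialType.");
        }

        // SID-based check: WindowsBuiltInRole.Administrator is S-1-5-32-544, so this does
        // not depend on translating a group name and works the same for local and domain callers
        // provided the SID is actually present in the token the service received.
        var principal = new WindowsPrincipal(caller);
        if (!principal.IsInRole(WindowsBuiltInRole.Administrator))
        {
            // Assumed behaviour: return the token dump in the fault so the client can see
            // which groups were (and were not) present.
            throw new FaultException("Caller is not in Administrators.\n" + Describe(caller));
        }

        return Describe(caller);
    }

    // Assumed helper (not in the original post): lists the caller's identity and token groups,
    // showing each group both as a SID and, where it resolves, as DOMAIN\Name.
    public static string Describe(WindowsIdentity identity)
    {
        var sb = new StringBuilder();
        sb.AppendLine("Name:                " + identity.Name);
        sb.AppendLine("AuthenticationType:  " + identity.AuthenticationType);
        sb.AppendLine("ImpersonationLevel:  " + identity.ImpersonationLevel);
        sb.AppendLine("IsAuthenticated:     " + identity.IsAuthenticated);
        sb.AppendLine("User SID:            " + (identity.User == null ? "<none>" : identity.User.Value));

        if (identity.Groups != null)
        {
            foreach (IdentityReference group in identity.Groups)
            {
                string name;
                try
                {
                    name = group.Translate(typeof(NTAccount)).Value;
                }
                catch (IdentityNotMappedException)
                {
                    name = "<unmapped>";
                }
                sb.AppendLine("Group: " + group.Value + "  (" + name + ")");
            }
        }

        return sb.ToString();
    }
}
```

Call AdminOperation from the WCF Test Client once with the domain account and once with the local account and compare the two dumps: if S-1-5-32-544 is missing from the local account's group list, the failure is in what the service was handed, not in the PrincipalPermission attribute or the role-name lookup, which narrows the search considerably.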

Oh, the mysterious ways of Active Directory… Who can plumb the depths of Kerberos? Perhaps I could (should?) look at Windows Identity Foundation for help…