My first goal was to secure a service. I’m happy to say I managed to get a service that allowed one user and didn’t allow another by using a PrincipalPermission with wsHttpBinding (I gave up on netTcpBinding for now – one monster at a time, right?)
I created a simple service and declared an endpoint for it, as you can see in the web.config (from .NET 4):
<endpoint address="" binding="wsHttpBinding" bindingConfiguration=""
Then I implemented my service with a security demand:
public string AdminOperation()
Easy huh? Wait a minute… not so fast. I started testing this.
The machine is joined to the REDMOND domain and when I tested using my domain account it worked just fine.
However, when I fired up the WCF Test Client using a local machine account that is a member of the Administrators group, I got “Access Denied”.
In fact, if I allow the call and then test for role membership using IsInRole(“SomeGroup”) with any local group, all of them returned false. The only time I got IsInRole(“Administrators”) to return true was when I used my domain account to call the service.
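The demand described above, plus the IsInRole diagnostic, as an added example (not the original post's code). It assumes the service is hosted under wsHttpBinding with Windows client credentials and the default principalPermissionMode (UseWindowsGroups), so the demand is evaluated against the caller's Windows token; the contract name, the operation names and the "Administrators" role value are assumptions chosen to match the text.

```csharp
using System;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IAdminService
{
    [OperationContract]
    string AdminOperation();

    [OperationContract]
    string WhoAmI();
}

public class AdminService : IAdminService
{
    // The demand runs before the method body: the caller's principal must satisfy
    // IsInRole("Administrators"), otherwise WCF faults the call and the client
    // sees "Access Denied" (a SecurityAccessDeniedException).
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    public string AdminOperation()
    {
        return "admin operation ran as "
            + ServiceSecurityContext.Current.WindowsIdentity.Name;
    }

    // No demand here: any authenticated caller can ask how the service sees them.
    // Calling this with a domain account and then with a local account shows
    // which role checks differ, instead of just "Access Denied".
    public string WhoAmI()
    {
        WindowsIdentity identity = ServiceSecurityContext.Current.WindowsIdentity;
        WindowsPrincipal principal = new WindowsPrincipal(identity);

        // Check by SID as well as by name: BUILTIN\Administrators has a fixed
        // well-known SID, so this check does not depend on the group's display name.
        SecurityIdentifier builtinAdmins =
            new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);

        return string.Format(
            "name={0}; authType={1}; impersonation={2}; " +
            "IsInRole(\"Administrators\")={3}; IsInRole(BUILTIN\\Administrators SID)={4}",
            identity.Name,
            identity.AuthenticationType,   // e.g. "Kerberos" or "NTLM"
            identity.ImpersonationLevel,   // which token level the service received
            principal.IsInRole("Administrators"),
            principal.IsInRole(builtinAdmins));
    }
}
```

If the name-based and SID-based checks disagree, or the SID check is false even though the account is listed in the local Administrators group, the difference lies in the token the service received for that logon rather than in the PrincipalPermission attribute itself.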
Oh, the mysterious ways of Active Directory… Who can plumb the depths of Kerberos? Perhaps I could (should?) look at Windows Identity Foundation for help…