Sometimes it can be a real nightmare to troubleshoot why an application is unable to connect to a WCF service. The client simply gets a “Connection refused”, “Connection aborted” or “Timeout” message back.
The image below is a typical view of a log from a WCF client with connectivity issues. This log is basically useless, as it gives no reason for the connectivity failure; the best one can do is check that the correct address is being called.
In the next slide we can at least see that the user is attempting “Delegation” by supplying an SPN on the endpoint, and we can see which address the client is trying to connect to.
One way to troubleshoot WCF security-related connectivity issues is to add the “serviceSecurityAudit” behaviour to the service behaviours in the service host configuration:

<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <behavior>
        <serviceSecurityAudit
          auditLogLocation="Default"
          messageAuthenticationAuditLevel="SuccessOrFailure"
          serviceAuthorizationAuditLevel="SuccessOrFailure"
          suppressAuditFailure="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
This behaviour logs the security-related events to the event log of the service host, so they are viewed in the Event Viewer of the server, not of the client.
Below is an example of such an audit. In the first image it is clearly visible that the connecting user is using impersonation and trying to log on as an anonymous user, which explains why he is being refused access to the service.
In the next slide you can see the user connecting with the correct security settings.
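To pull the same audit entries out of the server's event log from a prompt instead of scrolling through the Event Viewer, here is an added PowerShell helper (written for this page, not code from the original post). It assumes auditLogLocation="Default" lands the entries in the Security log and that the events are written under a provider named "ServiceModel Audit 4.0.0.0" (or 3.0.0.0 for .NET 3.x hosts); both are assumptions to verify on your host.

```powershell
# Added example: list the WCF security audit events that serviceSecurityAudit
# writes on the service host, so refused connections can be matched against the
# client's bare "Connection refused" / "Timeout" message.
# Assumptions (verify on your server): auditLogLocation="Default" means the
# Security log on a current Windows Server, and the provider name is
# "ServiceModel Audit 4.0.0.0" (or "ServiceModel Audit 3.0.0.0").
function Get-WcfSecurityAudit {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$LogName = 'Security',   # use 'Application' if auditLogLocation="Application"
        [int]$Hours = 1,
        [switch]$FailuresOnly
    )

    $filter = @{
        LogName      = $LogName
        ProviderName = 'ServiceModel Audit 4.0.0.0', 'ServiceModel Audit 3.0.0.0'
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Security-log audits carry the standard Audit Failure keyword (0x10000000000000).
    if ($FailuresOnly) { $filter.Keywords = 0x10000000000000 }

    # Reading the Security log requires an elevated (administrator) session.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Outcome = ($_.KeywordsDisplayNames -join ',')
                Id      = $_.Id
                # The first lines of the message name the audited action, the
                # service/endpoint and the client identity (for example an
                # anonymous logon arriving under impersonation, as in the post).
                Message = (($_.Message -split "`r?`n") | Select-Object -First 5) -join ' | '
            }
        }
}

# Remember that suppressAuditFailure="true" keeps the service answering even when
# an audit record cannot be written, so an empty result does not by itself prove
# that no connection attempts were made; check the log location and provider first.
Get-WcfSecurityAudit -Hours 2 -FailuresOnly | Format-Table -AutoSize -Wrap
```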