Troubleshoot WCF Security connectivity

October 28, 2015

Sometimes it can be a real nightmare to work out why an application is unable to connect to a WCF service. The client simply gets a “Connection refused”, “Connection aborted” or “Timeout” message back, none of which says whether the problem is the address, the transport or the security negotiation.

The image below is a typical view of a log from a WCF client with connectivity issues. This log is basically useless, as it gives no reason for the connectivity failure; the best one can do is check that the correct address is being called.

(Image: SecurityAudit0, client-side trace showing the failed connection)

In the next screenshot we can at least see that the client is attempting “Delegation” by supplying an SPN on the endpoint, and we can see which address the client is trying to connect to.

(Image: SecurityAudit3, client-side trace showing the endpoint address and SPN)

One way to troubleshoot WCF security connectivity issues is to add the “serviceSecurityAudit” behaviour to the service behaviours in the service host’s configuration:

<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <behavior>
        <serviceSecurityAudit
          auditLogLocation="Default"
          messageAuthenticationAuditLevel="SuccessOrFailure"
          serviceAuthorizationAuditLevel="SuccessOrFailure"
          suppressAuditFailure="true"
        />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>

This behaviour logs the security related events (message authentication and service authorization, both successes and failures) to the event log on the machine hosting the service, so they are viewed in the Event Viewer of the server, not the client. With suppressAuditFailure="true", a failure to write an audit entry does not fail the request itself.
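The same behaviour can be applied programmatically when the host is self-hosted, which is handy when you cannot touch the config file. This is an added example, not code from the original post; "ServiceModel Audit 4.0.0.0" is assumed to be the event source name used by the .NET 4.x audit provider, and the Application log is chosen because writing to the Security log needs the SeAuditPrivilege.

```csharp
using System;
using System.Diagnostics;
using System.ServiceModel;
using System.ServiceModel.Description;

// Programmatic equivalent of the serviceSecurityAudit behaviour from the post,
// applied to a ServiceHost before it is opened.
static class AuditHost
{
    public static ServiceHost CreateAuditedHost(Type serviceType, Uri baseAddress)
    {
        var host = new ServiceHost(serviceType, baseAddress);

        // If app.config already contributed an audit behaviour, reconfigure it
        // rather than adding a second one (a duplicate behaviour throws on Open()).
        var audit = host.Description.Behaviors.Find<ServiceSecurityAuditBehavior>();
        if (audit == null)
        {
            audit = new ServiceSecurityAuditBehavior();
            host.Description.Behaviors.Add(audit);
        }

        // Application log is writable without SeAuditPrivilege, so the entries
        // show up on a plain development box as well as a hardened server.
        audit.AuditLogLocation = AuditLogLocation.Application;
        audit.MessageAuthenticationAuditLevel = AuditLevel.SuccessOrFailure;
        audit.ServiceAuthorizationAuditLevel = AuditLevel.SuccessOrFailure;
        // true: a failure to write the audit entry never fails the request.
        audit.SuppressAuditFailure = true;
        return host;
    }

    // Print the most recent WCF audit entries so the connecting identity and
    // the failure reason can be read without opening Event Viewer.
    public static void PrintRecentAudits(int max = 20)
    {
        const string source = "ServiceModel Audit 4.0.0.0"; // assumed source name
        using (var log = new EventLog("Application"))
        {
            int shown = 0;
            for (int i = log.Entries.Count - 1; i >= 0 && shown < max; i--)
            {
                var e = log.Entries[i];
                if (!string.Equals(e.Source, source, StringComparison.Ordinal)) continue;
                Console.WriteLine("{0} [{1}] {2}", e.TimeGenerated, e.EntryType, e.Message);
                shown++;
            }
        }
    }
}
```

Call CreateAuditedHost with your own service type, Open() it, reproduce the failing client call, then PrintRecentAudits() shows the same authentication and authorization entries the screenshots below were taken from.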

Below is an example of such an audit. In the first image it is clearly visible that the connecting user is using impersonation and trying to log on as an anonymous user, which explains why it is being refused access to the service.

(Image: SecurityAudit1, server-side audit entry for the refused anonymous logon)

In the next screenshot you can see the user connecting with the correct security settings.

(Image: SecurityAudit2, server-side audit entry for the successful connection)
