Tags: wcf, tridion, tridion-2011

Tridion CoreService Authentication/Impersonation


I have developed a .Net Library that uses the Core Service. This library is called from VBScript from a Workflow Automated Decision and uses Core Service to perform some activities related to that workflow process.

I was able to successfully connect to the service using a service account we have for Tridion:

CoreServiceClient client = new CoreServiceReference.CoreServiceClient(binding, endpoint);
client.ChannelFactory.Credentials.Windows.ClientCredential =
        new NetworkCredential(serviceAccountUsername, serviceAccountPassword);
client.ChannelFactory.Credentials.Windows.AllowedImpersonationLevel =
        System.Security.Principal.TokenImpersonationLevel.Delegation;

With the relevant binding attributes set as the following:

binding.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

The problem I am having is that when I make calls to the Core Service, I am getting the following Tridion Content Manager error on the CMS box:

Access is denied for the user NT AUTHORITY\NETWORK SERVICE.

How can I configure my client so that the operations are performed using the Tridion service account instead of NT AUTHORITY\NETWORK SERVICE?


Solution

  • If you want to run under a service account, you should probably be using a SessionAwareCoreServiceClient and then impersonate the account you want to use.

    var client = new SessionAwareCoreServiceClient(binding, endpoint);
    client.Impersonate("Administrator");
    

    But since most of my Core Service clients are actually meant to run on a different machine, I can't use Impersonate (at least not without introducing a huge security leak), so instead I initialize my clients like this:

    var client = ...
    var credentials = CredentialCache.DefaultNetworkCredentials;
    if (!string.IsNullOrWhiteSpace(userName) && !string.IsNullOrWhiteSpace(password))
    {
        credentials = new NetworkCredential(userName, password);
    }
    client.ChannelFactory.Credentials.Windows.ClientCredential = credentials;
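
The two client setups the answer describes, side by side, as an added worked example in C#; this is not code from the original question or answer. It assumes the generated proxy namespace `CoreServiceReference` from the question, the default Tridion 2011 endpoint paths (`basicHttp_2011` and `wsHttp_2011` under `/webservices/CoreService2011.svc`) and a Message/Windows-secured wsHttp binding for the session-aware endpoint; `cmsHost`, the user name and the password are placeholders. The `GetCurrentUser()` call at the end is the check that shows which account the server actually sees, which is how the "NETWORK SERVICE" symptom in the question can be diagnosed.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.ServiceModel;
// Generated Core Service proxy namespace (assumed, taken from the question).
using CoreServiceReference;

// Added example, not from the original question or answer.
public static class CoreServiceClientFactory
{
    // Mode A: explicit service-account credentials over basicHttp.
    // The caller must hold the password; the server authenticates exactly that account.
    // Endpoint path is an assumption (default Tridion 2011 layout).
    public static CoreServiceClient CreateWithExplicitCredentials(
        string cmsHost, string userName, string password)
    {
        var binding = new BasicHttpBinding { MaxReceivedMessageSize = int.MaxValue };
        binding.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

        var endpoint = new EndpointAddress(
            "http://" + cmsHost + "/webservices/CoreService2011.svc/basicHttp_2011");
        var client = new CoreServiceClient(binding, endpoint);

        // Fall back to the hosting process identity only when no account was supplied.
        // When the library is loaded into an IIS/COM+ process this identity is what the
        // CMS reports as NT AUTHORITY\NETWORK SERVICE.
        NetworkCredential credentials = CredentialCache.DefaultNetworkCredentials;
        if (!string.IsNullOrWhiteSpace(userName) && !string.IsNullOrWhiteSpace(password))
        {
            credentials = new NetworkCredential(userName, password);
        }
        client.ChannelFactory.Credentials.Windows.ClientCredential = credentials;
        // One hop to the Core Service only needs Impersonation; Delegation would let the
        // server forward the token to further back-ends, so it is not granted here.
        client.ChannelFactory.Credentials.Windows.AllowedImpersonationLevel =
            TokenImpersonationLevel.Impersonation;
        return client;
    }

    // Mode B: session-aware client plus Impersonate().
    // The connection authenticates as the calling process identity, which must be in the
    // group Tridion allows to impersonate; after Impersonate() the session acts as
    // `tridionUser` with no password check. This is why the answer keeps it on the CMS box.
    // Binding security mode and endpoint path are assumptions.
    public static SessionAwareCoreServiceClient CreateImpersonating(
        string cmsHost, string tridionUser)
    {
        var binding = new WSHttpBinding { MaxReceivedMessageSize = int.MaxValue };
        binding.Security.Mode = SecurityMode.Message;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        var endpoint = new EndpointAddress(
            "http://" + cmsHost + "/webservices/CoreService2011.svc/wsHttp_2011");
        var client = new SessionAwareCoreServiceClient(binding, endpoint);
        client.Impersonate(tridionUser);
        return client;
    }

    // Diagnostic: ask the server which Tridion user this channel runs as.
    // Returns the user's title (e.g. "DOMAIN\svc_tridion"), or the fault message.
    public static string WhoAmI(CoreServiceClient client)
    {
        try
        {
            var me = client.GetCurrentUser();
            client.Close();
            return me.Title;
        }
        catch (Exception ex)
        {
            client.Abort();
            return "error: " + ex.Message;
        }
    }

    public static void Main()
    {
        // Placeholder values; replace with your CMS host and service account.
        var client = CreateWithExplicitCredentials(
            "cms.example.local", "DOMAIN\\svc_tridion", "<service-account-password>");
        Console.WriteLine("Core Service sees me as: " + WhoAmI(client));
    }
}
```

Calling `WhoAmI` right after building the client is the quickest way to tell whether explicit credentials actually reached the server: if it prints the hosting process identity rather than the service account, the credential assignment is not on the code path the VBScript caller reaches. Mode B is deliberately kept as a separate factory so that the impersonation-capable path can be left out of any build that is deployed to a machine other than the CMS server.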