My WCF webservice runs on IIS 8.0 on Windows Server 2012 in an environment with multiple domains: the application pool runs using a service account in the SERVER domain (let's say SERVER\WsSvc01).
My WCF webservice uses a PrincipalPermissionAttribute like this:
    [PrincipalPermission(SecurityAction.Demand, Role = "grp_WsUsers")]
    public string Echo(string message)
    {
        return string.Format("{0:o}: {1}", DateTime.Now, message);
    }
There is a grp_WsUsers Active Directory group in both client domains. Users from the CLIENT-OLD domain who are members of CLIENT-OLD\grp_WsUsers can access the service; users from the CLIENT-NEW domain can't.
If I include both groups explicitly, all users can access the service:
    [PrincipalPermission(SecurityAction.Demand, Role = "CLIENT-OLD\\grp_WsUsers")]
    [PrincipalPermission(SecurityAction.Demand, Role = "CLIENT-NEW\\grp_WsUsers")]
    public string Echo(string message)
    {
        return string.Format("{0:o}: {1}", DateTime.Now, message);
    }
What is happening here? If I have to specify the groups explicitly, why does it work at all in the first place? How can I track down the differences between the two groups?
So I finally figured it out:
The permission check invoked by the PrincipalPermissionAttribute simply looks for the first group with that name in any domain it comes across, and stops after that even if the current user is not a member of that group. So in my case the implementation looked for the group in the CLIENT-OLD domain first, and since a group with the name in question exists there, it checks all users against this specific group (the group's SID, I assume).
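One way to make the role check unambiguous is to resolve each domain-qualified group name to its SID up front and compare against the caller's token groups, so a same-named group in another domain can never be matched by accident. This is an added example, not code from the question or the answer above; the group names, the Demand() helper and the WCF wiring are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Security.Principal;
using System.ServiceModel;

// Added example: SID-based membership check in place of an unqualified role name.
public static class DomainQualifiedRoleCheck
{
    // Assumed group names; one entry per domain that is allowed to call the service.
    private static readonly string[] AllowedGroups =
    {
        @"CLIENT-OLD\grp_WsUsers",
        @"CLIENT-NEW\grp_WsUsers",
    };

    // Translate "DOMAIN\group" to its SID once at startup. An unknown or ambiguous
    // name throws IdentityNotMappedException here instead of silently matching
    // whatever group of that name is found first.
    private static readonly HashSet<SecurityIdentifier> AllowedSids =
        new HashSet<SecurityIdentifier>(
            AllowedGroups.Select(name =>
                (SecurityIdentifier)new NTAccount(name).Translate(typeof(SecurityIdentifier))));

    // identity.Groups already contains SIDs, so this is a SID-to-SID comparison
    // and the display name of the group plays no part in the decision.
    public static bool IsAuthorized(WindowsIdentity identity)
    {
        if (identity == null || identity.Groups == null) return false;
        return identity.Groups.OfType<SecurityIdentifier>().Any(AllowedSids.Contains);
    }

    // Hypothetical helper to call from a WCF operation instead of the attribute.
    public static void Demand()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || !IsAuthorized(ctx.WindowsIdentity))
            throw new SecurityException("Caller is not a member of an allowed grp_WsUsers group.");
    }
}

public class EchoService
{
    public string Echo(string message)
    {
        DomainQualifiedRoleCheck.Demand();
        return string.Format("{0:o}: {1}", DateTime.Now, message);
    }
}
```

Because the allowed SIDs are resolved at type initialisation, a misspelled or missing group shows up as a startup failure rather than as callers from one domain being quietly rejected.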