We are using impersonation in our WCF Service so that credentials of the user can flow to the backend layer (where authorization is done). Strangely we were getting Access Denied errors when the client tries to connect to the service. The error message was like:
Could not load file or assembly ‘MyAssembly, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null’ or one of its dependencies. Access is denied.
This was very frustrating to say the least. The first thing to do was search the internet with the error message and sure enough, several other people had faced the same issue but nobody had a good solution for the problem. The problem was that the code was running under the identity of the user (because we were using impersonation) and when the assemblies were shadow copied to the “Temporary ASP.NET Files” directory (C:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files), the user did not have write permissions to that directory and hence the Access denied error.
Note: I should say that the Fusion Log Viewer was extremely helpful in identifying the problem and helping to make sure that the problem was resolved.
The obvious solution is to give users write permission to that folder. The testing team decided that this could a potential security issue (even though this was an internal application and permissions were given only to authenticated users). So we began hunting for other solutions and came up with more solutions.
- Run aspnet_regiis –ga “authenticated users”.
This seemed to fix the problem, but it turned out that it was just a variation of granting authenticated users permission to the Temporary ASP.NET Files folder. What this command does is add the user/user-group to the IIS_USRS groups which is already set to have modify permissions on the Temporary ASP.NET Files folder. It works, but we are back to square one.
- Disable Shadow copying of assemblies
As I mentioned earlier, the problem was occurring while shadow copying the assemblies to the temp location. The primary purpose of shadow copying is to do dynamic compilation and hot-swapping files. Dynamic compilation does not apply to WCF as much as for ASP.NET. Also we were not very concerned about the hot-swapping of files, so this was a credible option for us. But what concerned us was that we couldn’t find any info about any other side effects of disabling shadow copying. To disable shadow copy, add the following in your web.config inside the configuration section.
<system.web> <hostingEnvironment shadowCopyBinAssemblies="false"/> </system.web>
The good thing about this option is that it does not require a code change and is easy to revert and also there doesn’t appear to be any security issues.
- Move impersonation to the end of the call stack
Since the problem occurs because the assembly loading happens in the identity of the user, we could do away with declarative impersonation and do an imperative style impersonation where impersonation is done only when making calls to the backend system. To make it more clear, we were doing impersonation like:
[OperationBehavior(Impersonation = ImpersonationOption.Required)] public Response DoSomething(Request request) { return request.Execute(); }
Instead we could do impersonation only while calling the backend code:
WindowsIdentity callerWindowsIdentity = ServiceSecurityContext.Current.WindowsIdentity; if (callerWindowsIdentity == null) { throw new InvalidOperationException("The caller cannot be mapped to a WindowsIdentity"); } using (callerWindowsIdentity.Impersonate()) { // Make backend calls }
This is definitely a good solution, but has atleast two drawbacks. The first problem (not a big one) is that it requires a code change. The second problem is a performance one and happens only if the backend calls are webservice calls. The reason for this is that the webservice calls usually require a XmlSerializers dll which is generated by Visual Studio and usually deployed along with the application. If this assembly is not present, the runtime will create one dynamically. This can cause a perf hit. Since we do impersonation before making the backend call, the XmlSerializer assembly is loaded in the identity of the user and will fail. But the CLR, failing to bind the assembly, will synthesize one for you thus causing a perf hit.
If your backend calls are not webservice calls, then this is a reasonable workaround for you.
- Pre-load the assemblies
What we understood from the Fusion Logs was that the assembly loading was happening under the identity of the end user who does not have adequate permissions. So one thing we can do is to pre-load the assemblies when the service is running as the network service account. To do this, we created a Global.asax file and in the Application_Start event handler, we refer to types in all the assemblies of the service, thus forcing them to be loaded even before the first request is processed. The code looks something like this:
namespace MyService { public class Global : System.Web.HttpApplication { protected void Application_Start(object sender, EventArgs e) { //Make sure all the dlls are loaded Action action = new Action(null);
EntityOperations.EntityOperationsFactory.CreateOperation();
DataAccess.DaoFactory.CreateDao();
WebServiceLibrary.WebServiceGateway.Initialize(null); }
}
}
Using the Fusion Logs we were able to see that the assemblies were getting loaded under the identity of the network service account. We could also see that the XmlSerializers were also getting loaded correctly.
This solution might feel a little icky because of its unconventional nature but I think it is a brilliant solution and it seems to work correctly. We have decided to adopt this solution for our project.
- Change the shadow copy directory to a directory inside the website directory
Frankly I never tried this one out and don’t know if it works, but it is worth some investigation if none of the solutions outlined above works for you.
I will make a follow up post or edit this one, if I find problems with the solutions mentioned here or if I find better solutions.