3

I have developed a .Net Library that uses the Core Service. This library is called from VBScript from a Workflow Automated Decision and uses Core Service to perform some activities related to that workflow process.

I was able to successfully connect to the service using a service account we have for Tridion:

// Generated WCF proxy; binding and endpoint are built separately (binding shown below)
CoreServiceClient client = new CoreServiceReference.CoreServiceClient(
                                                       binding, endpoint);
// Explicit Windows credentials for the Tridion service account
client.ChannelFactory.Credentials.Windows.ClientCredential = 
        new NetworkCredential(serviceAccountUsername, serviceAccountPassword);
// Delegation is the highest impersonation level the client can grant the service
client.ChannelFactory.Credentials.Windows.AllowedImpersonationLevel = 
        System.Security.Principal.TokenImpersonationLevel.Delegation;

With the relevant binding attributes set as the following:

// basicHttp endpoint: plain HTTP transport, Windows authentication of the caller
binding.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
binding.Security.Transport.ClientCredentialType = 
        HttpClientCredentialType.Windows;

The problem I am having is that when I make calls to the Core Service, I am getting the following Tridion Content Manager error on the CMS box:

Access is denied for the user NT AUTHORITY\NETWORK SERVICE.

How can I configure my client so that the operations are performed using the Tridion service account instead of NT AUTHORITY\NETWORK SERVICE?

Frank van Puffelen
Andrew Keller
  • Hey Andrew, I see that you accepted my answer. It is great to hear that you got the code to work. Can you tell us what you ended up doing? – Frank van Puffelen Aug 22 '12 at 12:51
  • @FrankvanPuffelen No problem, I switched to the SessionAwareCoreServiceClient and used a WsHttpBinding. Unfortunately even though the error message had the location listed as the line in the VbScript in the automated workflow activity that called my .Net Library, it was actually being caused by an event attached to ProcessInstance. I changed the session used in the event to impersonate the service account which resolved the permission issue. – Andrew Keller Aug 22 '12 at 14:42

1 Answer

7

If you want to run under a service account, you should probably be using a SessionAwareCoreServiceClient and then impersonate the account you want to use.

var client = new SessionAwareCoreServiceClient(binding, endpoint);
client.Impersonate("Administrator");

But since most of my Core Service clients are actually meant to run on a different machine, I can't use Impersonate (at least not without introducing a huge security leak), so instead I initialize my clients like this:

var client = ...
// Default: the Windows identity of the calling process
var credentials = CredentialCache.DefaultNetworkCredentials;
// If an explicit account is configured, authenticate as that account instead
if (!string.IsNullOrWhiteSpace(userName) && !string.IsNullOrWhiteSpace(password))
{
    credentials = new NetworkCredential(userName, password);
}
client.ChannelFactory.Credentials.Windows.ClientCredential = credentials;
Frank van Puffelen
  • Thanks for this. Is it possible to use the SessionAwareCoreServiceClient with a BasicHttpBinding? Or will I need to use a different binding type? – Andrew Keller Aug 20 '12 at 22:09
  • If you ***can*** use the `SessionAwareCoreServiceClient` over HTTP, it is protected in another way (e.g. by checking if the traffic comes from the local host). Otherwise it would certainly introduce an interesting security challenge: it would mean that code that runs on any machine and that connects over HTTP could suddenly pretend to be an administrator by saying `Impersonate("Administrator")`. But it could be that the `SessionAwareCoreServiceClient` is protected in another way (e.g. by checking if the traffic comes from the local host), so I'd just try it if I were you. – Frank van Puffelen Aug 20 '12 at 22:27
  • I now see that you want to run the code from an automated workflow activity, in which case you can also use `netTcp` if that would be a prerequisite for using `SessionAwareCoreServiceClient`. – Frank van Puffelen Aug 20 '12 at 22:37
  • Hi Frank... as this code will be on the Tridion server and the user will be accessing the custom page from their local machine... then how will userName and password be used for his login in the above code, as this is going to be taken from web.config [ if (!string.IsNullOrWhiteSpace(userName) && !string.IsNullOrWhiteSpace(password)) ]... actually I want the user who is accessing the custom page to appear in the Tridion history for any manipulations done in Tridion... please suggest – Manoj Singh Jan 18 '13 at 10:33
  • I suggest you open a new question. Also keep in mind that "please suggest", although friendly, is not a question. If you have a problem, you need a trainer or hire an expert from SDL or one of its partners. If you have a clear, well defined question that likely has a definitive answer, we'd love to help you here at StackOverflow. – Frank van Puffelen Jan 18 '13 at 19:29
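The following is an added example, written for this page and not code from the question, the answer, or SDL Tridion itself. It puts the two approaches discussed above side by side: a local, session-aware client that calls `Impersonate()` (the route the asker ended up using from the workflow event), and a remote client that authenticates with explicit Windows credentials and never impersonates. It also adds the one check the question was missing: asking the Core Service with `GetCurrentUser()` which identity it actually sees before doing any work, which is the quickest way to tell "service account" from "NT AUTHORITY\NETWORK SERVICE". Assumptions not taken from the page: the Tridion 2011 endpoint addresses, the 10 MB quotas, message-mode Windows security on the wsHttp endpoint (the stock configuration), the placeholder account `TRIDION\svc-workflow`, and the caveat that Tridion only honours `Impersonate()` when the Windows account that opened the channel is registered as an impersonation user in the Content Manager MMC snap-in, which is the real control that stops an arbitrary remote caller from saying `Impersonate("Administrator")`.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.ServiceModel;
using Tridion.ContentManager.CoreService.Client;

// Added example; not code from the question, the answer, or Tridion.
// Assumed: Tridion 2011 endpoint addresses, 10 MB quotas, placeholder account names.
public static class CoreServiceClients
{
    const int Quota = 10 * 1024 * 1024;

    // Local path: the caller runs on the CMS box (e.g. a workflow activity or
    // event handler) and uses the netTcp endpoint. Impersonate() only succeeds
    // when the Windows identity on the channel is an impersonation user
    // (assumption: Content Manager MMC snap-in, "Impersonation users").
    public static SessionAwareCoreServiceClient OpenLocalAs(string userToImpersonate)
    {
        var binding = new NetTcpBinding(SecurityMode.Transport)
        {
            MaxReceivedMessageSize = Quota,
            ReaderQuotas = { MaxStringContentLength = Quota, MaxArrayLength = Quota }
        };
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;

        var client = new SessionAwareCoreServiceClient(
            binding, new EndpointAddress("net.tcp://localhost:2660/CoreService/2011/netTcp"));
        client.Impersonate(userToImpersonate);
        return client;
    }

    // Remote path: authenticate as the service account with explicit Windows
    // credentials over wsHttp and never call Impersonate(). Message security with
    // Windows credentials is assumed to match the default wsHttp endpoint config.
    public static SessionAwareCoreServiceClient OpenRemoteAs(
        string host, string domain, string userName, string password)
    {
        var binding = new WSHttpBinding(SecurityMode.Message)
        {
            MaxReceivedMessageSize = Quota,
            ReaderQuotas = { MaxStringContentLength = Quota, MaxArrayLength = Quota }
        };
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        var client = new SessionAwareCoreServiceClient(
            binding, new EndpointAddress("http://" + host + "/webservices/CoreService2011.svc/wsHttp"));
        client.ChannelFactory.Credentials.Windows.ClientCredential =
            new NetworkCredential(userName, password, domain);
        // Impersonation lets the service act as this account on its own box;
        // Delegation (as in the question) would also let it forward the token to
        // other services, which a Core Service call does not need.
        client.ChannelFactory.Credentials.Windows.AllowedImpersonationLevel =
            TokenImpersonationLevel.Impersonation;
        return client;
    }

    // The check: ask the service whom it thinks we are. This is what separates
    // "runs as the service account" from "runs as NT AUTHORITY\NETWORK SERVICE".
    public static string EffectiveUser(SessionAwareCoreServiceClient client)
    {
        return client.GetCurrentUser().Title;
    }

    public static void Run()
    {
        const string serviceAccount = @"TRIDION\svc-workflow"; // placeholder
        SessionAwareCoreServiceClient client = null;
        try
        {
            client = OpenLocalAs(serviceAccount);
            string who = EffectiveUser(client);
            if (!who.Equals(serviceAccount, StringComparison.OrdinalIgnoreCase))
                throw new InvalidOperationException("Core Service sees caller as " + who);
            // ... workflow-related Core Service work goes here ...
            client.Close();
        }
        catch
        {
            if (client != null) client.Abort(); // never Close() a faulted WCF channel
            throw;
        }
    }
}
```

If `EffectiveUser` returns `NT AUTHORITY\NETWORK SERVICE`, the credentials set on the channel are not the ones the service is authenticating, which usually means a different client instance (in the asker's case, one created inside a ProcessInstance event) is doing the work under the hosting process identity. Keep the local, impersonating factory reachable only from code on the CMS box; exposing it to arbitrary callers turns every impersonation-enabled account into an "act as anyone" primitive.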