3

I currently have a WCF service running in IIS7 and I have added impersonation on each of the public web methods with the following:

[OperationBehavior(Impersonation = ImpersonationOption.Required)]
public void TestMethod(){}

Whenever I call this method from my test client application I get the following error:

Could not load file or assembly 'System.Data.OracleClient, Version=4.0.0.0, Culture=neutral, PublicKeyToken=waeraewrar' or one of its dependencies. Either a required impersonation level was not provided, or the provided impersonation level is invalid.

I'm currently using Microsoft Enterprise Library 3.1, and .Net 4.0.

Sample code:

WcfService client = new WcfService();
client.TestMethod();
arc1880

2 Answers

1

Try configuring the client to allow an impersonation level of impersonation. For example:

<system.serviceModel>
    <client>
      <endpoint address="http://xxxxx/Services/xxService.svc"
                binding="wsHttpBinding"
                contract="IServiceContract"
                behaviorConfiguration = "ImpersonationBehavior" />
    </client>
    <behaviors>
      <endpointBehaviors>
        <behavior name="ImpersonationBehavior">
          <clientCredentials>
            <windows allowedImpersonationLevel="Impersonation" />
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
</system.serviceModel>

See this article for more on impersonation and delegation.

Andrew Shepherd
  • 1
    Is it necessary to configure all clients with an impersonation level? How are the user's credentials sent over to the WCF service? Is this part of the SOAP message? – arc1880 Nov 30 '10 at 09:16
  • 1
    Your client shouldn't really give the service the powerful "Delegation" impersonation level unless it really needs to and trusts the service not to misuse it. In principle "Delegation" should only be needed if the service implementation needs to access some resource on a different box using the remote client's identity. – Chris Dickson Nov 30 '10 at 10:20
  • 1
    This solution does work. Also, if you set the AllowedImpersonationLevel programmatically, it works as well. But is the username and password sent over in the SOAP message? If the impersonation level needs to be set in the web config or programmatically, how would a Java application use the WCF service? – arc1880 Nov 30 '10 at 23:24
  • @arc1880: Thanks for letting me know it works. Just curious - if you set the impersonation level to "Impersonation" does it still work? If so, you should do that instead (for the reason that Chris Dickson stated). I'm not sure I have the knowledge to properly answer your other question. I think it's a good question - you should post a separate stackoverflow question. – Andrew Shepherd Nov 30 '10 at 23:45
  • @Andrew Shepherd: Yes it does work if the impersonation level is set to "Impersonation". – arc1880 Dec 01 '10 at 02:13
  • @arc1880: OK, I'll change the answer. – Andrew Shepherd Dec 01 '10 at 03:06
0

The error message suggests that the problem is that the impersonating user doesn't have access to the System.Data.OracleClient assembly DLL in the file system, and thus can't load it.

Can you not cause the System.Data.OracleClient assembly to be first loaded by code outside the service methods requiring impersonation, i.e. by code running with the IIS worker process identity? For example, in your service instance constructor.

Once the assembly is loaded into the service's AppDomain, the service methods running under impersonation shouldn't need to do so again.

Chris Dickson
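
Both answers combined in one added example (not code from either poster): the service preloads System.Data.OracleClient in a static constructor, as the second answer suggests, and the test client sets the impersonation level in code instead of in config. The endpoint URL is a placeholder, the string return type of TestMethod is a change made here so the caller can see which identity the operation ran as, and the static constructor running before impersonation begins is an assumption taken from the second answer.

```csharp
using System;
using System.Data.OracleClient;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IServiceContract
{
    [OperationContract]
    string TestMethod();   // returns a string here (assumption) to report the identity
}

public class WcfService : IServiceContract
{
    public static readonly string PreloadedAssembly;

    // Runs once per AppDomain, when WCF first creates the service instance.
    // Assumption (from the second answer): this happens under the IIS worker
    // process identity, before the operation is invoked with the caller's token.
    static WcfService()
    {
        // Touching a type from the assembly makes the CLR load it now.
        PreloadedAssembly = typeof(OracleConnection).Assembly.FullName;
    }

    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string TestMethod()
    {
        // Report who the thread runs as and which level the client granted.
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        return WindowsIdentity.GetCurrent().Name + " (" + caller.ImpersonationLevel + ")";
    }
}

public static class TestClient
{
    public static void Main()
    {
        var factory = new ChannelFactory<IServiceContract>(
            new WSHttpBinding(),
            new EndpointAddress("http://localhost/Services/ExampleService.svc")); // placeholder URL
        // Code equivalent of <windows allowedImpersonationLevel="Impersonation" />.
        // Grant Impersonation, not Delegation, unless the service must reach another machine as the caller.
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
        IServiceContract channel = factory.CreateChannel();
        Console.WriteLine(channel.TestMethod());
        factory.Close();
    }
}
```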