最近遇到一个客户问题,我们的程序没法连接WCF服务。我们的WCF服务采用了windows认证,已经确定服务端口没有占用,server可以ping通。但连接的时候还是会提示
1
The communication object, System.ServiceModel.Channels.ServiceChannel, cannot be used for communication because it is in the Faulted state.
一番研究之后发现问题出在客户端机器security policy setting。用户删掉了Users用户组,导致出了问题。
Whenever a new application pool is created, the IIS management process creates a security identifier (SID) that represents the name of the application pool itself. the identity is not a real user account; it will not show up as a user in the Windows User Management Console.
IIS will run worker processes as the application pool identity. Ref 1
ApplicationPoolIdentity is a LOCAL user (generated by IIS, its identity is not known until runtime) thus any attempt to access anything on the network would result in it using the COMPUTER$ account.Ref 2
The domain\machine-name$ naming convention is used to denote the computer account of a domain joined machine. In regards to its usability, any service running as Local System or Network Service on that machine will authenticate across the network as domain\machine-name$.Ref 3
When a service runs under the LocalSystem account on a computer that is a domain member, the service has whatever network access is granted to the computer account, or to any groups of which the computer account is a member.Ref 4
application pool identities also use the machine account to access network resources. Ref 5
Authenticated Users includes every authenticated object to Active Directory, which would include all domain users, groups (defined and part of AD), and computers that have been joined to the domain.Ref 6
