Debugging a WCF Data Services problem
I was asked to help out with a problem with the deployment of a multi-tiered application from the development environment (where everything works) to the QA environment. The basic issue is that where everything works in the development environment, the QA environment is rejecting connection requests to the WCF Data Service. The exception returned is a “401-Unauthorized: Access is denied due to invalid credentials”
Debugging steps we took:
Step 1: from the client machine, try to ping the remote server. Expected result – successful return of ping test
Step 2: validate via simple console application that the issue is reproducible as working in dev and broken in QA
Step 3: check the QA server’s logs (application, security, and IIS logs) to find the exact error codes. FYI, some development machines don’t have the IIS logging feature turned on. Follow these instructions to do so.
Step 4: Find nothing especially useful so turn to Bing and Google, where the most relevant page is this totally useless forums post: http://social.msdn.microsoft.com/Forums/en-US/adodotnetdataservices/thread/4065e321-d605-4cd7-8399-c5ebf2e0021c/
Step 5: Casting about in the dark, try creating a new test function in the service itself so that the GET service attempts to do the update for us – thereby eliminating the SQL connection as the potential problem.
Step 6: Last ditch effort – validate that the Services folder allows EVERYONE full control and retest. SUCCESS! Back out the EVERYONE user and put in the AppPool user so that we’re running in more of a Least Privileges manner (slightly…who can identify the security hole here?). SUCCESS continues.
In this particular case, the issue turns out to be that the AppPool user requires Modify permissions to the .svc file on the file system. Why? No idea! We simply found that the Domain Users with Read & Execute permissions was an insufficient setting.