Exposing WCF Services from SharePoint

Feb 17, 2010 at 8:59 PM
Edited Feb 17, 2010 at 11:01 PM


We are creating a custom WCF service to provide SharePoint functionality that is not available through its built-in Web service. This WCF service consumes the SharePoint object model and we are following the recommendations of the SharePoint Guidance - Exposing WCF Services from SharePoint, e.g. deploy it on the same server, but host the service on a separate Web site than the SharePoint Web application, using a different port and application pool.

We are having problems with the permissions of the application pool identity of this new service. Whenever our service creates the SPSite object, it throws an exception due to permissions of its application pool identity.

We set the permissions for this identity based on the information from the book Inside Microsoft Windows SharePoint Services 3.0 (p. 300), and here they are:

  • Added this identity to the local groups IIS_IUSRS and WSS_WPG so that they have the proper permissions to access WSS system files as well as specific locations within the Windows Registry and IIS Metabase.
  • Granted the database role db_owner to this identity in the content database.
  • Granted the database roles public and WSS_Content_Application_Pools to this identity in the configuration database.

Does anyone know if there is any additional permission required for our service identity?

Thank you,



Feb 18, 2010 at 1:58 PM

Hi Luis,

can you try to add that identity to WSS_ADMIN_WPG group and try.




Feb 26, 2010 at 8:28 PM

Hi Appaji,

Thanks for your reply. That didn't work for us. The strange thing is that we were having this issue in only one server, this service was working fine on 2 other servers. Since developers do not have access with this problematic server, it makes harder for us to troubleshoot it. We noticed that the lack of permissions was not only to access the SharePoint object model, but to everything else. We were getting these two kinds of exceptions:

  • Service operations using the SharePoint Object Model: Request for the permission of type 'Microsoft.SharePoint.Security.SharePointPermission, Microsoft.SharePoint.Security, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c' failed.
  • Service operations not using the SharePoint Object Model: Request for the permission of type 'System.Security.Permissions.EnvironmentPermission, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

We couldn't figure out what was different in the code access security policy between the machine that works and the one that didn't. We ran caspol.exe -all -resolveperm to determine if the assembly has rights to execute and the security permission set returned was unrestricted. At the end, this is what we did to fix our problem:

  • Our client requires the physical directory of the service to be under Program Files. In the physical directory, we added permissions for the local group IIS_IUSRS as Read & execute, List folder contents, and Read. Note that the application pool identity is member of this group as mentioned on the first post.
  • We deployed the service assembly to the GAC. Not a surprise since GAC assemblies run with Full Trust.

So, I just want to share our experience that might be useful for someone else.