I'm trying to allow all users in the Administrators group access through WCF.

using System.Collections.ObjectModel;
using System.IdentityModel.Claims;
using System.Security.Principal;
using System.ServiceModel;

internal sealed class AuthorizationManager : ServiceAuthorizationManager
{
    public override bool CheckAccess(OperationContext operationContext)
    {
        // Honour the base policy result instead of discarding it.
        if (!base.CheckAccess(operationContext))
        {
            return false;
        }

        ReadOnlyCollection<ClaimSet> claimSets = operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets;
        ClaimSet claimSet = claimSets[0];

        foreach (var claim in claimSet.FindClaims(ClaimTypes.Sid, Rights.Identity))
        {
            SecurityIdentifier sid = (SecurityIdentifier)claim.Resource;
            NTAccount ntAccount = (NTAccount)sid.Translate(typeof(NTAccount));

            // This line throws an error. How can I convert a SecurityIdentifier to a WindowsIdentity?
            WindowsIdentity user = new WindowsIdentity(ntAccount.Value);

            WindowsPrincipal principal = new WindowsPrincipal(user);
            return principal.IsInRole(WindowsBuiltInRole.Administrator);
        }

        // No identity claim found: deny access.
        return false;
    }
}
+1  A: 

You have to authenticate. You have an identifier that identifies an account; it's isomorphic with an account name, i.e. SID S-1-5-domain-500 <=> DOMAIN\Administrator. A WindowsIdentity is a user that has been authenticated.

That said, I think the user you're trying to get has already been authenticated and is providing a claim of his/her account identity (SID).

JP Alioto
A: 

JP is correct. The claims provided include the SID of all user groups the user is a member of. Here is our solution.

using System.Collections.ObjectModel;
using System.IdentityModel.Claims;
using System.Security.Principal;
using System.ServiceModel;

internal sealed class AuthorizationManager : ServiceAuthorizationManager
{
    public override bool CheckAccess(OperationContext operationContext)
    {
        // Honour the base policy result instead of discarding it.
        if (!base.CheckAccess(operationContext))
        {
            return false;
        }

        ReadOnlyCollection<ClaimSet> claimSets = operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets;
        ClaimSet claimSet = claimSets[0];

        // Is this caller a member of the local Administrators group (BUILTIN\Administrators)?
        SecurityIdentifier adminsSid = new SecurityIdentifier("S-1-5-32-544");
        foreach (var claim in claimSet.FindClaims(ClaimTypes.Sid, Rights.PossessProperty))
        {
            if (adminsSid.Equals(claim.Resource))
            {
                return true;
            }
        }

        // No matching group SID: deny access.
        return false;
    }
}
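As an added example (not code from either answer above), here is the same group-SID check generalized a little: it walks every claim set rather than only `claimSets[0]`, keeps the base `CheckAccess` result, refuses anonymous callers, and resolves the Administrators group from `WellKnownSidType` instead of a hard-coded string. The class name `GroupSidAuthorizationManager`, the helper `HasAnyGroupSid` and the user SID in the demo are all hypothetical/constructed; the code assumes a .NET Framework project referencing `System.IdentityModel` and `System.ServiceModel`. The demo builds `DefaultClaimSet` instances by hand to stand in for what WCF produces from Windows authentication, so the matching logic can be exercised without a running service.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical authorization manager (added example, not from the original post):
// grants access when any PossessProperty SID claim in the caller's claim sets
// matches one of the allowed group SIDs.
internal sealed class GroupSidAuthorizationManager : ServiceAuthorizationManager
{
    private readonly HashSet<SecurityIdentifier> allowedGroups;

    public GroupSidAuthorizationManager(params WellKnownSidType[] groups)
    {
        allowedGroups = new HashSet<SecurityIdentifier>();
        foreach (WellKnownSidType group in groups)
        {
            // The domain SID is null for built-in groups such as BUILTIN\Administrators.
            allowedGroups.Add(new SecurityIdentifier(group, null));
        }
    }

    // Pure membership check, kept apart from WCF so it can be run against constructed claim sets.
    public static bool HasAnyGroupSid(IEnumerable<ClaimSet> claimSets, ICollection<SecurityIdentifier> groups)
    {
        foreach (ClaimSet claimSet in claimSets)
        {
            // PossessProperty SID claims carry the caller's group memberships;
            // the Rights.Identity claim carries only the user's own SID.
            foreach (Claim claim in claimSet.FindClaims(ClaimTypes.Sid, Rights.PossessProperty))
            {
                SecurityIdentifier sid = claim.Resource as SecurityIdentifier;
                if (sid != null && groups.Contains(sid))
                {
                    return true;
                }
            }
        }
        return false;
    }

    public override bool CheckAccess(OperationContext operationContext)
    {
        // A caller the base policy rejects stays rejected.
        if (!base.CheckAccess(operationContext))
        {
            return false;
        }

        ServiceSecurityContext context = operationContext.ServiceSecurityContext;
        if (context == null || context.IsAnonymous)
        {
            return false;
        }

        return HasAnyGroupSid(context.AuthorizationContext.ClaimSets, allowedGroups);
    }
}

internal static class Demo
{
    static void Main()
    {
        SecurityIdentifier adminsSid = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
        SecurityIdentifier usersSid = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
        // Constructed user SID for the demo; it does not refer to any real account.
        SecurityIdentifier userSid = new SecurityIdentifier("S-1-5-21-1000-2000-3000-1001");

        // Constructed claim sets standing in for what WCF builds from Windows authentication.
        ClaimSet adminCaller = new DefaultClaimSet(
            Claim.CreateWindowsSidClaim(userSid),
            Claim.CreateWindowsSidClaim(usersSid),
            Claim.CreateWindowsSidClaim(adminsSid));
        ClaimSet plainCaller = new DefaultClaimSet(
            Claim.CreateWindowsSidClaim(userSid),
            Claim.CreateWindowsSidClaim(usersSid));

        HashSet<SecurityIdentifier> allowed = new HashSet<SecurityIdentifier> { adminsSid };
        Console.WriteLine("admin caller allowed: " +
            GroupSidAuthorizationManager.HasAnyGroupSid(new[] { adminCaller }, allowed));
        Console.WriteLine("plain caller allowed: " +
            GroupSidAuthorizationManager.HasAnyGroupSid(new[] { plainCaller }, allowed));
    }
}
```

With the constructed claim sets, the first call returns true and the second false. To wire the manager into a service, assign an instance to `ServiceHost.Authorization.ServiceAuthorizationManager` (e.g. `new GroupSidAuthorizationManager(WellKnownSidType.BuiltinAdministratorsSid)`); if you ever need a domain group rather than a built-in one, pass the domain SID as the second `SecurityIdentifier` constructor argument instead of null.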