views:

264

answers:

2

I have a WCF service written in C# being hosted on a remote machine, running as the local administrator account. From my machine logged in as an active directory user, I am sending a command that simply tells it to open a file on the network. I have access to the file, but the administrator account on the host machine does not. I'm using the [OperationBehavior(Impersonation=ImpersonationOption.Required)] meta tag on the method that requires impersonation, and I have the credential type and security modes set correctly. I can verify that account is indeed trying to be impersonated by comparing Windows Identities, but I still get an access denied exception. I'm thinking it has something to do with active directory not authenticating the impersonated user. Is there something I'm missing?

+1  A: 

You also probably need to set up delegation from the web server to the file server. This will allow the file server to trust credentials that the web server has validated. See this MSDN article on how to set up delegation for your application, particularly the section on configuring AD.

tvanfosson
This is actually a managed application scenario, though I think that perhaps the AD server doesn't allow impersonation?
MGSoto
@MGS your web server has to be trusted by AD to delegate on behalf of a user. If it isn't trusted, it won't work.
Will
+2  A: 

You are entering the domain of Kerberos security and two hops-authentication.
You have two options:

  • Take the red pill: try to get the two hops-authentication to work. Make sure you have at least a Windows Server 2003 domain, time properly synchronized between all machines and set up proper delegation for the specific user/computer accounts. If you're really "lucky" you'll have to configure SPNs with SetSPN.

  • Take the blue pill: forget two hops-authentication, impersonate the WCF service under an account that has just enough rights, and check authorization in an earlier step.

Forgive my frustration, but I do think that my brief experience with this topic has cost me at least 10 years of my life. I hate to see that happen to anyone else. Anyways, this post should give you enough Google keywords if you're feeling brave.

Eventlog and network monitor are useful for debugging...

Zyphrax
Hmmm. I set up WebDAV using delegation with not a whole lot of trouble. Probably helped that we were already at Server 2003 domain and I have an army of Windows administrators to do the actual configuration.
tvanfosson
It's already becoming more of a hassle than it has to be, and I agree, I don't want to have to deal with Kerberos authentication. Looks like we are taking the easy way out and creating an application specific user with limited access.
MGSoto
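As an added illustration of the "blue pill" route described in the second answer (this is example code, not from the question or either answer): the operation runs under the service's own account, authorizes the caller against an AD group before touching the share, and traces the caller's token level, which explains why a second hop fails when the identity otherwise looks right. The group name `CONTOSO\FileReaders` and the share root are constructed placeholders.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IFileService
{
    [OperationContract]
    byte[] OpenFile(string relativePath);
}

public class FileService : IFileService
{
    // Placeholders: the AD group allowed to read through this service, and the
    // only share root the service account is granted read access to.
    private const string AllowedGroup = @"CONTOSO\FileReaders";
    private const string ShareRoot = @"\\fileserver\reports\";

    // No impersonation: the file is opened as the service account, so the
    // authorization decision has to be made here, in an earlier step.
    [OperationBehavior(Impersonation = ImpersonationOption.NotAllowed)]
    public byte[] OpenFile(string relativePath)
    {
        // Caller identity as authenticated by WCF on the first hop.
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;

        // Diagnostic for the red-pill symptom: a token below Delegation level
        // is valid on this machine but cannot be forwarded to the file server.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            Trace.TraceInformation("Caller {0} token level {1}: not forwardable",
                                   caller.Name, caller.ImpersonationLevel);

        var principal = new WindowsPrincipal(caller);
        if (!principal.IsInRole(AllowedGroup))
            throw new FaultException("Caller is not authorized to read files.");

        // Confine the request to the share root before opening anything with
        // the service account's rights.
        string fullPath = Path.GetFullPath(Path.Combine(ShareRoot, relativePath));
        if (!fullPath.StartsWith(ShareRoot, StringComparison.OrdinalIgnoreCase))
            throw new FaultException("Path is outside the permitted share.");

        return File.ReadAllBytes(fullPath);
    }
}
```

The service account itself then needs only read access to that share, which is the "just enough rights" the answer refers to.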