Impersonation using WCF

Question

Hi,

I am trying to expose via WCF Web services, functions that access SQL server (via Entity Framework) using the user's credentials (this is a client/dba requirement because of audit triggers etc. Gave up trying to convince them not to use user's credentials)

I am having trouble getting WCF to implement impersonation. (in fact its been a nightmare). I have added the

[OperationBehavior(Impersonation = ImpersonationOption.Allowed)]

attribute to my contract. But then it complained about BasicHttpContract not being able to do Window Impersonation. I've tried to change it to wsHttpBinding. Now the Metadata exchange is broken. So far, I am only trying to open the services in internet explorer, haven't even started connecting to it with the client yet. The relevant section of the web.config looks like below

<behaviors>
  <serviceBehaviors>
    <behavior name="AssetManagerBehavior">
      <serviceAuthorization impersonateCallerForAllOperations="true" />
      <!--
      -->
      <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
      <serviceMetadata httpGetEnabled="true" />
      <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
      <serviceDebug includeExceptionDetailInFaults="true" />
    </behavior>
  </serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />

    <services>
        <service name="AssetManager.ServiceInterface" behaviorConfiguration="AssetManagerBehavior">
            <endpoint  address="" binding="wsHttpBinding" contract="IAssetServices">
            </endpoint>
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/> 
        </service>
    </services>

<bindings>
  <wsHttpBinding>
    <binding name="test">
      <security mode="TransportWithMessageCredential" />
    </binding>
  </wsHttpBinding>
</bindings>

The relevant service interface class looks so

namespace AssetManager.ServiceInterface
{
[ServiceContract]
public interface IAssetServices
    { 
        [OperationContract]
        EmployeeDTO CreateNewEmployee(string firstName, string lastName);
    }
}

The actual implementation looks like this

namespace AssetManager.ServiceInterface
{
public class AssetManagerServices : IAssetServices
{

    #region IAssetServices Members

    [OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
    public EmployeeDTO CreateNewEmployee(string firstName, string lastName)
    {
    }
 }
}

I am using VS 2010, .net 4, IIS 7 (with following authentications enabled - Anonymous, ASP.NET impersonation, Basic Authentication, Digest Authentication and Windows Authentication). On the root web server in IIS, I clicked ISAPI and CGI Restrictions and allowed access to all extensions (asp.net 4.0 would probably be the relavent one)

My current hurdle is that it says "Metadata publishing for this service is currently disabled" when I browse to the location in IE. This also doesn't let me add service references.

As a final note, surely doing windows impersonation shouldn't be this difficult. What is the suggested way of doing impersonation for web services using WCF? In the asp.net world, it was as simple as adding <authentication mode="Windows"/> and <identity impersonate="true"/>

Answer 1

If you are using Transport level security, then it will be using the https protocol, not http.

You need to set

<serviceMetadata httpsGetEnabled=true />

(You currently only have httpGetEnabled).