tags:

views:

1587

answers:

1
+1  Q: 

WCF:Relationship between NetworkCredential and Impersonation

I have a WCF service hosted in IIS 7 in the default app pool in Integrated mode with anonymous access disabled and windows Authentication enabled.

I have put the following attribute on the method implementation for my interface.

[OperationBehavior(Impersonation = ImpersonationOption.Required)]

If I do not supply network credentials in the call to my service I get the expected behavior in that the following are true:

ServiceSecurityContext.Current.WindowsIdentity.Name = myDomain\myUser
ServiceSecurityContext.Current.PrimaryIdentity.Name = myDomain\myUser
Thread.CurrentPrincipal.Identity.Name = myDomain\myUser
I can connect to a database on a remote system using SSPI and myDomain\myUser authentication.
WindowsIdentity.GetCurrent().Name = myDomain\myUser
I can use Thread.CurrentPrincipal.IsInRole() to verify the user is in a role.
I can use WindowsIdentity.GetCurrent().Groups to retrieve a list of groups for the user.

But if I supply network credentials using the following:

var networkCredential = new NetworkCredential(user, pwd, dom);
base.ClientCredentials.Windows.ClientCredential = networkCredential;
base.ClientCredentials.Windows.AllowNtlm = true;      
base.ClientCredentials.Windows.AllowedImpersonationLevel 
          = System.Security.Principal.TokenImpersonationLevel.Delegation;

Then all of the above is the same EXCEPT the database connection and two of the groups listed are different. The connection to the database is being made using the NT Authority\Anonymous login user. Using the NetworkCredentials puts the user in the NT Authority\Network group rather than NT Authority\Interactive and additionally the LOCAL group is removed.

My goal is to make the connection to the database using the credentials passed by NetworkCredential, any advice would be appreciated.

Shane Holder

A: 

Sounds like typical double-hop issues.

I am guessing in your working scenario that Kerberos is getting used by default which will get you a Delegation token on the remote server.

In the second scenario it is not using Kerberos because of the supplied user/pass and that does not support getting a Delegation token.

The only other way to get a Delegation token on the remote server that I am aware of is to use Basic Authentication (with SSL), a complete pain.

Concerning the credentials double hop issue

Rob McCready  2009-03-26 18:18:13
I added reviewing the WindowsIdentity.GetCurrent().AuthenticationType and it is Kerberos in both scenarios. Also when sending the credential I am setting the AllowedImpersonationLevel to Delegation expecting that I would be able to delegate.
ShaneH  2009-03-26 18:35:24
cast the Thread.CurrentPrincipal.Identity to a WindowsIdentity and check ImpersonationLevel on the server
Rob McCready  2009-03-26 19:06:28
The ImpersonationLevel is Impersonation in both cases.
ShaneH  2009-03-26 21:02:18
If both are only Impersonation Tokens then even the first case would not be able to pass credentials from the middle server to the DB server.
Rob McCready  2009-03-26 23:18:16
I would normally agree, but if they are the same then the behavior should be the same, neither should be able to contact the server. Unless I'm looking at the wrong set of credentials, there are so many places to find IPrincipal that's is's difficult it know which none is used for the DB connection
ShaneH  2009-03-27 02:25:47
Did you ever get this working?
Rob McCready  2009-04-07 22:08:31

related questions

What is the difference: LoadUserProfile -vs- RegOpenCurrentUser
Impersonating users to access hives - various methods, what are the practical issues?
what user account does my IIS hosted wcf service run under?
Want my WCF service to run under the administrator account
Impersonation and Delegation
asp.net impersonation
Impersonate another user in Visual SourceSafe
ASP.NET Impersonation and SQL Server Trusted Connection Calls
can log4net be configured to run under its own identity?
System.Diagnostics: How to log using an identity
C#: Load roaming profile and execute program as user
ASP.NET: Impersonate against a domain on VMWare
ASP.NET aspx page code runs impersonated though impersonation is disabled
Need to Impersonate user forAccessing Network resource, Asp.Net Account
Impersonation MFC C++
Exchange Web Services, try to use ExchangeImpersonationType ...
How do I move files from one machine to another using ASP.NET?
Reading hidden share in C#
Calling WMPLib.mediaCollection methods from ASP.NET on IIS return empty lists
Is it possible to impersonate a user without logging him on?
Impersonation in .NET
Can I turn off impersonation just in a couple instances.
Is it possible to unit test a class that makes P/Invoke calls?
Impersonation in IIS 7.0
Sharepoint: executing stsadm from a timer job + SHAREPOINT\System rights