How to enable impersonation?

    Question

  • I have configured my service for Windows authentication, and I would like to impersonate the Windows account when queries are executed against my entity model. I have tried adding <serviceAuthorization impersonateCallerForAllOperations="true"/> to my web.config but I get the error "The service operation 'ProcessRequestForMessage' that belongs to the contract with the 'IRequestHandler' name and the 'http://tempuri.org/' namespace does not allow impersonation.". I also looked into wrapping DataService<T> so that I could add the ServiceModel attributes to require impersonation but unfortunately IDataService is internal.

    Wednesday, June 10, 2009 5:53 PM

Answers

  • I think that the answer is "YES", but do you have this in your web.config?

    <system.web>
      <identity impersonate="true"/>
    </system.web>


    And try to decorate your method with this attribute:
     [OperationBehavior(Impersonation = ImpersonationOption.Required)]


    or

     [OperationBehavior(Impersonation = ImpersonationOption.Allowed)]


    You must have this line in your web.config: <serviceAuthorization impersonateCallerForAllOperations="true"/>


    Bye :)

    • Marked as answer by Brian_Foster Friday, June 12, 2009 1:41 PM
    Friday, June 12, 2009 9:41 AM

All replies

  • Thanks Vincente,

    I should have mentioned that I was hoping for code-level impersonation support.

    The web.config entry of

    <system.web>
      <identity impersonate="true"/>
    </system.web>

    enables IIS-level impersonation rather than code-level impersonation, and therefore does not require any WCF service-level (or config-level) adornments for impersonation. But it does indeed work. Thanks for the response.

    -Brian
    Friday, June 12, 2009 1:41 PM
  • Adding this to my web.config didn't work for me. I still get the following error when the service is opened:

    The service operation 'ProcessRequestForMessage' that belongs to the contract with the 'IRequestHandler' name and the 'http://tempuri.org/' namespace does not allow impersonation.

    Any other ideas?

    Tuesday, July 31, 2012 2:36 PM
  • The IRequestHandler has to be configured to allow impersonation.

    Configure the behavior as follows:

    <behavior>
      <serviceCredentials useIdentityConfiguration="true" />
      <serviceAuthorization principalPermissionMode="Always" impersonateOnSerializingReply="true" />
    </behavior>

    See also http://stackoverflow.com/questions/17384002/wcf-data-service-with-wif-4-5-principal-not-set-for-post-requests


    • Edited by achibus Thursday, March 27, 2014 5:32 PM
    Thursday, March 27, 2014 5:31 PM
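
A review aid for the settings discussed in this thread, added here and not part of any post: it parses a web.config and reports which of the three impersonation switches quoted above are enabled, so a reviewer can see which layer is expected to switch to the caller's identity. The sample config is constructed, and the function name and result keys are illustrative assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the settings quoted in the thread combined in one file.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Windows"/>
    <identity impersonate="true"/>
  </system.web>
  <system.serviceModel>
    <behaviors><serviceBehaviors>
      <behavior>
        <serviceCredentials useIdentityConfiguration="true"/>
        <serviceAuthorization principalPermissionMode="Always"
                              impersonateOnSerializingReply="true"/>
      </behavior>
    </serviceBehaviors></behaviors>
  </system.serviceModel>
</configuration>"""


def _enabled(element, attribute):
    """True when the attribute is present and set to 'true' (any case)."""
    return (element.get(attribute) or "").strip().lower() == "true"


def audit_impersonation(config_xml):
    """Report which impersonation switches a web.config turns on."""
    root = ET.fromstring(config_xml)
    # Result keys are illustrative names, not WCF or ASP.NET terms.
    report = {
        "aspnet_identity_impersonate": False,        # <identity impersonate>
        "impersonate_all_operations": [],            # behavior names
        "impersonate_on_serializing_reply": [],      # behavior names
    }
    # <identity> under <system.web>, including inside <location> blocks.
    for system_web in root.iter("system.web"):
        for identity in system_web.findall("identity"):
            if _enabled(identity, "impersonate"):
                report["aspnet_identity_impersonate"] = True
    # <serviceAuthorization> inside each WCF service behavior.
    for behavior in root.iter("behavior"):
        name = behavior.get("name", "(unnamed)")
        for auth in behavior.findall("serviceAuthorization"):
            if _enabled(auth, "impersonateCallerForAllOperations"):
                report["impersonate_all_operations"].append(name)
            if _enabled(auth, "impersonateOnSerializingReply"):
                report["impersonate_on_serializing_reply"].append(name)
    return report
```
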