Doing ActAs with Geneva Server without a bootstrap token

  • Saturday, October 31, 2009 10:22 AM Jesper Hvid
    I’m in the middle of porting an ASP.NET web application. The web application heavily relies on doing client-side javascript invocation of ASP.NET asmx-based services.

    Imagine this scenario. The user logs into a passive ws-fed ASP.NET-based web application. The application produces rich client-side controls that call directly from the browser to ASMX-services in the application. The calls unfortunately are not AJAX calls since that would work just fine with the FedPassive cookies being transferred. Instead the calls are using windows authentication down to the ASMX-based services.

    The thing is that these ASMX-services called from the client-side browser need to call Geneva Framework-based services acting as the caller. The problem for me however, is that I can’t seem to figure out how to do proper act as without having an actual bootstrap token to attach to the requests. The only solution I can see is to do traditional constrained delegation on the service and create a new "strong" Kerberos token and then simply run as the user and use windows authentication against Geneva Server and get a token that way.

    I’d really really like to NOT have to use constrained delegation though since it’s a pain to set up and we’re talking about 7 actual web applications with many many services that would have to use this logic. Also, there’s a problem with this since I need the user’s UPN to do it and the users are coming from different forests that are trusted by the application’s domain. With just the user’s logon name it becomes tedious to work out the UPN.

    What I’d like to know is if there’s a way to do delegation against Geneva Server when all I have is the user’s logon name (the one I get from windows authentication)?

Answers

  • Saturday, October 31, 2009 11:37 AM Dominick Baier (MVP)
     Answer
    I don't get this part:

    " The calls unfortunately are not AJAX calls since that would work just fine with the FedPassive cookies being transfered. Instead the calls are using windows authentication down to the ASMX-based services."

    Are the ASMX services in a different app? Otherwise the fed cookie should just flow with the calls, no?

    Dominick Baier | thinktecture | http://www.leastprivilege.com
    • Marked As Answer by Jesper Hvid, Saturday, October 31, 2009 4:24 PM

All Replies

  • Saturday, October 31, 2009 12:08 PM Jesper Hvid
    They're in the same app, but I'm worried that since the cookies are HTTP only they will not flow, but I might be mistaken. I've not tested it yet as I was sure it would fail. Also, would the ASP.NET runtime even translate that correctly when we're talking ASMX? I've never tried it...
  • Saturday, October 31, 2009 12:09 PM Dominick Baier (MVP)
     
    Well - you either configure the cookies to flow over plain http (not recommended) - or use https for the asmx calls.

    ASMX is just like ASPX - so yes that would work.
    Dominick Baier | thinktecture | http://www.leastprivilege.com
  • Saturday, October 31, 2009 12:26 PM Jesper Hvid
    By HTTP only I mean cookies that are not available for client-script. I follow your idea though, and I'm gonna have to test it out and see what's what.

    Thanks for the idea though Dominick!
  • Saturday, October 31, 2009 4:24 PM Jesper Hvid
    Hi again,

    I've done my testing and sure enough you're right Dominick. The cookies are being passed just fine from the client and the Thread.CurrentPrincipal is a ClaimsPrincipal!

    Thanks for the help once again.
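The outcome of the thread is that the federated session cookie flows with script-initiated calls to same-app ASMX services, so the service sees a claims principal and can use the caller's bootstrap token for ActAs instead of Kerberos constrained delegation. The following is an added example, not code from the thread or from either participant, of what such an ASMX method looks like against the WIF 3.5 ("Geneva Framework") API. Everything outside the WIF and ASP.NET types is an assumption: the `IOrderService` contract, the `OrderServiceEndpoint` endpoint name, and the web.config fragment in the leading comment (in particular `saveBootstrapTokens="true"`, without which `BootstrapToken` is null).

```csharp
// Added example, not from the original thread. Assumes WIF 3.5 / Geneva Framework
// and an assumed web.config like:
//   <microsoft.identityModel>
//     <service saveBootstrapTokens="true">
//       <federatedAuthentication>
//         <!-- hideFromScript = HttpOnly: the browser still sends the cookie on same-app
//              calls; requireSsl keeps it off plain http, as recommended above. -->
//         <cookieHandler requireSsl="true" hideFromScript="true" />
//       </federatedAuthentication>
//     </service>
//   </microsoft.identityModel>
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.Threading;
using System.Web.Script.Services;
using System.Web.Services;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;

// Hypothetical downstream claims-aware WCF contract (name is an assumption).
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string GetOrderSummary(int orderId);
}

[WebService(Namespace = "http://example.invalid/orders")]
[ScriptService] // exposes the WebMethods to client-side script
public class OrdersAsmx : WebService
{
    [WebMethod]
    public string GetOrderSummary(int orderId)
    {
        // The FedAuth cookie accompanied the script call, so the WIF session module
        // has already set Thread.CurrentPrincipal to a claims principal.
        var principal = Thread.CurrentPrincipal as IClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("No federated session on this call.");

        // The bootstrap token (the original STS token) is only kept in the session
        // when saveBootstrapTokens="true" is configured.
        var identity = (IClaimsIdentity)principal.Identity;
        SecurityToken bootstrap = identity.BootstrapToken;
        if (bootstrap == null)
            throw new InvalidOperationException(
                "Bootstrap token missing: enable saveBootstrapTokens in web.config.");

        // ActAs: this service authenticates as itself to the STS and requests a token
        // that carries the browser user's identity in the ActAs element, so no
        // Kerberos delegation or UPN lookup is needed.
        var factory = new ChannelFactory<IOrderService>("OrderServiceEndpoint"); // assumed endpoint name
        IOrderService channel = factory.CreateChannelActingAs(bootstrap);
        try
        {
            return channel.GetOrderSummary(orderId);
        }
        finally
        {
            ((ICommunicationObject)channel).Close();
            factory.Close();
        }
    }
}
```

If `principal` turns out not to be an `IClaimsPrincipal`, the cookie did not reach the ASMX call; the usual causes are a cross-app (different path or host) request, a plain-http call against a `requireSsl="true"` cookie, or the WIF HTTP modules not being registered for the ASMX path.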