
Answered Windows Identity flow across WCF Web Services tiers

  • Wednesday, March 26, 2008 7:02 PM
     
     

    I have a scenario very similar to http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1000914&SiteID=1

    where I want to get the windows identity of the original caller through intermediate web services to the last tier which is also a web service.

    I tried what was suggested in the post above - enabling delegation in the client's app.config using the clientCredentials behavior

    <behaviors>
      <endpointBehaviors>
        <behavior name="ServiceClientBehavior">
          <clientCredentials>
            <windows allowedImpersonationLevel="Delegation" />
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>

     

    It still does not work for me.

    I tried both Thread.CurrentPrincipal.Identity.Name and System.ServiceModel.OperationContext.Current.ServiceSecurityContext.WindowsIdentity.Name in every tier in order to get the identity of the caller.

    Only the first WS gets the domain\username; the next tier gets NT Authority\Network Service.

    Is there anything else I should do? Anybody done this before?

    Thanks

Answers

  • Thursday, March 27, 2008 3:10 AM
     
     Answered
    OK mate, I have got the answer for you.

    Client End point Behavior

    <endpointBehaviors>
      <behavior name="MyEndPointBeh">
        <clientCredentials>
          <windows allowedImpersonationLevel="Delegation"/>
          <httpDigest impersonationLevel="Delegation"/>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>



    Make sure that you add "Trust this computer for delegation" in the Active Directory domain controller.

    All the services which need to impersonate need to have
    [OperationBehavior (Impersonation= ImpersonationOption.Required)]

    I am using basicHttpBinding, and here is the server service config:

    <basicHttpBinding>
      <binding name="MyBasic" allowCookies="true">
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </basicHttpBinding>

    Make sure that if the client is the website, it has Basic Authentication on. It will not work with Integrated Windows Authentication on the client web server.

    Hope this helps!

    Cheers

All Replies

  • Wednesday, March 26, 2008 11:08 PM
     
     
    I have the same problem but haven't got any response till now...

    If you get the answer, please let me know as well.

    Here is my post with no answer:

    http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=3056571&SiteID=1

  • Tuesday, October 04, 2011 9:14 PM
     
     
    I don't know if this will help anyone, but I had this problem. The problem was due to the identity setting of the Application Pool that my service was using in IIS. If you set the appropriate identity there, you should be good. In my case, the default was set to NT Authority\Network Service.
  • Wednesday, October 05, 2011 2:17 AM
     

    Hi

    • If you are using Kerberos security, you have to set the SPN for the machine and the user that runs the pool.
    • The identity of the appPool in IIS has to be trusted for delegation (configure this in Active Directory Users). Maybe you should create a generic user, grant it trusted for delegation and point the identity of the appPool to that generic user.
    • The client config has to have the SAME SPN as the service. It is in the WSDL of the service.

    Tips:

    I suggest you try netTcpBinding first because it is more Windows-security-like; see if you can resolve it there first, then go to basicHttpBinding.

    Look at the Event Viewer, in the Application and Security logs of each tier, to see what's happening.

    Try to impersonate programmatically on each tier to see what happens with the SAME user in the appPool:

    ServiceSecurityContext.Current.WindowsIdentity.Impersonate()

    It's quite tricky. There are a lot of tweaks regarding infrastructure configuration and code.

    Good Luck

     


    Alberto Cardoso
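The tips in the post above (impersonate programmatically on each tier, match the service SPN on the client, try netTcpBinding first) are worth turning into a small probe that each tier can host while the delegation chain is being debugged. The following is an added example and not Alberto's code or anything from the thread; the probe contract, the tier label, and the SPN and URL values are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

public static class HopDiagnostics
{
    // One line describing the token a tier actually received.
    // level=Delegation is the only value from which the next hop can be
    // made as the caller; Impersonation means the next hop goes out as the
    // app-pool account; auth=NTLM means Kerberos was never negotiated
    // (typically a missing or wrong SPN), and NTLM tokens cannot delegate.
    public static string Describe(string tier, WindowsIdentity id)
    {
        bool canDelegate = id.ImpersonationLevel == TokenImpersonationLevel.Delegation;
        return string.Format("{0}: user={1} auth={2} level={3} canDelegate={4}",
            tier, id.Name, id.AuthenticationType, id.ImpersonationLevel, canDelegate);
    }

    // Client-side endpoint identity for the post's third point: the SPN the
    // client presents must be the one registered for the account the
    // service's app pool runs as. Both arguments are assumed values.
    public static EndpointAddress AddressWithSpn(string url, string spn)
    {
        return new EndpointAddress(new Uri(url), EndpointIdentity.CreateSpnIdentity(spn));
    }

    // The netTcpBinding variant the post suggests trying first.
    public static NetTcpBinding TcpWindowsBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        return binding;
    }
}

[ServiceContract]
public interface IHopProbe
{
    [OperationContract]
    string Probe();
}

// Impersonation is done by hand inside the operation, as the post suggests,
// rather than with ImpersonationOption.Required, so the app-pool identity
// and the caller's identity can both be reported from the same call.
public class HopProbe : IHopProbe
{
    [OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
    public string Probe()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous || ctx.WindowsIdentity.IsAnonymous)
            return "caller was not Windows-authenticated";

        // Not impersonating yet: this is the account the pool runs as,
        // i.e. the NT Authority\Network Service the question reported.
        string pool = "appPool=" + WindowsIdentity.GetCurrent().Name;

        string impersonated;
        using (ctx.WindowsIdentity.Impersonate())
        {
            // While impersonating, GetCurrent() is the caller, and any
            // WCF call issued here goes out under the caller's token.
            impersonated = "thread=" + WindowsIdentity.GetCurrent().Name;
        }

        return pool + "; " + impersonated + "; " +
               HopDiagnostics.Describe("this tier", ctx.WindowsIdentity);
    }
}

public static class ProbeClient
{
    // Calls the probe on the next tier with an explicit SPN identity.
    // URL and SPN are placeholders for this example.
    public static string Run()
    {
        EndpointAddress address = HopDiagnostics.AddressWithSpn(
            "net.tcp://middle.example.com:8080/Probe", "HOST/middle.example.com");
        var factory = new ChannelFactory<IHopProbe>(HopDiagnostics.TcpWindowsBinding(), address);
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;
        IHopProbe proxy = factory.CreateChannel();
        try { string r = proxy.Probe(); factory.Close(); return r; }
        catch { factory.Abort(); throw; }
    }
}
```

Reading the probe output tier by tier tells you where the chain breaks: the first tier whose line shows auth=NTLM or level=Impersonation is the one whose SPN or "trusted for delegation" setting has to be fixed, and the Security log on that machine will show the matching logon event.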