Client Impersonation

  • Question

  • I am using .Net 4. I have a WCF app working with Self-Tracking Entities against a SQL db. The WCF is using wsHttpBinding.

    My client specifies a behavior

    	<behavior name="NewBehavior0">
    		<clientCredentials>
    			<windows allowedImpersonationLevel="Impersonation" />
    		</clientCredentials>
    	</behavior>

     The endpoint on my client has its behaviorConfiguration set to that behavior.


    My web.config has <identity impersonate="true"/> and the behavior has <serviceAuthorization impersonateCallerForAllOperations="true"/>

    The functions exposed through my web service are decorated with the tag [OperationBehavior(Impersonation = ImpersonationOption.Required)]

    using (ServiceSecurityContext.Current.WindowsIdentity.Impersonate())
    using (var entities = new MyEntities())
    {
    	// my code for loading entities
    }

     But, it never works.

    If I have anonymous access turned on, I get the exception: "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'."

    If I have anonymous access turned off, I get the exception:

    "The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'. "

    and an inner exception of "The remote server returned an error: (401) Unauthorized."

    I put in a hello world function:

    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string HelloWorld()
    {
    	return "Hello, " + WindowsIdentity.GetCurrent().Name + ".";
    }

     This returns "Hello, Domain\UserName."

    What is the deal?

    Friday, December 3, 2010 10:08 PM


All replies

  • Saturday, December 4, 2010 7:11 PM
  • I am trying to work with authentication. I have Windows Integrated Authentication turned on on my web service, and I am trying to get the client credentials to pass through the WCF service so I can leverage Windows Authentication on my SQL Server database.

    As for http://msdn.microsoft.com/en-us/library/ms751513.aspx, you can see above that I have c

    client.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation; 

    set in my config as

    	<behavior name="NewBehavior0">
    		<clientCredentials>
    			<windows allowedImpersonationLevel="Impersonation" />
    		</clientCredentials>
    	</behavior>

    and my functions exposed through my service have been decorated with the tag [OperationBehavior(Impersonation = ImpersonationOption.Required)]

    I didn't set

    Also, as I said before, I believe impersonation is working because I get the appropriate response from my HelloWorld function. My issue is the appropriate credentials are not getting passed to SQL Server when anonymous access is on, and the service calls don't work with anonymous access turned off.

    I have already gone through both of those articles before my original post. Do you think there is something I missed?

    Saturday, December 4, 2010 7:57 PM
  • Hello, have you configured the binding to use TransportCredentialOnly? Something like:

                <security mode="TransportCredentialOnly">
                  <transport clientCredentialType="Windows"/>
                </security>

    Also make sure you have set the Windows credential on the client side:

                clientProxy.ClientCredentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;



    Lante, shanaolanxing This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, December 6, 2010 7:10 AM
  • Does that work with wsHttpBinding?
    Monday, December 6, 2010 2:31 PM
  • Yes, it should work.
    Lante, shanaolanxing This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, December 7, 2010 12:57 AM
  • I get a run-time error with that configuration.

    In any case, I think it was already working from the beginning. My problem is not with impersonation working with WCF. My problem is getting the client credentials to work with entity framework and sql server. My sql server allows domain users, but my entity model was created using a different login.

    Tuesday, December 7, 2010 3:16 PM
  • Is the SQL Server database on the same machine as the WCF or not? If not, you may be running into a double hop issue. You can refer to http://blogs.msdn.com/b/securitytools/archive/2009/11/04/double-hop-windows-authentication-with-iis-hosted-wcf-service.aspx for a solution.
    Lante, shanaolanxing This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Yi-Lun Luo Friday, December 10, 2010 9:08 AM
    Wednesday, December 8, 2010 5:54 AM
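The following is an added example, not code posted by anyone in this thread. It puts the pieces discussed above (a wsHttpBinding carrying Windows credentials, `AllowedImpersonationLevel` on the client, `ImpersonateCallerForAllOperations` on the host) into code, and extends the HelloWorld idea into a diagnostic operation that reports not just the caller's name but the authentication type and token impersonation level, which is what decides whether the identity can make the second hop to a SQL Server on another machine. The contract and class names (`IDiagnosticsService`, `DiagnosticsService`, `WhoAmI`) and the endpoint address are assumptions.

```csharp
// Added example (not from the thread). Names such as IDiagnosticsService,
// DiagnosticsService, WhoAmI and the address passed in are assumptions.
using System;
using System.Net;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IDiagnosticsService
{
    [OperationContract]
    string WhoAmI();
}

public class DiagnosticsService : IDiagnosticsService
{
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoAmI()
    {
        // Identity WCF authenticated from the client's Windows credentials.
        WindowsIdentity caller = ServiceSecurityContext.Current != null
            ? ServiceSecurityContext.Current.WindowsIdentity
            : null;
        if (caller == null)
        {
            return "no Windows identity on the call (anonymous or non-Windows credential)";
        }

        // Identity the thread is running under after impersonation. This is the
        // identity an Entity Framework / SqlConnection with Integrated Security
        // presents to SQL Server.
        WindowsIdentity thread = WindowsIdentity.GetCurrent();

        // AuthenticationType is "Kerberos" or "NTLM". Only a Kerberos token at
        // TokenImpersonationLevel.Delegation can be forwarded to a remote SQL
        // Server; anything less shows up there as NT AUTHORITY\ANONYMOUS LOGON.
        return string.Format(
            "caller={0} auth={1} level={2}; thread={3} level={4}",
            caller.Name, caller.AuthenticationType, caller.ImpersonationLevel,
            thread.Name, thread.ImpersonationLevel);
    }
}

public static class WindowsAuthSetup
{
    // wsHttpBinding does not have a TransportCredentialOnly mode (that belongs
    // to basicHttpBinding); over plain HTTP, Message security with Windows
    // credentials is the wsHttpBinding equivalent. Transport mode would need HTTPS.
    private static WSHttpBinding CreateBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        return binding;
    }

    // Service side: mirrors <serviceAuthorization impersonateCallerForAllOperations="true"/>.
    public static ServiceHost CreateHost(string address)
    {
        var host = new ServiceHost(typeof(DiagnosticsService), new Uri(address));
        host.AddServiceEndpoint(typeof(IDiagnosticsService), CreateBinding(), string.Empty);
        host.Authorization.ImpersonateCallerForAllOperations = true;
        return host;
    }

    // Client side: mirrors <windows allowedImpersonationLevel="..."/> plus the
    // explicit DefaultNetworkCredentials assignment suggested in the thread.
    public static IDiagnosticsService CreateProxy(string address)
    {
        var factory = new ChannelFactory<IDiagnosticsService>(
            CreateBinding(), new EndpointAddress(address));
        factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;

        // Impersonation is enough when SQL Server runs on the service machine.
        // For a database on another box the client must allow Delegation, and
        // the service account must be trusted for delegation in Active Directory.
        factory.Credentials.Windows.AllowedImpersonationLevel =
            TokenImpersonationLevel.Impersonation;
        return factory.CreateChannel();
    }

    public static void Main()
    {
        // Assumed address; a real deployment would take this from config.
        const string address = "http://localhost:8080/diagnostics";
        using (ServiceHost host = CreateHost(address))
        {
            host.Open();
            IDiagnosticsService proxy = CreateProxy(address);
            Console.WriteLine(proxy.WhoAmI());
            ((IClientChannel)proxy).Close();
        }
    }
}
```

Reading the output: if `auth` is NTLM, or `level` on the service thread is anything below Delegation, the impersonated token cannot be forwarded off the box, so a connection to a SQL Server on another machine arrives as the anonymous logon even though `WindowsIdentity.GetCurrent().Name` on the service shows the right user. That is the double-hop situation referred to in the marked answer; when the database is local, Impersonation level is sufficient.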
  • It is not. I'll give your link a look.

    Wednesday, December 8, 2010 4:55 PM