impersonation in WCF

  • Question

  • I want to implement impersonation in WCF services. Earlier these services were called using remoting, and we used to use impersonation via <identity impersonate="true" userName="XXX/YYY" password="ZZZ" /> in both server and client (ASP.NET) and pass default credentials in the remoting proxy.

    Now all the remoting services have been moved to WCF, so I need to implement impersonation there. I should be able to turn impersonation on/off because some clients may or may not have it.

    Note: I am using AspNetCompatibilityRequirementsMode as Allowed

    Thanks


    Tuesday, November 4, 2014 9:29 AM

Answers

  • Hi,

    If your service needs to access remote/network resources, you can access the resources on behalf of the original caller or a fixed identity in the following ways:

    • Use Kerberos authentication and delegation. If you use Kerberos to authenticate your users, you can impersonate the original caller by using the techniques described under Impersonation Options below, and then use Kerberos delegation to gain access to network resources as follows: 
      • If your WCF service runs under the Network Service account, configure your computer account in Active Directory to be trusted for delegation.
      • If your application runs under a custom domain account, you must register a service principal name (SPN) in Active Directory to associate the domain account with the HTTP service on your WCF server. You then configure your domain account in Active Directory to be trusted for delegation.
    • Use protocol transition. With this approach, you use a non-Kerberos authentication mechanism, such as client certificates, to authenticate your users, and then use the new WindowsIdentity constructor to obtain a Windows token for the user on the server. Use this approach when you cannot use Kerberos authentication to authenticate your users. Keep in mind the following considerations:
      • If your WCF service runs under the Network Service account, configure your computer account in Active Directory to be trusted for delegation and protocol transition.
      • If your application runs under a custom domain account, you must register an SPN in Active Directory to associate the domain account with the HTTP service on your WCF server. You then configure your domain account in Active Directory to be trusted for delegation and protocol transition.
    • Call LogonUser and request an interactive logon session. An interactive logon session has network credentials that allow you to authenticate against network servers. Use this approach when you cannot use Kerberos authentication to authenticate your users, and when you cannot use protocol transition.

    For more information, you could refer to:

    http://msdn.microsoft.com/en-us/library/ff649252.aspx

    Regards

    Wednesday, November 5, 2014 9:11 AM
    Moderator
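One way to make impersonation switchable on a WCF service running in ASP.NET compatibility mode, as an added example that is not code from the thread: the operation declares ImpersonationOption.Allowed, a hypothetical appSettings switch "ImpersonateCaller" decides at run time, and the client's AllowedImpersonationLevel caps what the service may do with its token. The contract name, the switch name and the WSHttpBinding choice are assumptions.

```csharp
// Added example, not the thread's code. Assumes .NET Framework 4.x, a binding that uses Windows
// credentials, and a hypothetical appSettings switch "ImpersonateCaller" ("true"/"false").
using System;
using System.Configuration;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Activation;
[ServiceContract]
public interface IReportService { [OperationContract] string WhoAmI(); }
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
public class ReportService : IReportService
{
    // Allowed (not Required) lets one service accept callers that never granted an
    // impersonation-level token; the appSettings switch then decides at run time.
    [OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
    public string WhoAmI()
    {
        bool impersonate = string.Equals(ConfigurationManager.AppSettings["ImpersonateCaller"],
                                         "true", StringComparison.OrdinalIgnoreCase);
        ServiceSecurityContext sec = ServiceSecurityContext.Current;
        WindowsIdentity caller = (sec == null || sec.IsAnonymous) ? null : sec.WindowsIdentity;

        // Impersonate only when switched on AND the client sent a token that permits it;
        // otherwise keep running as the service account (no silent identity change).
        if (!impersonate || caller == null
            || caller.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
            return "service account: " + WindowsIdentity.GetCurrent().Name;

        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            // Resource access here (file shares, integrated-auth SQL) runs as the caller;
            // the thread reverts to the service account when the using block ends.
            return "impersonated: " + WindowsIdentity.GetCurrent().Name;
        }
    }
}

// Client side: the level it allows is the ceiling on what the service may do with the token.
public static class ReportClient
{
    public static string Call(string address, bool allowImpersonation)
    {
        var factory = new ChannelFactory<IReportService>(new WSHttpBinding(SecurityMode.Message), address);
        factory.Credentials.Windows.AllowedImpersonationLevel = allowImpersonation
            ? TokenImpersonationLevel.Impersonation   // Delegation only for the Kerberos multi-hop case
            : TokenImpersonationLevel.Identification; // service can see who called, not act as them
        return factory.CreateChannel().WhoAmI();
    }
}
```

Grant ServiceAuthorizationBehavior.ImpersonateCallerForAllOperations only if every operation is meant to run as the caller; the per-operation pattern above keeps the default as the service account.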