Impersonation problem

Question
Hi:
I have a WCF service that uses basic auth and calls a second WCF service using wsHttpBinding default settings. My client is a subclass of ClientBase<>.
using (OperationContext.Current.ServiceSecurityContext.WindowsIdentity.Impersonate())
{
    // runs with the caller's token on the current thread
    myclient.GetData("0");
}
After Impersonate() is called, I can see that WindowsIdentity.GetCurrent() has changed to the caller's identity, but myclient still uses the ApplicationPool's identity to talk to the second service.
Any ideas?
Thanks
Friday, July 6, 2012 6:49 AM
Answers
You are probably violating the 2-hop rule.
If a client sends credentials to a service on machine A which then impersonates the client, and then machine A calls a service on machine B, you will see that machine B does not receive any client credentials from the service on A even though when you debug your service you will see that the impersonation is working as intended.
By default, Active Directory domains do not allow computers to propagate credentials across the network. You need to grant permissions to machine A to delegate credentials. You will need to be a domain administrator to assign those privileges.
Evan
- Edited by Evan Machusak Saturday, July 7, 2012 12:59 PM
- Proposed as answer by webJose Saturday, July 7, 2012 3:32 PM
- Marked as answer by LeoTang Friday, July 13, 2012 9:52 AM
Saturday, July 7, 2012 12:58 PM
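As an added example (not code from this thread), here is a C# sketch of the first-hop service that checks what the caller's token is actually good for before attempting the second hop, and creates the downstream proxy inside the impersonation scope. The contract IDownstream, the proxy class DownstreamClient and the endpoint name "downstream" are assumptions.

```csharp
// Added example, not from the thread. IDownstream, DownstreamClient and the
// endpoint configuration name "downstream" are hypothetical.
using System;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IDownstream
{
    [OperationContract]
    string GetData(string id);
}

// Hypothetical proxy for the second service (wsHttpBinding, Windows credentials).
public class DownstreamClient : ClientBase<IDownstream>, IDownstream
{
    public DownstreamClient(string endpointConfigurationName)
        : base(endpointConfigurationName) { }

    public string GetData(string id) { return Channel.GetData(id); }
}

public class FirstHopService
{
    public string GetDataOnBehalfOfCaller(string id)
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;

        // The 2-hop rule as a check: a token at Identification or Impersonation
        // level is only usable on this machine. Reaching machine B as the caller
        // needs a Delegation-level token, which the domain only issues when the
        // first-hop account is trusted for delegation (and the original client
        // allows delegation on its own proxy). Failing here is better than
        // silently calling machine B as the app pool identity.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            throw new InvalidOperationException(
                "Caller token is at level " + caller.ImpersonationLevel +
                "; the downstream call cannot be made as the caller.");
        }

        using (caller.Impersonate())
        {
            // Build the proxy inside the impersonation scope. WCF acquires the
            // Windows (SSPI) credential when the channel opens, so a proxy created
            // before Impersonate() opens with the process identity instead.
            var client = new DownstreamClient("downstream");
            try
            {
                // Opt in to forwarding the delegated token; the client side does
                // not raise the level above its allowed value on its own.
                client.ClientCredentials.Windows.AllowedImpersonationLevel =
                    TokenImpersonationLevel.Delegation;

                string result = client.GetData(id);
                client.Close();
                return result;
            }
            catch
            {
                client.Abort();   // Close() on a faulted channel would throw again
                throw;
            }
        }
    }
}
```

The level check turns the symptom in the question (the second hop arriving as the app pool account) into an explicit error that is easy to log and alert on. When granting the delegation right that Evan describes, prefer constrained delegation to the specific downstream service over "trust this computer for delegation to any service", so that a compromise of machine A cannot reuse callers' tokens against arbitrary services.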
All replies
Because both of your services are running under the App Pool, the identity is overwritten by the App Pool user's credentials. In the second call it is not client to service, it is service to service, and your service is running under the context of the App Pool's user.
You need to set up the client credential type instead of impersonation.
http://msdn.microsoft.com/en-us/library/ms732391.aspx
Tanvir Huda Application Architect/Consultant http://thetechnocrate.wordpress.com/
Friday, July 6, 2012 6:57 AM
Hi Tanvir:
Did you mean that a WCF service cannot call another WCF service on behalf of the client if both WCF services are hosted in IIS?
Thanks
Saturday, July 7, 2012 3:40 AM
I support Evan's answer. This looks like Delegation to me. The Windows account running the first WCF service needs to be trusted for delegation in Active Directory for this to work.
Unless the two WCF services are on the same server? I don't know if in this case this is not considered Delegation. It probably is delegation too, I just don't remember dealing with this scenario before, so I am currently unsure.
Jose R. MCP
Saturday, July 7, 2012 3:32 PM