Impersonation in internet application scenario

  • Question

  • Hi,

    In Programming WCF services 3rd edition by Juval Lowy, he mentions this in Security chapter, Internet application scenario:

    "The main difference between an intranet application and an Internet application that both use Windows credentials is that with the latter the client cannot dictate the allowed impersonation level, and the host can impersonate at will. This is because WCF will assign TokenImpersonationLevel.Impersonation to the Windows identity of the security call context."

    On what parameters does this statement depend, or how can I simulate an Internet scenario to verify this in my local environment?

    Thanks!
    Sunday, October 5, 2014 1:45 PM
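
One way to check the quoted claim locally, as an added example that is not part of the original thread or of the book: a self-hosted C# console program that exposes the same service over an intranet-style binding (NetTcpBinding, transport security, Windows credentials) and an Internet-style binding (WSHttpBinding, message security, Windows credentials), calls each with the client's AllowedImpersonationLevel set to Identification, and reports the impersonation level of the token the service receives and whether the service can act as the caller against a local securable object. The addresses, ports and the probe file are assumptions chosen for this example.

```csharp
// Added example (not from the book or the thread): probe the impersonation level a WCF
// service receives under two bindings while the client only allows Identification.
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Channels;

[ServiceContract]
public interface IProbe
{
    [OperationContract]
    string Probe();
}

public class ProbeService : IProbe
{
    public string Probe()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        string level = caller.ImpersonationLevel.ToString();

        // Try to act as the caller against a local securable object. With an
        // Identification-level token Windows rejects the access check
        // (ERROR_BAD_IMPERSONATION_LEVEL); with an Impersonation-level token the
        // read succeeds. The probe file is an assumption; any readable local file works.
        string probeFile = Environment.ExpandEnvironmentVariables(@"%windir%\win.ini");
        try
        {
            using (WindowsImpersonationContext ctx = caller.Impersonate())
            {
                File.ReadAllText(probeFile);
            }
            return "token level " + level + ", impersonated access OK";
        }
        catch (Exception ex)
        {
            return "token level " + level + ", impersonated access failed: " + ex.GetType().Name;
        }
    }
}

public static class Program
{
    // Assumed addresses for the example.
    const string TcpAddress = "net.tcp://localhost:8731/probe";
    const string HttpAddress = "http://localhost:8732/probe";

    // Intranet scenario: Windows credentials at the transport level.
    static Binding IntranetBinding()
    {
        var b = new NetTcpBinding(SecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        return b;
    }

    // Internet scenario: Windows credentials carried in message security.
    static Binding InternetBinding()
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        return b;
    }

    static string Call(Binding binding, string address)
    {
        var factory = new ChannelFactory<IProbe>(binding, new EndpointAddress(address));
        // The client asks for Identification only: the service may learn who the caller
        // is, but should not be able to act as the caller.
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Identification;
        IProbe proxy = factory.CreateChannel();
        try { return proxy.Probe(); }
        finally
        {
            ((ICommunicationObject)proxy).Close();
            factory.Close();
        }
    }

    public static void Main()
    {
        using (var host = new ServiceHost(typeof(ProbeService)))
        {
            host.AddServiceEndpoint(typeof(IProbe), IntranetBinding(), TcpAddress);
            host.AddServiceEndpoint(typeof(IProbe), InternetBinding(), HttpAddress);
            host.Open();
            Console.WriteLine("intranet (net.tcp, transport): " + Call(IntranetBinding(), TcpAddress));
            Console.WriteLine("internet (ws-http, message):   " + Call(InternetBinding(), HttpAddress));
        }
    }
}
```

This targets the .NET Framework System.ServiceModel assembly; self-hosting the HTTP endpoint needs the URL reserved (netsh http add urlacl) or an elevated prompt, and both calls run under the account that starts the program. If the book's statement holds, the first line reports an Identification-level token with the impersonated read failing, and the second reports an Impersonation-level token with the read succeeding even though the client restricted the level; the point of the program is to let you observe that rather than take it on faith.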

All replies

  • Hi,

    For security in WCF, and for how intranet and Internet applications support the security aspects such as transfer security, you could refer to the link below:

    http://msdn.microsoft.com/en-us/library/orm-9780596521301-02-10.aspx

    Regards

    Tuesday, October 7, 2014 3:25 AM
    Moderator
  • Hi Shawn,

    I'm afraid that, if you read my query, I am actually quoting from the same book!

    I am expecting a precise answer to the question raised.

    Thanks!

    Deepak Agarwal.

    Wednesday, November 12, 2014 3:10 PM
    On what parameters does this statement depend, or how can I simulate an Internet scenario to verify this in my local environment?

    You are never going to be in a situation where you need to implement it. Therefore, you should just leave it alone. Your local environment is the intranet, so test whatever you are trying to do behind the protection of a router and the local area network. They are never going to let you do this on a hosting Web provider's Web server.

    And if you expose your machine running IIS, then you are doing nothing but exposing a machine on the public Internet that is hack-bait; the machine would be used as a jumping-off point for a hacker to attack networks, leaving you holding the bag as law enforcement knocks on your front door.

    Thursday, November 13, 2014 5:17 AM
    OK. Thanks. This essentially means that in Internet scenarios, services can impersonate the client to access resources at will, ignoring any restriction defined on the client side. I just have to accept it, with no way of trying it out and seeing it in action myself.

    Thursday, November 13, 2014 5:50 AM
    OK. Thanks. This essentially means that in Internet scenarios, services can impersonate the client to access resources at will, ignoring any restriction defined on the client side. I just have to accept it, with no way of trying it out and seeing it in action myself.

    No, that's not how it works. If the service is facing the public Internet, then the client had better know the user-id and password to log in to the WCF Web service and use it, which is most likely going to be in an HTTPS communication session between the WCF client and the WCF service to protect the transmission of sensitive data, like the user-id and password.

    99.9 percent of the time, a client is using anonymous login on a front-end Web server, accessing solutions on the UI front-end Web server facing the public Internet. The front-end application can be a WCF client to a WCF Web service or non-Web service on a back-end server machine that's on the protected LAN behind a network firewall. The WCF service is going to be using specific user credentials known on the protected LAN on behalf of the anonymous user using a Web application on the front-end Web server.

    Thursday, November 13, 2014 2:59 PM