Impersonation in ADO.Net Data Services in Framework 3.5sp1

  • Question

  • I need to be able to impersonate the user when ADO.Net Data Services connects to the database.  I have set up the site in IIS 6 to only allow Integrated Security, and I've put the following in the web.config

     <authentication mode="Windows" />
     <identity impersonate="true" />

    Right now IIS is running on the same server as SQL, but when I move this to production they will not be the same server, so I'll need to do delegation for the double hop.  I already have that piece working for a handful of straight WCF services running in both the Dev and Production IIS, I just can't seem to get this one service to play.  I've tried a number of things scrounged from the web for an answer but I still only connect to the database as 'Network Service'.  I need to impersonate the user so that the audit features of the database keep working (created by and last updated by won't be very meaningful when it's always 'Network Service'...)

    Any help anyone can give me would be much appreciated.
    Thursday, January 21, 2010 9:20 PM

All replies

  • Hello Jeremy,

    Welcome to the WCF Data Services forum!

    For ADO.NET Data Services impersonation, this blog article is very helpful: http://developers.de/blogs/damir_dobric/archive/2009/12/23/using-of-impersonation-with-dataservices.aspx.  Also, here are two related articles about WCF impersonation for your reference:

    http://developers.de/blogs/damir_dobric/archive/2007/10/14/user-impersonation-in-wcf.aspx

    http://developers.de/blogs/damir_dobric/archive/2009/05/15/impersonation-and-reverting-of-identity.aspx

    Are these helpful to solve the problem?  If you need any further assistance, please feel free to let me know.

    Have a nice day!

    Best Regards,
    Lingzhi Sun


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.

    Monday, January 25, 2010 1:38 AM
    Moderator
  • Hello Jeremy,

    How is the problem?

    If you need further assistance, please feel free to let me know.  I will be more than happy to be of assistance.

    Have a nice day!

    Best Regards,
    Lingzhi Sun



    Wednesday, January 27, 2010 12:53 AM
    Moderator
  • Sorry for the slow response, I was on-site doing the go-live for this project last week.

    I had actually come across those blogs before posting here, and I can see from those how to impersonate in a WCF method, and in an ADO.Net Dataservice method, but I don't see how to use impersonation for an ADO.Net Dataservice query.  Am I missing something in the blogs?

    If I'm attempting a simple query like:

    What do I need to change in my Web.Config and/or my .svc file to force impersonation?
    Monday, February 1, 2010 8:01 PM
  • Hello Jeremy,

    I think this link is for the impersonation in ADO.NET Data Services: http://developers.de/blogs/damir_dobric/archive/2009/12/23/using-of-impersonation-with-dataservices.aspx.  Is it helpful in your scenario?

    Have a nice day!

    Best Regards,
    Lingzhi Sun



    Tuesday, February 2, 2010 8:33 AM
    Moderator
  • The article is just shy of what I'm looking for.  I'm using a LINQ query to get from the server, so if I do a nice simple query like this:

    Uri PASvcUri = new Uri(Properties.Settings.Default.PASvcURI);
    PolicyAdminSvc.PolicyAdminEntities paSVC = new PolicyAdminSvc.PolicyAdminEntities(PASvcUri);

    paSVC.Credentials = System.Net.CredentialCache.DefaultCredentials;

    var pbl = from PolicyAdminSvc.PolicyPayment pb
              in paSVC.PolicyPaymentList
              where pb.PolicyID == this.PolicyID
              select pb;

    I'd like the call to the database to be made as the user.  Like I said, I had this working when IIS and SQL were on the same server, but it's not working when they are on separate servers.  So I have impersonation working, but not delegation for ADO.Net DataService.  I also have a separate WCF Service on the same IIS server pointing at the same SQL server which is working with delegation.

    The article does show how to use impersonation with ADO.Net Dataservice, and how to require delegation for a WCF service (a WCF method hosted in the same service as the ADO.Net Dataservices).  But I'm not seeing anything about delegation with ADO.Net Dataservices anywhere.  Is it not supported?
    Tuesday, February 2, 2010 10:12 PM
  • Hi Jeremy,

    Oh, I see.  I will consult the product team to check whether the LINQ query impersonation is supported in ADO.NET Data Services.  If I receive any messages, I will get back to you as soon as I can.

    Thanks a lot!

    Best Regards,
    Lingzhi Sun



    Wednesday, February 3, 2010 8:59 AM
    Moderator
  • Hi Jeremy,
    What you are running into is a case of user credentials not being persisted across hops between the IIS machine and the SQL Server.
    We have some other threads which discuss the same issue:

    http://social.msdn.microsoft.com/Forums/en-US/adodotnetdataservices/thread/d343d4cf-d4b8-4156-83ed-db6b61627239

    To save you the time of wading through that thread, here are the important replies:

    "Take a look at this article for details about the authentication procedure that IIS follows:

    http://support.microsoft.com/kb/264921

    and this article talks about how to troubleshoot issues with Kerberos Authentication.

    http://support.microsoft.com/kb/326985

    DelegConfig is a great tool that helps accurately diagnose Kerberos Authentication failures; you can download it from here:

    http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1434"

    Hope this helps.

    Phani Raj Astoria http://blogs.msdn.com/PhaniRaj
    Thursday, February 4, 2010 6:46 PM
    Moderator
  • I don't think it's a double hop issue.

    I have 2 services running on this IIS server.  One is a traditional WCF service, the other is an ADO.Net Dataservice.  Both services are in the same project, and as a result are in the same physical folder on the IIS server.  In IIS they are in 2 separate virtual folders because the traditional WCF service requires anonymous authentication and the ADO.Net Dataservice allows only one authentication type, which I've selected as Windows.  Both services are using the same app pool, which logs in as Network Service.  Both services are connecting to the same database server and database.

    In my web.config I have the following in the system.web section:
        <authentication mode="Windows" />
        <identity impersonate="true" />
    The IIS server has been enabled for Delegation in Active Directory for all services.

    Calls to the database from the traditional WCF service impersonate properly and connect as 'Domain\UserName'.  Calls to the database through the ADO.Net Dataservice connect to the database as 'Domain\ServerName$' (which in this case does have permissions to the database).

    Looking in the security event log on the IIS server I can see that I am successfully authenticated through Kerberos Authentication during calls to both services.

    In the endpointBehaviors section I configure the traditional WCF service to use delegation with the following:
            <behavior name="clientEndpointCredential">
              <clientCredentials>
                <windows allowedImpersonationLevel="Delegation" />
              </clientCredentials>
            </behavior>

    There must be something similar for the ADO.Net Dataservice since impersonation is working fine in the ADO.Net Dataservice, and Delegation is working fine in the traditional WCF.
    Monday, February 15, 2010 5:09 PM
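An added diagnostic for the situation described in the post above (example code, not from the thread, the poster's project, or Microsoft): a query interceptor inside the DataService<T> that records which Windows identity the query thread is actually running under, and whether that token is merely impersonation-level or delegable to a SQL Server on another machine. It assumes the PolicyAdminEntities container, PolicyPaymentList entity set and PolicyPayment entity type implied by the client-side LINQ query earlier in the thread, and that the service is hosted with ASP.NET compatibility enabled so that HttpContext.Current is populated.

```csharp
using System;
using System.Data.Services;
using System.Diagnostics;
using System.Linq.Expressions;
using System.Security.Principal;
using System.Web;

// PolicyAdminEntities, PolicyPaymentList and PolicyPayment are assumed from the
// thread's client-side query; adjust them to the real server-side model.
public class PolicyAdminService : DataService<PolicyAdminEntities>
{
    public static void InitializeService(IDataServiceConfiguration config)
    {
        config.SetEntitySetAccessRule("PolicyPaymentList", EntitySetRights.AllRead);
    }

    // Runs on the server for every query against PolicyPaymentList, i.e. at the
    // point where the LINQ query from the thread executes and SQL is contacted.
    [QueryInterceptor("PolicyPaymentList")]
    public Expression<Func<PolicyPayment, bool>> OnQueryPolicyPaymentList()
    {
        // The user IIS/ASP.NET authenticated for this HTTP request (Windows auth).
        string requestUser = (HttpContext.Current != null && HttpContext.Current.User != null)
            ? HttpContext.Current.User.Identity.Name
            : "(no HttpContext)";
        // The token the current thread really runs under. With
        // <identity impersonate="true" /> it should be the caller, not the app pool.
        WindowsIdentity threadIdentity = WindowsIdentity.GetCurrent();
        Trace.TraceInformation("OData query: request user={0}; thread identity={1}; token level={2}",
            requestUser, threadIdentity.Name, threadIdentity.ImpersonationLevel);

        if (!string.Equals(requestUser, threadIdentity.Name, StringComparison.OrdinalIgnoreCase))
        {
            // Matches the symptom in the thread: SQL Server logs the machine account
            // (Domain\ServerName$) because the process identity made the connection.
            Trace.TraceWarning("Query thread is not impersonating the caller; SQL Server will see the process identity.");
        }
        else if (threadIdentity.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            // Impersonation works on the web server, but this token cannot be
            // forwarded to a SQL Server on another machine (the double hop).
            Trace.TraceWarning("Caller token level is {0}, not Delegation; the hop to a remote SQL Server will fail.",
                threadIdentity.ImpersonationLevel);
        }
        return pb => true; // diagnostics only, no filtering
    }
}
```

If the trace shows the app pool identity while the plain WCF service on the same box shows the user, the data service is not impersonating at query time at all and no amount of delegation setup will change what SQL Server sees; if it shows the user with an Impersonation-level token, the Kerberos delegation configuration is what needs attention.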
  • Hi Jeremy,

    I am consulting Phani and the other product team members to see whether they have some ideas on this problem.  Thank you for your patience.

    Best Regards,
    Lingzhi Sun



    Thursday, February 25, 2010 6:42 AM
    Moderator
  • Any ideas?  Using delegation doesn't seem like it should be this hard.
    Monday, March 15, 2010 3:10 PM
  • It's been two months since I first reported this issue, and almost a full month since I last got a response from Microsoft.  Is it possible to use delegation with ADO.Net Dataservices, or is this something that is not supported?
    Monday, March 22, 2010 12:00 PM
  • Hi Jeremy,

    I don't think it is supported in the current version of ADO.NET Data Services.

    -Pam

    Thursday, March 25, 2010 9:49 AM
  • That's my conclusion as well, though I'm inclined to think it's not supported in the next version either or I might have gotten a response indicating that.

    I've started migrating away from ADO.Net Data Services back to old fashioned WCF.  It was a fun experiment, I just wish I had found the show stopper before we spent 6 months developing on it.  

    Thursday, March 25, 2010 1:27 PM
  • Hi Jeremy,

    Based on my research, such an impersonation is not supported in WCF Data Services in VS2010.  Do you think so?

    -Pam

    Monday, March 29, 2010 6:59 AM
  • I would think if it were going to be supported in the next version I would have gotten a response from MS stating that it wasn't supported in this version but is in the next.  So I would guess no.

    Monday, March 29, 2010 7:28 PM
  • I'm encountering the same thing.  Are there any updates from MSFT on this?
    Monday, August 9, 2010 5:34 PM
  • I have the same problem in VS2010/.NET 4.0 - I can't get my DataService<T> to impersonate the caller. I get this as soon as the service host is opened:

    The service operation 'ProcessRequestForMessage' that belongs to the contract with the 'IRequestHandler' name and the 'http://tempuri.org/' namespace does not allow impersonation.

    Any more news on this? We've based our whole services development on the ability to impersonate, and while it's working fine for "regular" WCF services (where we can simply apply an OperationBehavior), our OData service is dead in the water.

    Tuesday, July 31, 2012 2:43 PM