Impersonation over WCF on Workgroup machines

  • Question

  • We have an ASP.NET web application running in IIS that is a WCF client to a Windows service on a remote machine, also running as a local user. The client works, but I am unable to impersonate the user on the Windows service. The identity is the account the service is running as, not the user on the browser. All usernames and passwords are the same on both machines.

    I understand the double hop problem, and I can accomplish this on two domain machines (and works as expected), but I have a requirement to do this on workgroup machines. Is it possible somehow to have the service impersonate the end user in this situation?

    Here is the client configuration
      <system.serviceModel>
        <bindings>
          <netTcpBinding>
            <binding name="netTcpBinding_ViewServices">
              <readerQuotas maxDepth="32" maxStringContentLength="500000" maxArrayLength="100000000" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
              <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
              <security mode="Transport">
                <transport clientCredentialType="Windows"  />
                <message clientCredentialType="Windows" />
              </security>  
            </binding>
          </netTcpBinding>
        </bindings>
        <client>
          <endpoint address="net.tcp://webserver2:1223/sample/view" binding="netTcpBinding" bindingConfiguration="netTcpBinding_ViewServices" contract="SharedLibrary.ISampleViewServices" name="netTcpBinding_ViewServices">
          </endpoint>
        </client>
      </system.serviceModel>

    Here is the service configuration

       <system.serviceModel>
        <bindings>
          <netTcpBinding>        
            <binding name="netTcpBinding_ViewServices" maxReceivedMessageSize="500000">
              <security mode="Transport">
                <transport clientCredentialType="Windows" />
                <message clientCredentialType="Windows" />
              </security>
            </binding>
          </netTcpBinding>
        </bindings>
        <services>
          <service behaviorConfiguration="default" name="SampleService.Channels.Core">
            <endpoint behaviorConfiguration="ViewServicesBehavior" address="view" bindingConfiguration="netTcpBinding_ViewServices" binding="netTcpBinding" contract="SharedLibrary.ISampleViewServices" bindingNamespace="http://www.example.com" >
            </endpoint>
            <host>
              <baseAddresses>
                <add baseAddress="net.tcp://webserver2:1223/sample/" />
              </baseAddresses>
            </host>
          </service>
        </services>
        <behaviors>
          <serviceBehaviors>
            <behavior name="default">
              <serviceMetadata httpGetEnabled="true" />
              <serviceDebug includeExceptionDetailInFaults="true" />
            </behavior>
          </serviceBehaviors>
          <endpointBehaviors>
            <behavior name="ViewServicesBehavior">
              <dataContractSerializer maxItemsInObjectGraph="2147483647" />
            </behavior>
          </endpointBehaviors>
        </behaviors>
        <client></client>
      </system.serviceModel>    

    Thanks in advance.

    Thursday, June 1, 2017 8:05 PM

All replies

  • Hi steinj1945,

    To be honest, I did not find any document which could tell us whether impersonation is supported or not on workgroup machines. All the documents describe impersonation under a domain.

    I suggest you make a test to help decide whether it is supported.

    Windows security is supported under a workgroup. I suggest you make a test with Windows security without impersonation. Will it work?

    If it works with Windows security but fails when you enable impersonation, I assume it is not supported.


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Friday, June 2, 2017 6:01 AM
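One way to run the test suggested in the reply above, as an added example that is not part of the original thread: a self-hosted diagnostic service with one operation that does not impersonate and one that requires it, each reporting the authenticated caller and the identity the code actually runs under. The contract `IWhoAmI`, the class `WhoAmI` and the `localhost` address are hypothetical; client and service share one process here for brevity, so for the workgroup case host the service on the remote machine and point the client at it.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IWhoAmI   // hypothetical diagnostic contract
{
    [OperationContract] string Plain();
    [OperationContract] string Impersonated();
}

public class WhoAmI : IWhoAmI
{
    static string Report(string label)
    {
        // caller = identity WCF authenticated on the transport;
        // thread = token the operation code is actually running under.
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        WindowsIdentity thread = WindowsIdentity.GetCurrent();
        return string.Format("{0}: caller={1} auth={2} level={3} thread={4}",
            label, caller.Name, caller.AuthenticationType, caller.ImpersonationLevel, thread.Name);
    }

    public string Plain() { return Report("no impersonation"); }

    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string Impersonated() { return Report("impersonation required"); }
}

public static class Program
{
    public static void Main()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        var address = "net.tcp://localhost:1223/whoami"; // constructed address

        using (var host = new ServiceHost(typeof(WhoAmI)))
        {
            host.AddServiceEndpoint(typeof(IWhoAmI), binding, address);
            host.Open();
            var factory = new ChannelFactory<IWhoAmI>(binding, new EndpointAddress(address));
            // Default is Identification: the service can identify the caller
            // but cannot access resources as the caller.
            factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
            IWhoAmI proxy = factory.CreateChannel();
            Console.WriteLine(proxy.Plain());
            Console.WriteLine(proxy.Impersonated());
            factory.Close();
        }
    }
}
```

Compare `caller=` and `thread=` across the two lines: if `thread=` still shows the service account in the second call, or `caller=` is the web application's process account rather than the browser user, the end user's identity is not reaching the service.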
  • Hi Edward Z,

    Thanks for the response. I have a sample with impersonation that does not work in workgroup scenarios, but does in domain environments. The sample does use Windows security and works as expected in that regard. I suspected the same in that it may not be possible to impersonate in my situation without some custom code.

    Thanks for your time.
    Friday, June 2, 2017 2:00 PM
  • >> I suspected the same in that it may not be possible to impersonate in my situation without some custom code

    I agree with you. I suggest you try the code in the thread below to check whether it could meet your requirement.

    GetDirectories - Attempted to perform an unauthorized operation: https://social.msdn.microsoft.com/Forums/vstudio/en-US/f3cb7279-3f1e-4bf1-a732-32b4bc54e9db/getdirectories-attempted-to-perform-an-unauthorized-operation?forum=wcf

    Best Regards,

    Edward



    Monday, June 5, 2017 2:06 AM