WCF Passing client credentials from website to WCF Service hosted on another server

  • Question

  • Hi,

    Currently I have some issues with a website and a WCF service which are hosted on different servers. Our goal was, on the website, to get the authenticated user, which is no problem, and then to pass those credentials on to the WCF service hosted on another server so that it could do an AD lookup to see if that user has access to an AD group. I guess our aim was that this way anybody wanting to print barcodes would be able to re-use the service as long as they provided the standard Windows-authenticated user credentials in their app.

    So the question is: how can I configure the WCF client/server so that we can pass the authenticated user credentials to the 2nd server so that it can verify their AD group membership? Initially it failed because delegation was not set up, but that was fixed and now that is working; however we want to turn off Windows impersonation, we just want to be able to set the credentials of the current user.

    This is the current web.config section for the Service we are hosting

        <basicHttpBinding>
          <binding name="BasicHttpEndpointBinding">
            <security mode="TransportCredentialOnly">
              <transport clientCredentialType="Windows" />
            </security>
          </binding>
        </basicHttpBinding>

    For the client it is set as follows

        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Windows" />
          <message clientCredentialType="UserName" algorithmSuite="Default" />
        </security>


    So is there something I need to do in code to pass on those Credentials at the time I make the call to the service ?


    With Windows impersonation turned on it works OK, but we have been told they don't want to leave that on. I mean, I could use some impersonation code, but that just seems wrong; I thought this could be done with WCF configuration, I'm just not sure what needs to be done and where?


    thanks

    Michael

    Tuesday, August 16, 2011 3:14 AM

Answers

  • To impersonate the client before calling on the channel, you will use imperative impersonation, as it is demonstrated in the article (calling the Impersonate method).

    The w3wp worker process will still run under the network service identity, but the current thread will assume the identity of the user, just for the period of the service call. After you receive the response, you will revert to the NetworkService identity.


    Please mark posts as answers/helpful if it answers your question.
    Senior Consultant on WCF, ASP.NET, Silverlight, and Entity Framework. Author of Microsoft's Official WCF 4 Course. Co-author of the Microsoft HPC/Azure burst whitepaper.
    Visit my blog: http://blogs.microsoft.co.il/blogs/idof
    • Marked as answer by Yi-Lun Luo Monday, August 22, 2011 9:08 AM
    Thursday, August 18, 2011 2:26 PM
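The pattern the answer describes, written out as an added example (this is not code from the thread or from the linked MSDN article): the web application keeps `<identity impersonate="false" />` and runs as Network Service, and the calling thread impersonates the authenticated user only for the duration of the WCF call. `IBarcodeService`, `PrintBarcode` and the endpoint name `"BasicHttpEndpoint"` are assumed names; the caller's endpoint configuration is expected to be the TransportCredentialOnly/Windows binding shown in the question.

```csharp
// Added example: website-side call with per-call imperative impersonation.
// Assumed names: IBarcodeService, PrintBarcode, endpoint "BasicHttpEndpoint".
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.Web;

[ServiceContract]
public interface IBarcodeService
{
    [OperationContract]
    void PrintBarcode(string barcodeText);
}

public static class BarcodeClient
{
    public static void PrintAsCurrentUser(string barcodeText)
    {
        // With Windows authentication enabled the request identity is a WindowsIdentity
        // even though the application itself is not impersonating (the worker process
        // and the current thread are still Network Service at this point).
        var caller = HttpContext.Current.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new InvalidOperationException("Request is not Windows-authenticated.");

        // An identification-level token can be inspected but not used to authenticate to
        // another server; delegation level additionally needs Kerberos delegation configured
        // for the web server, which the question says operations has set up.
        if (caller.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
            throw new InvalidOperationException(
                "Caller token level is " + caller.ImpersonationLevel + "; cannot forward credentials.");

        var factory = new ChannelFactory<IBarcodeService>("BasicHttpEndpoint");
        // Least privilege: offer the remote service no more than it needs for an AD group check.
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;

        // Imperative impersonation: only this thread, only inside the using block. Disposing the
        // WindowsImpersonationContext reverts to Network Service even if the call throws.
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            IBarcodeService proxy = factory.CreateChannel();
            try
            {
                proxy.PrintBarcode(barcodeText);
                ((IClientChannel)proxy).Close();
            }
            catch
            {
                ((IClientChannel)proxy).Abort();
                throw;
            }
        }

        factory.Close();
    }
}
```

Creating the channel inside the impersonation scope matters: the Windows transport credential is taken from the thread identity at the time the channel is opened, so a factory or channel opened outside the scope would authenticate to the service as Network Service rather than as the user.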

All replies

  • From MSDN:

    To delegate to a back-end service, a service must perform Kerberos multi-leg (SSPI without NTLM fallback) or Kerberos direct authentication to the back-end service using the client’s Windows identity. To delegate to a back-end service, create a ChannelFactory and a channel, and then communicate through the channel while impersonating the client.

    http://msdn.microsoft.com/en-us/library/ms730088.aspx

    As far as I know, there's no option to delegate without first impersonating.

     

    As for the impersonation, you can impersonate the client only when calling the other service, and return to your original identity afterwards.

    See the link above for the imperative impersonation model.


    • Proposed as answer by Cecil du Toit Tuesday, August 16, 2011 9:55 AM
    Tuesday, August 16, 2011 6:50 AM
  • Thanks for the response Ido, I have read through that article and for the most part I think I get what is going on. I know we have the delegation working because I have been told by operations it now works, BUT my issue now is that I have been told they don't want to let us use impersonation on the web app, e.g. <identity impersonate='false' />, so the web app is going to be running as Network Service. I will still have the client credentials because we are using Windows authentication. What are my options for getting those credentials to the service? So the bit I am struggling with is your last sentence: "To delegate to a back-end service, create a ChannelFactory and a channel, and then communicate through the channel while impersonating the client."

    "While impersonating the client": does this mean run some code while using standard impersonation techniques? Or is there a mechanism to do this through WCF configuration? Or have I missed something in the linked article?

    Thursday, August 18, 2011 12:09 AM
  • Hi Ido,

    Thanks for your replies. I have been working on something else, but have come back to this problem, and yes, all seems to be working well. I am able to impersonate the user from the website and get the correct credentials, so I thought I had everything working. The only issue I seem to have now is that we do one last check to see if the person belongs to an AD group. I am running the WCF service in ASP.NET compatibility mode and have set the service to allow this, so I am able to get the current user from the HttpContext; however I seem to be getting unauthorised access when I perform the User.IsInRole passing in the AD group name. I have tried both Network Service and also running as a domain service account, but don't seem to be able to perform the role check. Is there anything simple I am missing to get this working? Otherwise I will keep plugging away.

    I only get the following error, "Attempted to perform an unauthorised operation", and in the service security context I only get back the SIDs, I don't get the actual group names.

    I know this is not related to the original issue, just thought you might know. I am also talking to our IT guys here as well.

    Thank you very much though for your previous responses, really helped me!

    thanks
    Michael

    • Edited by Michael D Pine Friday, August 26, 2011 5:57 AM Provide additional information
    Friday, August 26, 2011 5:48 AM
  • Are you able to use the IsInRole when you are in the asp.net application?

    Have you tried checking with your IT that the domain user you used has permissions to query the AD?


    Sunday, August 28, 2011 4:35 AM
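An added example of the service-side check Michael describes (not code from the thread): the caller's identity is read from ServiceSecurityContext (with ASP.NET compatibility mode, HttpContext.Current.User yields the same identity), membership is tested with WindowsPrincipal.IsInRole, and the group SIDs are translated to names for diagnostics. The group SID `S-1-5-21-0-0-0-1001` is a placeholder, not a real group. It also shows the SID-based overload of IsInRole, which is a small generalisation of the thread's name-based check: comparing against a SID does not require the service account to resolve a group name against the domain on every call.

```csharp
// Added example: AD group check inside the WCF service, by SID and by name.
// Placeholder SID below; replace with the real group's SID at deployment.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.ServiceModel;

public static class GroupCheck
{
    // Placeholder for the "barcode printers" group SID (constructed value).
    static readonly SecurityIdentifier PrintersGroupSid =
        new SecurityIdentifier("S-1-5-21-0-0-0-1001");

    // Returns the authenticated Windows caller, or null when the call was not Windows-authenticated.
    static WindowsIdentity CurrentCaller()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous) return null;
        WindowsIdentity id = ctx.WindowsIdentity;
        return (id == null || id.IsAnonymous || !id.IsAuthenticated) ? null : id;
    }

    // Membership check that works from the group SIDs already present in the caller's token,
    // so no name lookup is needed. Any failure to query the token is treated as "denied".
    public static bool CallerMayPrint()
    {
        WindowsIdentity caller = CurrentCaller();
        if (caller == null) return false;
        try
        {
            return new WindowsPrincipal(caller).IsInRole(PrintersGroupSid);
        }
        catch (UnauthorizedAccessException)
        {
            return false;
        }
    }

    // The name-based check from the thread. IsInRole(string) first resolves "DOMAIN\Group" to a SID,
    // which requires the service account to be able to query the domain; that is the step the
    // reply suggests verifying with IT.
    public static bool CallerIsInGroup(string domainQualifiedGroupName)
    {
        WindowsIdentity caller = CurrentCaller();
        if (caller == null) return false;
        try
        {
            return new WindowsPrincipal(caller).IsInRole(domainQualifiedGroupName);
        }
        catch (SystemException ex) when (ex is UnauthorizedAccessException || ex is IdentityNotMappedException)
        {
            return false;
        }
    }

    // Diagnostics for the "I only get back SIDs" symptom: each group SID is translated to an
    // NT account name, which again needs domain access; unresolvable SIDs are reported as such.
    public static IList<string> DescribeCallerGroups()
    {
        var names = new List<string>();
        WindowsIdentity caller = CurrentCaller();
        if (caller == null) return names;
        foreach (IdentityReference sid in caller.Groups)
        {
            try
            {
                names.Add(sid.Translate(typeof(NTAccount)).Value);
            }
            catch (IdentityNotMappedException)
            {
                names.Add(sid.Value + " (unresolved)");
            }
            catch (SystemException)
            {
                names.Add(sid.Value + " (lookup failed)");
            }
        }
        return names;
    }
}
```

Because the check only reads the caller's token, the service operation itself does not need to impersonate; leaving `ImpersonationOption.NotAllowed` on the operation keeps the service running under its own account while still enforcing the group membership of the user who called it.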
  • Yeah, I was pretty sure I asked that, but will check with them when I am back in there on Wednesday :)
    I believe one of the key features of the service accounts is to query AD, but you never know, it might have been forgotten, so I will double check that. Pretty sure from memory (because I am not at that client until Wednesday) that I had the same issue with IsInRole... i.e. it would return false :(

    But that is ok, thanks for all your help on this thread, will consider this thread answered.


    regards
    Michael

    Monday, August 29, 2011 9:24 AM
  • Hi Michael,

    Could you please provide the steps / code that resolved your issue? I am also facing the same issue. Probably it would help me.

    Thanks,

    Meeram


    meeram395

    Friday, December 14, 2012 2:44 AM