How can i get the WindowsIdentity or WindowsPrincipal of a WCF Claim / SecurityIdentifier (SID)?

Question

I'm trying to allow all users in the Administrators group access through WCF.

internal sealed class AuthorizationManager : ServiceAuthorizationManager
{
    public override bool CheckAccess(OperationContext operationContext)
    {
        base.CheckAccess(operationContext);

        ReadOnlyCollection<ClaimSet> claimSets = operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets;
        ClaimSet claimSet = claimSets[0];

        foreach (var claim in claimSet.FindClaims(ClaimTypes.Sid, Rights.Identity))
        {
            SecurityIdentifier sid = (SecurityIdentifier)claim.Resource;
            NTAccount ntAccount = (NTAccount)sid.Translate(typeof(NTAccount));

            //This line throws an error.  How can i convert a SecurityIdentifier to a WindowsIdentity?
            WindowsIdentity user = new WindowsIdentity(ntAccount.Value);

            WindowsPrincipal principal = new WindowsPrincipal(user);
            return principal.IsInRole(WindowsBuiltInRole.Administrator);
        }
    }
}

score 3 · Answer 1 · answered Jun 24 '09 at 21:06

You have to authenticate. You have an identifier that identifies an account, it's isomorphic with an account name i.e. SID: S-1-5-domain-500 <=> DOMAIN\Administrator. A WindowsIdentity is a user that has been authenticated.

That said, I think the user you're trying to get has already been authenticated and is providing a claim of his/her account identity (SID).

score 1 · Answer 2 · answered Jun 26 '09 at 13:10

JP is correct. The claims provided include the SID of all user groups the user is a member of. Here is our solution.

internal sealed class AuthorizationManager : ServiceAuthorizationManager
{
    public override bool CheckAccess(OperationContext operationContext)
    {
        base.CheckAccess(operationContext);

        ReadOnlyCollection<ClaimSet> claimSets = operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets;
        ClaimSet claimSet = claimSets[0];

            //is this a member of the local admins group
            SecurityIdentifier adminsSid = new SecurityIdentifier("S-1-5-32-544");
            foreach (var claim in claimSet.FindClaims(ClaimTypes.Sid, Rights.PossessProperty))
            {
                if (adminsSid.Equals(claim.Resource))
                {
                    return true;
                }
            }
    }
}

score 0 · Answer 3 · answered Aug 08 '18 at 08:34

We are using a code we found here to create a WindowsIdentity based on the login name. With a minor modification you can create a similar method that returns a WindowsIdentity based on the SID:

public static WindowsIdentity GetWindowsIdentityBySid(string sid)
{
    using (var user =
        UserPrincipal.FindByIdentity(
        UserPrincipal.Current.Context,
        IdentityType.Sid,
        sid
        ))
    {
        return user == null
            ? null
            : new WindowsIdentity(user.UserPrincipalName);
    }
}

How can i get the WindowsIdentity or WindowsPrincipal of a WCF Claim / SecurityIdentifier (SID)?

3 Answers3