
I've looked through the examples for impersonation but I'm still having issues.

Some details of the structure:

ASP.NET: Windows authentication
WCF: hosted in IIS, currently working with anonymous users allowed

What I want to achieve is to allow the authenticated Windows login to be passed to the WCF service for access control, like blocking anonymous users from trying to call the service.

When using the ASP.NET application, if the computer is logged in as administrator but that login fails at Active Directory, as it is not a defined user in the AD, a popup from the browser will prompt for the user ID and password.

When prompted, the user will then enter the correct user ID and password corresponding to the AD. Hence, the login passes.
But when I pass the Windows authentication credential to WCF using WCF's impersonate, it shows me as administrator instead of the ASP.NET authenticated user information.

What should I do to get the correct ASP.NET authenticated user information instead of the account the user logged in to Windows with?

C_Rance

1 Answer


In your ASP.Net application you have to set <identity impersonate="true"/> in your web.config.

Then you would have to add impersonation to your call to the WCF service with something like this inside the ASP.Net app:

using System.Net;
using System.Security.Principal;
using System.Web;

// Run the call under the Windows identity ASP.NET authenticated, not the app-pool account
using (((WindowsIdentity)HttpContext.Current.User.Identity).Impersonate())
{
    WebClient client = new WebClient
    {
        // While impersonation is active these are the impersonated user's credentials
        Credentials = CredentialCache.DefaultNetworkCredentials
    };
    string result = client.DownloadString("http://someserver");
}

Also check out patterns & practices: WCF Security Guidance for a step by step tutorial on how to add impersonation on WCF calls from a web app.

Mikael Svenson
  • Voted you up, as at least this is different from what I have been seeing so far. Won't be able to test it out until at least tomorrow. So to confirm, the identity impersonate=true is to be added at the ASP side, not the WCF? But I did try at ASP once, and it failed for me. What I did was using OperationContext. So is it possible to explain how different that is from yours? – C_Rance Apr 11 '11 at 15:26
  • You need to turn on Windows auth on the web app, and use impersonate=true. This will allow you to impersonate a call over to the WCF service from the ASP.NET site. You might also have to make sure you are using Kerberos in your domain, and not just NTLM. – Mikael Svenson Apr 11 '11 at 19:39
  • Web app wise, Windows authentication is definitely turned on. OK, I'll go try, maybe tonight if I have the time. – C_Rance Apr 12 '11 at 01:06
  • Thanks, it helped for this part of the question I'm asking. But I noticed that an unauthenticated user can also call the WCF service as long as I pass in Credentials = CredentialCache.DefaultNetworkCredentials. Any way to prevent this? WCF has already been set to Windows authentication + disallow anonymous. – C_Rance Apr 17 '11 at 01:51
  • From the docs: "The credentials returned by DefaultNetworkCredentials represents the authentication credentials for the current security context in which the application is running. For a client-side application, these are usually the Windows credentials (user name, password, and domain) of the user running the application. For ASP.NET applications, the default network credentials are the user credentials of the logged-in user, or the user being impersonated." Do you have forms/Windows login on your web app, and impersonation? – Mikael Svenson Apr 17 '11 at 18:56
  • @Mikael, I have not tried with impersonation, but I assume that it should show me the account that was used to run the application pool? For the web app, it was Windows authenticated; same goes for WCF. But in terms of Windows authentication for WCF, it only prompts me to authenticate when I right-click the service and view it in the browser. If I just call it from a console program, any Tom, Dick and Harry who is not in the AD will still be able to call the methods. – C_Rance Apr 18 '11 at 06:02
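Putting the answer and the follow-up comments together, here is an added example (not the answer's or the asker's code) of the WCF service side refusing anonymous callers and the ASP.NET client side opening the channel under the browser-authenticated identity rather than the app-pool account. It assumes BasicHttpBinding with Windows transport credentials, an IIS site for the service with Anonymous Authentication disabled, the web.config settings the answer names on the ASP.NET side (Windows authentication plus identity impersonate), and the hypothetical names IWhoAmI, WhoAmIService and WhoAmIClient.

```csharp
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IWhoAmI
{
    [OperationContract]
    string GetCallerName();
}

public class WhoAmIService : IWhoAmI
{
    // Demand an authenticated principal: under WCF's default PrincipalPermissionMode
    // (UseWindowsGroups) this is the caller's Windows token, so anonymous calls fail here.
    [System.Security.Permissions.PrincipalPermission(
        System.Security.Permissions.SecurityAction.Demand, Authenticated = true)]
    public string GetCallerName()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        // Explicit check too, so the rule holds even if the host regresses to anonymous access.
        if (ctx == null || ctx.IsAnonymous || ctx.WindowsIdentity == null || ctx.WindowsIdentity.IsAnonymous)
        {
            throw new SecurityAccessDeniedException("Windows authentication is required.");
        }
        // The AD user the browser authenticated, not the app-pool account, provided the
        // ASP.NET client impersonated that user before opening the channel (below).
        return ctx.WindowsIdentity.Name;
    }
}

public static class WhoAmIClient
{
    // Call with (WindowsIdentity)HttpContext.Current.User.Identity from the ASP.NET app.
    public static string CallAsCurrentUser(WindowsIdentity aspNetUser, string address)
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        using (var factory = new ChannelFactory<IWhoAmI>(binding, new EndpointAddress(address)))
        {
            // Across machines this needs Kerberos delegation; NTLM alone will not forward it.
            factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
            // Without impersonating here the channel authenticates as the application pool.
            using (aspNetUser.Impersonate())
            {
                return factory.CreateChannel().GetCallerName();
            }
        }
    }
}
```

A console client that is not in the domain fails at the transport handshake before the operation runs, and a misconfigured host that lets an anonymous request through is still stopped by the PrincipalPermission demand and the explicit check.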