I have a WCF Service that is using Impersonation. I have verified that the correct Identity is being used through the following method that I added to my service for purposes of debugging.

    using System.Security.Principal;
    using System.ServiceModel;

    // Debug-only operation: returns the Windows identity the service thread runs under.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public AuthUser GetUser()
    {
        AuthUser user = new AuthUser();
        user.UserName = WindowsIdentity.GetCurrent().Name;
        return user;
    }

Without specifying the [OperationBehavior] I receive NT AUTHORITY\NETWORK SERVICE, as I'd expect. With the attribute I see the user I expect, DOMAIN\DOMAINUSER.
The service is currently still returning an error that it does not have access to perform file operations on the following line:

    FileStream fs = new FileStream(filename, FileMode.Create, FileAccess.Write);

I have verified that the directory has Full Access for the domain user through checking the Active Directory groups and memberships.

I have defined <identity impersonate="true" /> in the web.config of the service and have defined this in the client-side code:

    client.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;

If relevant, this is my service-side binding:

        <wsHttpBinding>
            <binding name="default" maxReceivedMessageSize="200000">
                <security mode="Message">
                    <message clientCredentialType="Windows" />
                </security>
            </binding>
        </wsHttpBinding>

Anonymous access is enabled in IIS as I'm letting WCF handle the authentication.

Kiquenet
McArthey

1 Answer

Since the file you are trying to create is on a network share, the impersonation is trying to make two network hops: once from the client to the WCF service, and next from the WCF service to the network share. By default this is not allowed by impersonation. It's a policy that has to be changed in Active Directory. Try writing to a location on the local file system where the WCF service is and it should work.

Here is a link to the MSDN details http://msdn.microsoft.com/en-us/library/ff649252.aspx and this post may help you Impersonation and Delegation in ASP.NET

user957902
  • Thanks for the links, which I've partially read and will complete shortly. One question... If the service is operating as a user via impersonation, shouldn't it use those credentials to access the network, since it's effectively operating as that user? – McArthey Oct 06 '11 at 22:22
  • It's operating as that user identity, but not with the same privileges as if you had logged on locally at the box. I believe one of the privileges that is missing is delegation, so your impersonated thread has no right to pass that ID on to another box. I think you can turn on user impersonation delegation, but it has to be done in Active Directory. This is for the traditional NTLM security. If you look at the MSDN docs, if you are set up to use Kerberos then you get delegation by default. – user957902 Oct 06 '11 at 22:42
  • Your links and explanations were very helpful. Thanks much. I will probably investigate using the LogonUser API based upon what I've read so far. – McArthey Oct 07 '11 at 13:30
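The double-hop situation described in the answer can be made visible and fail-closed in the service itself. The following is an added example, not code from the original question or answer: it checks the impersonation level of the token the operation is running under before touching a UNC path, and shows the client-side setting that permits the second hop. The contract name IFileWriter, the share \\FILESRV01\drop and the class names are assumptions for illustration only.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;

// Added example; names below (IFileWriter, FILESRV01, drop) are assumed.
[ServiceContract]
public interface IFileWriter
{
    [OperationContract]
    string WriteFile(string name, byte[] content);
}

public class FileWriterService : IFileWriter
{
    // Assumed UNC target: reaching it is the second hop, service host -> file server.
    private const string ShareRoot = @"\\FILESRV01\drop";

    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WriteFile(string name, byte[] content)
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();

        // An Impersonation-level token lets this thread act as the caller on
        // this machine only. A remote share needs a Delegation-level token,
        // which the caller must allow and Kerberos delegation must be set up for.
        if (id.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            throw new FaultException(string.Format(
                "Token for {0} is {1}; Delegation is required to write to {2}",
                id.Name, id.ImpersonationLevel, ShareRoot));
        }

        // Accept a bare file name only, so a caller cannot escape the share root.
        if (string.IsNullOrEmpty(name) || Path.GetFileName(name) != name
            || name == "." || name == "..")
        {
            throw new FaultException("Invalid file name");
        }

        string target = Path.Combine(ShareRoot, name);
        // CreateNew: refuse to overwrite an existing file under the caller's identity.
        using (FileStream fs = new FileStream(target, FileMode.CreateNew, FileAccess.Write))
        {
            fs.Write(content, 0, content.Length);
        }
        return id.Name + " wrote " + target;
    }
}

public static class FileWriterClient
{
    // Client side. The default AllowedImpersonationLevel is Identification,
    // which lets the service see who the caller is but not act as them;
    // Impersonation is enough for local resources, Delegation for the second hop.
    public static IFileWriter Connect(string endpointConfigurationName)
    {
        var factory = new ChannelFactory<IFileWriter>(endpointConfigurationName);
        factory.Credentials.Windows.AllowedImpersonationLevel =
            TokenImpersonationLevel.Delegation;
        return factory.CreateChannel();
    }
}
```

Raising the client setting to Delegation is necessary but not sufficient: the token only reaches Delegation level if the service authenticated the caller with Kerberos (NTLM cannot forward the identity) and the account hosting the service, here the machine account since the process runs as NETWORK SERVICE, is trusted in Active Directory to delegate to the file server's cifs service. Constrained delegation to just that SPN is the least-privilege choice; unconstrained delegation lets the host impersonate callers to any service on the network.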