Reputation: 22466
WCF Custom Authentication: Impersonate Windows Account for duration of request
for a customer, I need to implement the following scenario:
- User accounts are stored in a database. The list contains both Windows authenticated accounts and SQL Server authenticated accounts. Passwords are not stored in the database (for windows authenticated accounts, the windows system is used for validation of the credentials, SQL authenticated accounts are validated by the SQL server)
- A WCF service is created that users authenticate against using a custom authentication provider in order to be able to handle both Windows and SQL accounts. So both username (Domain\Username or just username) and password are available at the service.
- There already is a custom API that contains a class that encapsulates the connection handling to the database server. In case of a Windows account I provide a connection string to the class that uses integrated security. In case of a SQL account I build a connection string containing username and password of the SQL account. It would be convenient to create an object of the class at the beginning of the request and dispose of it when the request ends.
- For the Windows account scenario to work, I want to impersonate the Windows account for the duration of the request.
What I am looking for is a way to implement the impersonation in one place instead of each service method separately.
How can I implement this in the service?
Thanks for your help,
Markus
Upvotes: 0
Views: 1102
Answers (2)
Reputation: 495
Actually this link gives the answer: ServiceAuthorizationBehavior.ImpersonateCallerForAllOperations
A Snippet:
For details, including how impersonation is performed when using Allowed together with the ServiceAuthorizationBehavior.ImpersonateCallerForAllOperations property, see Delegation and Impersonation with WCF and How to: Impersonate a Client on a Service.
Below is the literal link.
Upvotes: 0
Reputation: 3337
Perhaps this example can get you on the way: taken from here
public class HelloService : IHelloService
{
[OperationBehavior(Impersonation = ImpersonationOption.Required)]
public string Hello(string message)
{
WindowsIdentity callerWindowsIdentity = ServiceSecurityContext.Current.WindowsIdentity;
if (callerWindowsIdentity == null)
{
throw new InvalidOperationException
("The caller cannot be mapped to a Windows identity.");
}
using (callerWindowsIdentity.Impersonate())
{
EndpointAddress backendServiceAddress = new EndpointAddress("http://localhost:8000/ChannelApp");
// Any binding that performs Windows authentication of the client can be used.
ChannelFactory<IHelloService> channelFactory = new ChannelFactory<IHelloService>(new NetTcpBinding(), backendServiceAddress);
IHelloService channel = channelFactory.CreateChannel();
return channel.Hello(message);
}
}
}
Upvotes: 1
Related Questions
- WCF client authentication on server side
- How can I authenticate using client credentials in WCF just once?
- WCF Custom Authentication using UserNamePasswordValidator
- WCF custom auth using session id
- Custom WCF authentication with System.ServiceModel.ServiceAuthenticationManager?
- WCF custom operation based authentication
- WCF custom authentication - Token
- How to require impersonation on a WCF service and set credentials from within the service?
- How to implement a custom authentication mechanism for a WCF Web Service
- Impersonation WCF