McArthey

Reputation: 1646

WCF Service using WindowsIdentity? Directory access permissions

I have a WCF Service that is using Impersonation. I have verified that the correct Identity is being used through the following method that I added to my service for purposes of debugging.

    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public AuthUser GetUser()
    {
        AuthUser user = new AuthUser();
        user.UserName = WindowsIdentity.GetCurrent().Name;
        return user;
    }

Without specifying the [OperationBehavior] I receive NT AUTHORITY\NETWORK SERVICE, as I'd expect. With the attribute I see the user returned that I expect DOMAIN\DOMAINUSER.
The service is currently still returning an error that it does not have access to perform file operations in the following line:

    FileStream fs = new FileStream(filename, FileMode.Create, FileAccess.Write);

I have verified that the directory has Full Access for the domain user through checking the Active Directory groups and memberships.

I have defined <identity impersonate="true" /> in the web.config of the service and have defined this in the client-side code:

        client.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;

If relevant, this is my service-side binding:

        <wsHttpBinding>
            <binding name="default" maxReceivedMessageSize="200000">
                <security mode="Message">
                    <message clientCredentialType="Windows" />
                </security>
            </binding>
        </wsHttpBinding>

Anonymous access is enabled in IIS as I'm letting WCF handle the authentication.

Upvotes: 0

Views: 2374

Answers (1)

user957902

Reputation: 3060

Since the file you are trying to create is on a network share, the impersonation is trying to make two network hops: once from the client to the WCF service, and the next from the WCF service to the network share. By default this is not allowed by impersonation. It's a policy that has to be changed in the Active Directory. Try writing to a location on the local file system where the WCF service is and it should work.

Here is a link to the MSDN details http://msdn.microsoft.com/en-us/library/ff649252.aspx and this post may help you Impersonation and Delegation in ASP.NET

Upvotes: 1
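As an added diagnostic example (not code from either poster), the operation below reports the impersonated token's authentication type and impersonation level and probes a local path, so a missing second hop can be told apart from a plain NTFS permission problem. The contract name, the `localProbePath` parameter and the "Kerberos" string comparison are assumptions; `WindowsIdentity.ImpersonationLevel` requires .NET Framework 4 or later.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;
using System.Text;

// Hypothetical diagnostic contract, not part of the original service.
[ServiceContract]
public interface IImpersonationDiagnostics
{
    [OperationContract]
    string Describe(string localProbePath);
}

public class ImpersonationDiagnostics : IImpersonationDiagnostics
{
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string Describe(string localProbePath)
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        var report = new StringBuilder();
        report.AppendLine("Name: " + id.Name);
        // Only a Kerberos token can be forwarded to a second machine; NTLM cannot.
        report.AppendLine("AuthenticationType: " + id.AuthenticationType);
        // Impersonation covers local resources only; reaching a network share
        // as the caller needs Delegation (and an AD delegation policy).
        report.AppendLine("ImpersonationLevel: " + id.ImpersonationLevel);
        bool secondHopPossible =
            id.ImpersonationLevel == TokenImpersonationLevel.Delegation &&
            string.Equals(id.AuthenticationType, "Kerberos", StringComparison.OrdinalIgnoreCase);
        report.AppendLine("Second hop possible: " + secondHopPossible);

        // Probe a local directory: success here while the share fails points at
        // the missing hop rather than at the user's NTFS rights.
        try
        {
            using (new FileStream(localProbePath, FileMode.Create, FileAccess.Write)) { }
            File.Delete(localProbePath);
            report.AppendLine("Local write: OK");
        }
        catch (Exception ex) when (ex is UnauthorizedAccessException || ex is IOException)
        {
            report.AppendLine("Local write: failed (" + ex.GetType().Name + ")");
        }
        return report.ToString();
    }
}
```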
