5 Replies - 10033 Views - Last Post: 01 July 2012 - 04:02 PM

#1 idq

impersonating non windows clients in a wcf service

Posted 25 June 2012 - 01:59 AM

Hello,

I have a question about how to do Windows impersonation in a WCF service accessed by a non-Windows client. To clarify my problem: there is an SQL database I need to get data from which uses Windows integrated security (Integrated Security = SSPI). Also, the database has roles configured, so depending on which user is connecting he/she will have access to a different scope. My idea is to have a WCF service which accesses the SQL database using Windows impersonation, but is this doable when the clients that are connecting to the WCF service are not Windows clients?


Replies To: impersonating non windows clients in a wcf service

#2 Curtis Rutland

Re: impersonating non windows clients in a wcf service

Posted 25 June 2012 - 08:04 AM

Well, my first question is: do the non-windows clients somehow relate to your domain accounts you want to impersonate? If so, then you can easily impersonate these accounts, assuming you have the password for them. If not, then I'm not sure how you'd go about choosing a windows account when you need to impersonate.

Another option is to have your service run in an app pool running as a privileged user, and include the access logic in your WCF service instead of at the DB level.

#3 idq

Re: impersonating non windows clients in a wcf service

Posted 25 June 2012 - 12:41 PM

Curtis Rutland, on 25 June 2012 - 08:04 AM, said:

Well, my first question is: do the non-windows clients somehow relate to your domain accounts you want to impersonate? If so, then you can easily impersonate these accounts, assuming you have the password for them. If not, then I'm not sure how you'd go about choosing a windows account when you need to impersonate.

Another option is to have your service run in an app pool running as a privileged user, and include the access logic in your WCF service instead of at the DB level.


Yes, they are, i.e. the user will be able to type in domain\username and password in the client.

#4 Curtis Rutland

Re: impersonating non windows clients in a wcf service

Posted 25 June 2012 - 01:39 PM

Ah, then this project might be of use to you:

http://www.codeproje...sonating-a-User

I implemented my own client in a very similar manner, as well as an "unimpersonator" that behaved similarly (MS CRM 2011 runs in an app pool using ASP.NET Impersonation, so we needed to "RevertToSelf" to the app pool identity in one section, but impersonate to the user again when we were done), based on this codeproject page.

#5 idq

Re: impersonating non windows clients in a wcf service

Posted 28 June 2012 - 06:59 AM

Curtis Rutland, on 25 June 2012 - 01:39 PM, said:

Ah, then this project might be of use to you:

http://www.codeproje...sonating-a-User

I implemented my own client in a very similar manner, as well as an "unimpersonator" that behaved similarly (MS CRM 2011 runs in an app pool using ASP.NET Impersonation, so we needed to "RevertToSelf" to the app pool identity in one section, but impersonate to the user again when we were done), based on this codeproject page.


Thanks, I tried it out and got it to work when self-hosting the WCF service in a Windows service. But as I need to use IIS as the hosting environment, I tried a different approach. After a while I got everything to work by using basicHttpBinding with TransportWithMessageCredential as security mode and clientCredentialType = Basic. Then I could specify impersonation declaratively on method level.
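
Method-level declarative impersonation as described in the post above, shown as an added example that is not code from the thread or from the linked project. The contract, class, method and connection-string values are hypothetical placeholders, and the binding from the post is assumed to be configured already so that the caller's user name maps to a Windows account.

```csharp
using System.Data.SqlClient;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical contract: only the attributes and framework types are WCF's own.
[ServiceContract]
public interface IReportService
{
    [OperationContract]
    string GetSqlLoginName();
}

public class ReportService : IReportService
{
    // Placeholder connection string. It carries no credentials, so SQL Server
    // authenticates whichever Windows identity the thread has when Open() runs.
    private const string ConnStr =
        "Data Source=SQLHOST_PLACEHOLDER;Initial Catalog=DB_PLACEHOLDER;Integrated Security=SSPI";

    // Required: WCF runs this method body under the caller's Windows identity
    // instead of the app pool account. Impersonation ends when the method returns.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string GetSqlLoginName()
    {
        // Fail closed if the caller's token is too weak to act on resources.
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        if (caller.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
            throw new FaultException("Caller identity cannot be impersonated.");

        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
        {
            conn.Open();
            // Returns the login SQL Server saw. It should be the caller's
            // DOMAIN\user, which is what lets the database roles apply per user.
            return (string)cmd.ExecuteScalar();
        }
    }
}
```

Keeping the attribute on individual operations limits the code that runs with the caller's privileges to the methods that actually need database access.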

#6 Curtis Rutland

Re: impersonating non windows clients in a wcf service

Posted 01 July 2012 - 04:02 PM

Glad that you found a solution and shared it with the community.