WCF security, changing the WindowsIdentity from inside a service - c#

I have a client app that calls a WCF service on a different server.
In the service I print out the following:
1. ServiceSecurityContext.Current.WindowsIdentity.Name;
2. WindowsIdentity.GetCurrent().Name;
1 above gives me my Windows login and 2 gives me the Windows login that the server is logged in as.
How can I change 2 so that it gives me my Windows login (not the login of the server)? Is there a way to force it?
I want to do this because in the WCF service I need to call another service with my original Windows login credentials.

Check out these links about impersonating the caller's identity in a WCF service - that'll be what you have to do, basically:
WCF security guidance - How To Impersonate the original caller
Delegation and Impersonation with WCF
Setting up WCF to Impersonate Client credentials
Caller impersonation for WCF services
Marc
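The mechanism the links above describe, as an added C# example (not code from the question, the answer or the linked articles): a self-hosted WCF service that impersonates its caller, so that WindowsIdentity.GetCurrent() inside the operation reports the client's account rather than the host's. The contract, service and net.tcp address are assumptions; it shows both the attribute form and explicit, scoped impersonation.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical contract; the names and the net.tcp address are assumptions.
[ServiceContract]
public interface IWhoAmI
{
    [OperationContract]
    string ReportWithAttribute();

    [OperationContract]
    string ReportWithManualImpersonation();
}

public class WhoAmIService : IWhoAmI
{
    // Option 1: let WCF impersonate the caller for the whole operation.
    // Inside the method, WindowsIdentity.GetCurrent() is the caller, not the
    // account the host process runs as. Required means the call is rejected
    // when the client's token does not permit impersonation.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string ReportWithAttribute()
    {
        return Describe();
    }

    // Option 2: impersonate only around the work that needs the caller's
    // identity (a downstream call, a file read) and revert immediately after.
    // Outside the using block the thread is back on the host account, which
    // keeps the window in which the service acts as the caller as small as possible.
    public string ReportWithManualImpersonation()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            return Describe();
        }
    }

    private static string Describe()
    {
        string caller = ServiceSecurityContext.Current.WindowsIdentity.Name;
        string thread = WindowsIdentity.GetCurrent().Name;
        return "caller=" + caller + " thread=" + thread;
    }
}

public static class Program
{
    public static void Main()
    {
        // Transport security with Windows credentials: the caller's identity
        // is established by Kerberos/NTLM and handed to the service.
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        var address = new Uri("net.tcp://localhost:9000/whoami"); // assumed address

        using (var host = new ServiceHost(typeof(WhoAmIService), address))
        {
            host.AddServiceEndpoint(typeof(IWhoAmI), binding, string.Empty);
            host.Open();

            var factory = new ChannelFactory<IWhoAmI>(binding, new EndpointAddress(address));
            // The client decides how far its token may be used. Impersonation
            // is enough for the service to act as the caller on its own machine;
            // only Delegation lets it reach a further server as the caller.
            factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;

            IWhoAmI proxy = factory.CreateChannel();
            Console.WriteLine(proxy.ReportWithAttribute());
            Console.WriteLine(proxy.ReportWithManualImpersonation());
            ((IClientChannel)proxy).Close();
            factory.Close();
        }
    }
}
```

Both operations print the same caller and thread name once impersonation is in effect. The client-side AllowedImpersonationLevel is the consent switch: leave it at Impersonation unless the service genuinely has to call a third machine as the caller, in which case Delegation (and Kerberos, with the service account trusted for delegation) is required.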

Related

Impersonation fails when calling web method from SoapUI

I have a WCF self-hosted web service (hosted in my Windows service under the Local System account). Web methods have [OperationBehaviorAttribute(Impersonation = ImpersonationOption.Required)] attached. NTLM authentication is used.
In my web method's implementation I impersonate the caller and do some stuff. For this I use ServiceSecurityContext.Current.WindowsIdentity. If I don't give proper credentials when calling the web method then the web service returns "401 Unauthorized".
When I call the method from Chrome then the Windows identity and impersonation work great. I can create a new process under the impersonated user, which will spawn in the Windows session of that user (different from 0). Firefox also works when I add the "localhost" string to the network.automatic-ntlm-auth.trusted-uris preference. But when SoapUI calls the method then this Windows identity is not set up properly. The web method is called, so NTLM works to a degree, but it just doesn't work properly. A call to ServiceSecurityContext.Current.WindowsIdentity.Owner.IsAccountSid() returns false (Owner is not a user account, but the built-in "Administrators" group). Creating a new process while impersonated would create it in Windows session 0.
I've looked into the HTTP communication with Wireshark, and the NTLM handshake looks different between Chrome and SoapUI. No idea what to do with that information though.
How do I make SoapUI work properly with my web service and NTLM?
While I don't know how to fix the problem with WCF, I switched to Web API and OWIN, and now I have a working solution.

ensure web service only accessed by authorized applications

I have a C# .NET WCF web service on a Windows server with IIS. I need to know if there is a way to tell the web service that it can accept requests only from a specific URL.
example:
ApplicationA call ApplicationAwebService = should work
ApplicationB call ApplicationAwebService = should be denied
Right now, they are all on the same server, but I need a solution that works even if they are on a different server (3-tier applications).
thanks
If you are using WCF then it's possible to use mutual authentication between services and clients. Mutual authentication achieves not only security for the server to accept connections from legit clients but provides the ability for the clients to verify that they are talking to a legit server.
Mutual authentication can be achieved through Message security (encrypting the data sent between the client and server and vice versa) by using certificates, Kerberos (Windows auth), tokens and a username/password configuration.
Mutual authentication can also be achieved in WCF through role-based authentication, identities, and resource-based authentication.
Reference from MSDN: https://msdn.microsoft.com/en-us/library/ff647503.aspx
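One concrete way to get the "ApplicationA may call, ApplicationB may not" behaviour the question asks for, added here as an example and not code from the question or the answer: authenticate callers (here with Windows credentials under message security) and then gate every operation on an allow-list of the service accounts the calling applications run as, using a custom ServiceAuthorizationManager. The contract, service, address and account names are constructed placeholders; with certificate credentials the same manager would compare the certificate identity instead.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;

// Allow-list of the Windows accounts the calling applications run as.
// Account names are constructed placeholders.
public class AllowListAuthorizationManager : ServiceAuthorizationManager
{
    private readonly HashSet<string> allowedCallers;

    public AllowListAuthorizationManager(IEnumerable<string> callers)
    {
        allowedCallers = new HashSet<string>(callers, StringComparer.OrdinalIgnoreCase);
    }

    // Pure decision, kept separate so it can be reasoned about without a host:
    // unauthenticated or anonymous callers are always denied, everyone else
    // must be on the list.
    public bool IsAllowed(ServiceSecurityContext ctx)
    {
        if (ctx == null || ctx.IsAnonymous) return false;
        var id = ctx.PrimaryIdentity;
        if (id == null || !id.IsAuthenticated) return false;
        return allowedCallers.Contains(id.Name);
    }

    // WCF calls this for every operation before the service method runs.
    // Returning false makes WCF fault the call with an access-denied error.
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        bool ok = IsAllowed(operationContext.ServiceSecurityContext);
        if (!ok)
        {
            // Record denials with the presented identity so unexpected callers show up in logs.
            string who = operationContext.ServiceSecurityContext?.PrimaryIdentity?.Name ?? "<anonymous>";
            Console.Error.WriteLine("Denied " + operationContext.IncomingMessageHeaders.Action + " from " + who);
        }
        return ok;
    }
}

[ServiceContract]
public interface IOrders { [OperationContract] int Count(); }

public class OrdersService : IOrders { public int Count() { return 42; } }

public static class Program
{
    public static void Main()
    {
        // Message security with Windows credentials: the caller is authenticated
        // by Kerberos/NTLM and the channel is encrypted and signed.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        using (var host = new ServiceHost(typeof(OrdersService), new Uri("http://localhost:8080/orders"))) // assumed address
        {
            host.AddServiceEndpoint(typeof(IOrders), binding, string.Empty);
            // Only the account ApplicationA runs under is accepted; ApplicationB's account is not listed.
            host.Authorization.ServiceAuthorizationManager =
                new AllowListAuthorizationManager(new[] { @"CORP\svc-ApplicationA" });
            host.Open();
            Console.WriteLine("Listening; press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

The check is on the authenticated identity, not on the caller's URL or IP address, so it holds when the applications are moved to different servers; an address-based rule would not.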

WCF service running under domain account

I have one WCF service (self-hosted) running under the Network Service account. The service client successfully uses all methods hosted by the service. When I change the service credentials from the Network Service account to a domain user account, the service client is not able to contact the service (the timeout expires and an exception is thrown).
Can anyone help me properly configure service/client/domain account?
Thanks.
Are you sure the service actually started while running under your domain account? If you're not sure (I wouldn't be), try navigating to the service URL with a browser by putting the URL into the address bar and hitting enter. If the service is running, it should (if you have mex enabled) show you the WSDL page for the service.
One problem could be that your domain account does not have admin rights (isn't part of the administrators group) on the server where the web service is running. If that's the case, the WCF service won't start under that user account since starting a WCF service reserves a port on the machine, a task that only administrators can do.
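A way to confirm the "did it actually start?" question for an HTTP-bound self-hosted service, added here as an example (not code from the question or the answer): open the host inside a try block and distinguish the exception WCF raises when the process account holds no reservation for the HTTP URL namespace from other start-up failures. The contract, service and address are assumptions. The namespace reservation (netsh http add urlacl, run once by an administrator for the service account) is the usual remedy, which avoids giving the service account administrator rights.

```csharp
using System;
using System.ServiceModel;

// Hypothetical contract and address used only to have something to host.
[ServiceContract]
public interface IPing { [OperationContract] string Ping(); }

public class PingService : IPing { public string Ping() { return "pong"; } }

public static class Program
{
    // Returns true when the host opened; false with a human-readable diagnosis otherwise.
    public static bool TryOpen(ServiceHost host, out string diagnosis)
    {
        try
        {
            host.Open();
            diagnosis = "opened as " + Environment.UserDomainName + "\\" + Environment.UserName;
            return true;
        }
        catch (AddressAccessDeniedException ex)
        {
            // Thrown by the HTTP listener when this account has no reservation for
            // the URL namespace. A one-time reservation by an administrator, e.g.
            //   netsh http add urlacl url=http://+:8080/ping user=DOMAIN\svc-account
            // lets a non-admin service account listen on it.
            diagnosis = "HTTP namespace not reserved for this account: " + ex.Message;
            return false;
        }
        catch (AddressAlreadyInUseException ex)
        {
            // Something else (IIS, another instance) already owns the port/URL.
            diagnosis = "port or URL already in use: " + ex.Message;
            return false;
        }
    }

    public static void Main()
    {
        var host = new ServiceHost(typeof(PingService), new Uri("http://localhost:8080/ping")); // assumed address
        host.AddServiceEndpoint(typeof(IPing), new BasicHttpBinding(), string.Empty);

        string diagnosis;
        bool ok = TryOpen(host, out diagnosis);
        Console.WriteLine(diagnosis);
        if (ok)
        {
            Console.ReadLine();
            host.Close();
        }
        else
        {
            // A host that failed to open is in the Faulted state; Abort, not Close.
            host.Abort();
        }
    }
}
```

Logging the diagnosis to the Windows service's event source (in place of the console) is what makes the "timeout on the client" symptom in the question immediately explainable.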

Calling WCF web services from an ASP.NET web application using impersonation and channel factory

I have various bits of functionality implemented in WCF web services which are currently consumed by an Excel client via a local COM-visible library. I wish to implement some of the front-end functionality in a web client. I set up my client proxy using
dataChannel.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;
ASP.NET impersonation is turned on, as is Windows authentication (no anonymous). When web services and web site are hosted on the same server there are no issues and the desktop user's credentials are passed from browser to web site to WCF perfectly. However, when web site and web services are hosted on different boxes (same domain, intranet only) I get 401 authentication errors. What am I doing wrong?
It sounds like you are suffering from the Kerberos "double hop" problem. By default Windows does not pass the Kerberos authentication token on to another server, so if a user accesses webserver A and authenticates, and webserver A accesses a service on webserver B, webserver A does not pass the authentication through to webserver B, so you get a 401. I think this article should help you enable Kerberos delegation between the web site server and the web service server.
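Both the SoapUI question above (the impersonated identity's Owner not being a user account) and this double-hop question come down to what token the service actually received. Added here as an example (not code from either question or answer): a diagnostic the service can expose that summarises the caller's WindowsIdentity, so an NTLM token that cannot be delegated, an identification-level token, or an admin-owned token can be told apart from a healthy Kerberos delegation token before anyone debugs handshakes in Wireshark. The contract and service wrapper are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.Text;

public static class CallerDiagnostics
{
    // Summarise what the service received for the caller.
    public static string Describe(WindowsIdentity id)
    {
        if (id == null) return "no Windows identity (caller not Windows-authenticated)";
        if (id.IsAnonymous) return "anonymous caller";

        var sb = new StringBuilder();
        sb.Append("user=").Append(id.Name);
        // "NTLM" or "Kerberos": only a Kerberos ticket can be forwarded to a further server.
        sb.Append(" auth=").Append(id.AuthenticationType);
        // Anonymous/Identification tokens cannot be impersonated at all,
        // Impersonation works on this machine only, Delegation is needed for the second hop.
        sb.Append(" level=").Append(id.ImpersonationLevel);
        // A token for an ordinary user is owned by that user's account SID. On Windows a
        // token whose user is a local administrator is typically owned by the
        // Administrators group instead, which is what IsAccountSid() == false indicates.
        bool ownerIsAccount = id.Owner != null && id.Owner.IsAccountSid();
        sb.Append(" ownerIsAccount=").Append(ownerIsAccount);
        sb.Append(" system=").Append(id.IsSystem);
        return sb.ToString();
    }

    // Necessary conditions on the token for reaching a second server as the caller.
    // Not sufficient: the service account must also be trusted for delegation in AD.
    public static bool CanReachSecondHop(WindowsIdentity id)
    {
        return id != null
            && !id.IsAnonymous
            && id.ImpersonationLevel == TokenImpersonationLevel.Delegation
            && string.Equals(id.AuthenticationType, "Kerberos", StringComparison.OrdinalIgnoreCase);
    }
}

// Hypothetical operation that returns the diagnosis to an authenticated caller.
[ServiceContract]
public interface IDiag
{
    [OperationContract]
    string WhoCalled();
}

public class DiagService : IDiag
{
    public string WhoCalled()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        string summary = CallerDiagnostics.Describe(caller);
        string hop = CallerDiagnostics.CanReachSecondHop(caller) ? "delegation possible" : "second hop will fail";
        return summary + " => " + hop;
    }
}
```

When the 401 in this question is reproduced, the expected readout on webserver A is auth=NTLM or level=Impersonation; after delegation is configured it should read auth=Kerberos level=Delegation. Restrict such an operation to administrators or remove it once the configuration is verified, since it reveals account details to every caller.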

WCF security: looking for a very specific example

I'm having a problem where I want to get the user's Windows login information sent to IIS, then from there sent to a WCF service hosted in a console application, and then that service uses the credentials to go to a database and retrieve results.
I'm looking for an example on the web that does EXACTLY this but for the life of me can't find one. I can find a million examples that
1. Give general information about WCF, Windows Authentication, Delegation, impersonation etc.
2. Use the credentials to go to a WCF service hosted in IIS and then to the database
3. Use the credentials to go straight to a WCF service and then to the database
But I can't find an example going first to a regular webpage in IIS, then to a WCF service hosted in a console app and then to the database.
Can anyone find this specific scenario?
Can you get the current user under IIS? Write a Login method in WCF and pass that data to the WCF service, use sessions, and require that Login be called first; after all that, close the session.
