how to impersonate client side of wcf call

1

I need some help about WCF and authorization. Currently I have a client which calls a .NET remoting object hosted in a Windows service, which in turn is calling a WCF service (with wsHttpBinding). The WCF service is using Windows authentication with message-based security.

The Windows service is running with a special account. Once a client call arrives at the .NET remoting object, Thread.CurrentPrincipal gets set to the principal provided by the client, so that all actions are executed with the credentials from the client. No problem so far; now here comes my current problem: the WCF service should be called with the client user credentials. Afaik WCF uses WindowsIdentity.GetCurrent to create the authorization information for the call. As Thread.CurrentPrincipal holds the identity I want to use for the call, I thought (Thread.CurrentPrincipal.Identity as WindowsIdentity).Impersonate() does the job.

But now, instead of a WCF security exception, I'm getting this exception: System.ComponentModel.Win32Exception: No credentials are available in the security package

Callstack:
at System.IdentityModel.SspiWrapper.AcquireCredentialsHandle(String package, CredentialUse intent, AuthIdentityEx& authdata)
at System.ServiceModel.Security.SecurityUtils.GetCredentialsHandle(String package, NetworkCredential credential, Boolean isServer, String[] additionalPackages)
at System.ServiceModel.Security.SecurityUtils.GetCredentialsHandle(SecurityBindingElement sbe, ClientCredentials clientCredentials)
at System.ServiceModel.Security.SecurityUtils.GetCredentialsHandle(SecurityBindingElement sbe, BindingContext context)
at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.OnOpening()
at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpening()
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Security.CommunicationObjectSecurityTokenProvider.Open(TimeSpan timeout)
at System.ServiceModel.Security.SecurityUtils.OpenTokenProviderIfRequired(SecurityTokenProvider tokenProvider, TimeSpan timeout)
at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

thx for any help Martin

EDIT: I made a mistake which leads to this exception, because I forgot to create the ChannelFactory after the impersonation. But now I get another exception, where I'm not really sure how to deal with it: System.IO.FileLoadException: Could not load file or assembly 'System.IdentityModel.Selectors, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies. Either a required impersonation level was not provided, or the provided impersonation level is invalid. (Exception from HRESULT: 0x80070542)

wcf
security
impersonation
asked on Stack Overflow Jul 3, 2009 by Martin Moser • edited Jul 3, 2009 by Martin Moser

1 Answer

2

The user that your Windows service is running as must be allowed to impersonate a user.

There is a right called "Impersonate a client after authentication":

http://blogs.technet.com/askperf/archive/2007/10/16/wmi-troubleshooting-impersonation-rights.aspx

answered on Stack Overflow Jul 3, 2009 by Shiraz Bhaiji
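Added example (not code from the question or the answer) showing the pattern the EDIT arrived at: the ChannelFactory is created and opened inside the impersonation scope, the token level is checked up front so a bad level fails with a clear message instead of HRESULT 0x80070542, and the impersonation is undone when the call ends. The IOrderService contract and the endpoint configuration name are hypothetical; the service account still needs the "Impersonate a client after authentication" right from the answer.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.Threading;

// Hypothetical contract; the real service contract is not on the page.
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string WhoAmI();
}

public static class ImpersonatedWcfCall
{
    // Calls the WCF service as the caller whose principal the remoting host
    // placed on Thread.CurrentPrincipal. Factory creation, channel open and the
    // call itself all sit inside the impersonation scope.
    public static string CallAsCurrentPrincipal(string endpointConfigName)
    {
        var identity = Thread.CurrentPrincipal.Identity as WindowsIdentity;
        if (identity == null)
            throw new InvalidOperationException("Thread.CurrentPrincipal is not a WindowsIdentity.");

        // 0x80070542 is ERROR_BAD_IMPERSONATION_LEVEL: an Identification-level token
        // cannot authenticate anywhere, and reaching a service on another machine
        // (a second hop) normally needs a Delegation-level token. Check before calling.
        if (identity.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
            throw new InvalidOperationException(
                "Caller token level is " + identity.ImpersonationLevel + "; need Impersonation or Delegation.");

        using (WindowsImpersonationContext ctx = identity.Impersonate())
        {
            // Created AFTER Impersonate(): the credentials handle is acquired when the
            // channel opens, from the Windows identity current on this thread.
            var factory = new ChannelFactory<IOrderService>(endpointConfigName);
            factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
            IOrderService proxy = factory.CreateChannel();
            try
            {
                string result = proxy.WhoAmI();
                ((ICommunicationObject)proxy).Close();
                factory.Close();
                return result;
            }
            catch (Exception) // CommunicationException or TimeoutException leave the channel faulted
            {
                ((ICommunicationObject)proxy).Abort();
                factory.Abort();
                throw;
            }
        } // Undo() runs here, so the service thread reverts to its own account.
    }
}
```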

User contributions licensed under CC BY-SA 3.0