Impersonation using a self-hosted WCF WebServiceHost gets 'An operations error occurred.' error

0

So I have been banging my head on this one. I have a self hosted WCF service:

// Host the service and ask WCF to impersonate the caller for every operation
var webServiceHost = new WebServiceHost(helloWorld);
webServiceHost.Authorization.ImpersonateCallerForAllOperations = true;

// Windows (Kerberos/NTLM) client credentials on the transport
var uri = new Uri(BaseUri + webService.UriDirectory);
var webHttpBinding = new WebHttpBinding(webHttpSecurityMode);
webHttpBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

// AddServiceEndpoint takes the contract Type, hence typeof(...)
var sep = webServiceHost.AddServiceEndpoint(typeof(IHelloWorld), webHttpBinding, uri);
var webHttpBehavior = new WebHttpBehavior {HelpEnabled = true};
sep.Behaviors.Add(webHttpBehavior);

webServiceHost.Open();

I've gone ahead and applied the following attributes to my method:

[OperationBehavior(Impersonation = ImpersonationOption.Required)]
public List<GpoItem> GetAll()
{
    using (ServiceSecurityContext.Current.WindowsIdentity.Impersonate())
    {
        // Execute GPO code here...
        return new List<GpoItem>();
    }
}

To add a bit more context, I basically have a webservice that allows a person to log into a web page, create a GPO on the domain. Running this in a console works fine as I'm running it as the logged in domain user. Running it as a Windows service throws me an "Access Denied" exception. Thus the need for impersonation. I put in the following altered code above and I get 'An operations error occurred. (Exception from HRESULT: 0x80072020)'. Googling that shows me it's a permission issue still. I'm logging into the Web service test environment as an administrator so I have full access, and I've shown I can run it in a console just fine as an administrator. I feel like I'm missing some flag setting somewhere.

Any ideas?

[Update1] I've tried switching the service from running as local system to network service, but I still get the same issue.

[Update2] When I log on to the server hosting my WCF service (being run as local system), and use the browser directly on that machine, everything works fine. It seems to be an issue with delegating the user's authentication... still unknown here.

c#
wcf
security
impersonation
self-hosting
asked on Stack Overflow Dec 21, 2011 by ymerej • edited Dec 21, 2011 by ymerej

1 Answer

0

Apparently one can only get an Impersonation-level token from WCF attributes, which can only be used for local resource access. Instead I had to use the LogonUser API so that I could get a Delegate-level token which has network resource access. [1]

[1] http://msdn.microsoft.com/en-us/library/ff649252.aspx

answered on Stack Overflow Dec 22, 2011 by ymerej
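The LogonUser approach the answer describes, as an added example that is not code from the original question or answer. It assumes the service receives the caller's user name, domain and password itself (hypothetical parameters; the question's code relies on the WCF caller token instead), which means that password must only travel over the HTTPS transport the question configures and must never be logged. The P/Invoke signatures are the documented advapi32/kernel32 ones; the logon type matters, because a LOGON32_LOGON_NETWORK logon yields an impersonation token with the same local-only limitation the answer ran into:

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class NetworkLogon
{
    // Constants from winbase.h. An INTERACTIVE logon yields a primary token that
    // carries the user's credentials and can therefore reach network resources
    // such as a domain controller; LOGON32_LOGON_NETWORK would yield an
    // impersonation-level token that cannot, which is the failure in the question.
    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool LogonUser(
        string lpszUsername,
        string lpszDomain,
        string lpszPassword,
        int dwLogonType,
        int dwLogonProvider,
        out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool CloseHandle(IntPtr hObject);

    // Runs 'action' on the current thread while impersonating the account given
    // by the credentials, then reverts to the service account and releases the
    // token, even if 'action' throws. user/domain/password are assumed to be
    // supplied by the caller of the WCF operation.
    public static T RunAs<T>(string user, string domain, string password, Func<T> action)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT,
                       out token))
        {
            // Surface the Win32 reason (bad password, locked account, ...);
            // the password itself is never part of the message.
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        try
        {
            // Dispose() on the context calls Undo(), so the thread is back to
            // the service identity as soon as the using block ends.
            using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
            {
                return action();
            }
        }
        finally
        {
            // The token handle is not managed by WindowsIdentity here; close it.
            CloseHandle(token);
        }
    }
}
```

The operation from the question would then wrap its directory work as `NetworkLogon.RunAs(user, domain, password, () => { /* GPO code */ return new List<GpoItem>(); })` instead of calling `ServiceSecurityContext.Current.WindowsIdentity.Impersonate()`. Reverting in a `finally` matters in a self-hosted service: WCF reuses threads, and a thread left impersonating would execute later requests from other callers under the wrong identity.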

User contributions licensed under CC BY-SA 3.0