WCF: Learning Impersonation and Delegation
Configure DC:
Follow the link below to configure your domain controller.
https://techsthing.com/2012/how-to-create-a-domain-controller-using-the-dcpromo-command/
Join all three boxes (A, B, C) to the domain served by your new DC.
- First box (domain controller, also used as the client box): DCSAURABH
- Second box: DCSAURABH1
- Third box: DCSAURABH2
Architecture:
- User on Box A (DCSAURABH) using IE to browse the web app running on BOX B (DCSAURABH1)
- The web app impersonates the received credentials when calling WCF Service 1, which runs on the same box under a different app pool.
- WCF Service 1 on Box B (DCSAURABH1) delegates the credentials received from the web app to WCF Service 2 running on Box C (DCSAURABH2).
Configure the Domain Controller for delegation:
DCSAURABH is my domain controller.
DCSAURABH1 and DCSAURABH2 are the two boxes joined to this DC.
DCSAURABH1 is configured on the DC as trusted for delegation, so it can delegate the credentials received from IE running on the client box (DCSAURABH).
The next step is to configure the web app and the two WCF services (WCF1 and WCF2).
Web Application:
IIS Settings:
Client End point:
Client end point Binding:
End point behaviour:
Note:
The endpoint behaviour shows that the web app impersonates the received credentials when calling WCF Service 1 on the same box.
WCF Service 1 is responsible for delegating those credentials to a different box, i.e. Box C, where WCF Service 2 is running.
WCF Service1:
IIS Settings:
WCF Service 1 service end point:
Client end point to call WCF service 2:
Client end point binding:
Client end point behaviour:
We set allowedImpersonationLevel to “Delegation”.
This allows the incoming Windows token from the web app (which originated from IE) to be delegated to the back-end WCF Service 2 running on the third box.
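As an added example (not code from the original post), the two client-side hops described above, expressed in code rather than in web.config: the web app calls WCF Service 1 with the impersonation level capped at Impersonation, and WCF Service 1 calls WCF Service 2 with the level raised to Delegation. The contract name IBackend, the service URLs and the method names are assumptions; the behaviour mirrors the `<clientCredentials><windows allowedImpersonationLevel="..." /></clientCredentials>` endpoint behaviour shown in the screenshots.

```csharp
// Added example, not the original post's code. IBackend, the URLs and the method
// names are assumptions; the impersonation levels match the post's configuration.
using System;
using System.Security;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IBackend
{
    // Returns the Windows identity the service actually executes the call under.
    [OperationContract]
    string WhoAmI();
}

public static class DelegatingClient
{
    // Code equivalent of the endpoint behaviour
    // <clientCredentials><windows allowedImpersonationLevel="..." /></clientCredentials>:
    // the client authenticates with the calling thread's Windows identity and caps how
    // far the remote service may use the resulting token.
    public static ChannelFactory<IBackend> CreateFactory(string address, TokenImpersonationLevel level)
    {
        // wsHttpBinding with message security uses Windows credentials (Kerberos/NTLM via SSPI).
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        var factory = new ChannelFactory<IBackend>(binding, new EndpointAddress(address));
        factory.Credentials.Windows.AllowedImpersonationLevel = level;
        return factory;
    }

    // Hop 1, run inside the web app: impersonate the browser user (HttpContext.User.Identity
    // in an ASP.NET page) so WCF Service 1 sees that user rather than the app pool account.
    // Impersonation level is enough here because the service is on the same box.
    public static string CallService1As(WindowsIdentity browserUser)
    {
        using (browserUser.Impersonate())
        using (var factory = CreateFactory("http://dcsaurabh1/WcfService1/Service.svc",
                                           TokenImpersonationLevel.Impersonation))
        {
            IBackend proxy = factory.CreateChannel();
            string result = proxy.WhoAmI();
            ((IClientChannel)proxy).Close();
            return result;
        }
    }

    // Hop 2, run inside a WCF Service 1 operation marked
    // [OperationBehavior(Impersonation = ImpersonationOption.Required)]: the thread is
    // already impersonating the caller, so the factory forwards that token to DCSAURABH2.
    public static string CallService2AsCaller()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;

        // Delegation only works if the token we hold is itself delegatable: Kerberos on
        // the previous hop and DCSAURABH1 trusted for delegation on the DC. Fail loudly
        // instead of letting the call go out under the app pool identity.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new SecurityException(string.Format(
                "Token for {0} has level {1}; cannot delegate to WCF Service 2.",
                caller.Name, caller.ImpersonationLevel));

        using (var factory = CreateFactory("http://dcsaurabh2/WcfService2/Service.svc",
                                           TokenImpersonationLevel.Delegation))
        {
            IBackend proxy = factory.CreateChannel();
            string result = proxy.WhoAmI();
            ((IClientChannel)proxy).Close();
            return result;
        }
    }
}
```

The level check before hop 2 is the piece worth keeping in a real deployment: if the DC-side delegation setting or the Kerberos SPN registration is wrong, the web app still authenticates fine and the failure only shows up as the wrong identity (or an access denied) at WCF Service 2. Constraining the delegation on the DC to the WCF Service 2 service only, rather than allowing delegation to any service, limits what a compromised DCSAURABH1 could do with the forwarded tokens.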
Call to WCF Service 2
WCF Service 2:
IIS Settings
Code:
Note:
The impersonation option can also be set for the whole service from the configuration file, via the <serviceAuthorization /> element inside the service behavior.
However, this still requires every method to be explicitly decorated with ImpersonationOption set to "Allowed" or "Required".
https://msdn.microsoft.com/en-us/library/ms730088.aspx
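As an added example (not the original post's code), WCF Service 2 with impersonation declared per operation, plus the host-side equivalent of the <serviceAuthorization /> setting described in the note. The contract IBackend, the class names and the diagnostic operation are assumptions; the Diagnose operation is the check that confirms whether the identity the call authenticated as is really the identity the call executes under.

```csharp
// Added example, not the original post's code. IBackend, BackendService and Hosting
// are assumed names; the ImpersonationOption values follow the post's note.
using System;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IBackend
{
    [OperationContract]
    string WhoAmI();

    [OperationContract]
    string Diagnose();
}

public class BackendService : IBackend
{
    // Required: WCF impersonates the delegated caller for the duration of the call, so
    // WindowsIdentity.GetCurrent() is the browser user (SAURABH\user2 in the post), not
    // the app pool account. A call whose token cannot be impersonated is rejected instead
    // of quietly running as the service account.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoAmI()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    // Allowed: impersonation happens only when the host turns on
    // impersonateCallerForAllOperations. Comparing the two identities is the check a
    // defender wants: if they differ, the request authenticated as the user but the
    // work is executing as the service account.
    [OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
    public string Diagnose()
    {
        WindowsIdentity authenticated = ServiceSecurityContext.Current.WindowsIdentity;
        WindowsIdentity executing = WindowsIdentity.GetCurrent();
        return string.Format("authenticated as {0} (token level {1}); executing as {2}",
            authenticated.Name, authenticated.ImpersonationLevel, executing.Name);
    }
}

public static class Hosting
{
    // Programmatic equivalent of
    // <serviceAuthorization impersonateCallerForAllOperations="true" /> in the service
    // behavior. Operations marked Allowed then impersonate as well; an operation left at
    // the default (NotAllowed) makes the host fail to open, which is why every method
    // must still be decorated with Allowed or Required.
    public static ServiceHost Open(Uri baseAddress)
    {
        var host = new ServiceHost(typeof(BackendService), baseAddress);

        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        host.AddServiceEndpoint(typeof(IBackend), binding, "");

        host.Authorization.ImpersonateCallerForAllOperations = true;

        host.Open();
        return host;
    }
}
```

When the service is hosted in IIS the ServiceHost is created for you and the same switch lives in web.config; the per-operation attributes are identical in either hosting model.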
Output:
- The user runs IE on the client box (DCSAURABH).
- IE browses the web page hosted on DCSAURABH1, which impersonates the received credentials when calling WCF Service 1 on the same box.
- WCF Service 1 delegates the credentials to the external WCF Service 2 running on DCSAURABH2.
- The currently logged-in user on DCSAURABH is “SAURABH/user2”.
These steps make sure john’s identity (SAURABH/user2) is delegated to the back-end server.
Comments
- Anonymous
August 28, 2012
Good work