How do I get the Windows Identity of the Caller?
This seems like a fairly simple thing, but I cannot find a complete example.
- Service hosted in IIS, running as windows domain user 'S'
- .Net windows forms client running on workstation as logged-in user 'C'
What I want to be able to do in the service is create a claim set based on user 'C' and then, if 'C' has the required claims, execute the service method as 'S' (i.e. not impersonate the caller). The claim set is created based on a custom database. We do not have a membership provider, certificate authority, or any of the usual security and authentication you might expect in an enterprise environment. All I want to do is be able to say that the calling code is executing with the privileges of some user, and I just have to trust that the user's workstation hasn't been compromised.
It seems like a very simple request, yet I have not been able to find a complete example demonstrating this very basic scenario (by complete I mean server and client code and server and client config files all in one place and working together).
The code is being developed and tested on Windows XP and will be hosted on Windows Server 2003.
Any help appreciated.
Thanks.
Colin
Thanks for the response. Unfortunately, all that has managed for me is to prevent any access at all. It appears that the CheckAccessCore method is being called before the Evaluate method, so there are no claims to check.
I've looked at:
http://msdn2.microsoft.com/en-us/library/ms731774.aspx
http://msdn2.microsoft.com/en-us/library/ms731181.aspx
I already had my custom claims populated, and if I remove the ServiceAuthorizationManager class, the Evaluate method executes, but as soon as I add it back in, CheckAccessCore runs and returns false because none of the claims have been added.
I'm sure I'm just missing something in either my code or configuration files (I'll include those with this post), but I have absolutely no idea what it might be. That's the problem with the documentation of WCF (and this comment is directed toward the MSDN docs, not to anyone who has been good enough to take some of their spare time to respond to any of my posts). They go into great detail about specifics without actually explaining how all those details fit together (except in a very general sense).
Colin
app.config:
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="NotebookUpload" closeTimeout="00:01:00" openTimeout="00:01:00"
               receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false"
               transactionFlow="false" hostNameComparisonMode="StrongWildcard"
               maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
               messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                      maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
        <security mode="Message">
          <!-- With mode="Message" the <transport> element below is ignored; only <message> applies. -->
          <transport clientCredentialType="Windows" proxyCredentialType="Ntlm" realm="" />
          <!-- clientCredentialType="None" means the client presents no credential at all, so the
               service sees an anonymous caller, not the Windows identity of user 'C'.
               "Windows" is the setting that carries C's domain identity in the message. -->
          <message clientCredentialType="None" negotiateServiceCredential="false"
                   algorithmSuite="Default" establishSecurityContext="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <endpointBehaviors>
      <behavior name="uploadBehavior">
        <clientCredentials>
          <!-- Only consulted when Windows credentials are actually sent (see <message> above).
               "Identification" would be enough for a service that never impersonates the caller. -->
          <windows allowedImpersonationLevel="Impersonation" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <client>
    <endpoint address="http://mypc.myaddress.com/NoMaDServices/NotebookUploadService.svc"
              binding="wsHttpBinding" bindingConfiguration="NotebookUpload"
              contract="NotebookUpload.INotebookUploadService" name="NotebookUpload"
              behaviorConfiguration="uploadBehavior">
      <identity>
        <!-- The service certificate the client uses to encrypt to the service
             (negotiateServiceCredential="false" means it must be supplied out of band like this). -->
        <certificate encodedValue="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" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
web.config:
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="WSHttpBinding_INotebookUploadService">
        <security mode="Message">
          <!-- Ignored in mode="Message"; only <message> applies. -->
          <transport clientCredentialType="Windows" proxyCredentialType="Ntlm" realm="" />
          <!-- Must match the client binding. With "None" no caller identity reaches the
               authorization policy, so there is nothing to build claims from. -->
          <message clientCredentialType="None" negotiateServiceCredential="false"
                   algorithmSuite="Default" establishSecurityContext="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="Behavior_INotebookUploadService">
        <serviceMetadata httpGetEnabled="true"/>
        <!-- Development setting: returns stack traces and internal type names to any caller.
             Turn it off before the service is reachable by anyone but the developer. -->
        <serviceDebug includeExceptionDetailInFaults="true"/>
        <!-- A custom ServiceAuthorizationManager is registered on this element with
             serviceAuthorizationManagerType="Namespace.TypeName, AssemblyName" (omitted here,
             which is the state described in the post where Evaluate runs). -->
        <serviceAuthorization principalPermissionMode="Custom">
          <authorizationPolicies>
            <add policyType="TransferService.Claims.ClaimsAuthorizationPolicy, Notebook Common" />
          </authorizationPolicies>
        </serviceAuthorization>
        <serviceCredentials>
          <userNameAuthentication userNamePasswordValidationMode="Windows" />
          <!-- storeLocation="CurrentUser" refers to the profile of the IIS worker process account ('S').
               Under IIS the certificate is normally placed in LocalMachine so it is found regardless of
               which account the application pool runs as. -->
          <serviceCertificate storeLocation="CurrentUser" storeName="TrustedPeople"
                              findValue="mypc.myaddress.com" x509FindType="FindBySubjectName" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service behaviorConfiguration="Behavior_INotebookUploadService" name="TransferService.NotebookUploadService">
      <endpoint address="http://mypc.myaddress.com/NoMaDServices/NotebookUploadService.svc"
                binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_INotebookUploadService"
                name="NotebookUpload" contract="TransferService.INotebookUploadService"/>
      <endpoint address="mex" binding="mexHttpBinding" name="MetaData" contract="IMetadataExchange"/>
    </service>
  </services>
</system.serviceModel>
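The ordering Colin describes (CheckAccessCore running with no claims present) is what happens when a ServiceAuthorizationManager overrides CheckAccess instead of CheckAccessCore, or overrides CheckAccess without calling the base implementation: it is base.CheckAccess that runs every IAuthorizationPolicy.Evaluate, stores the resulting claim sets in ServiceSecurityContext.AuthorizationContext, and only then calls CheckAccessCore. The following is an added example of the two classes working together; it is not Colin's code and not from the thread. It assumes the client and service bindings both use `<message clientCredentialType="Windows" />` (so the caller's Windows identity reaches the policy), that the manager is registered with `serviceAuthorizationManagerType="TransferService.Claims.OperationClaimAuthorizationManager, Notebook Common"` on the `<serviceAuthorization>` element, and it uses a hypothetical claim type URI, a constructed in-memory table in place of the custom database, and the made-up account name `MYDOMAIN\c`. Because `impersonateCallerForAllOperations` is left at its default of false, the operation body still runs as the IIS identity 'S'.

```csharp
// Added example (C#, .NET 3.0 WCF API); not Colin's code. The claim type URI, the Grants
// table standing in for the custom database, and the account MYDOMAIN\c are hypothetical.
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Principal;
using System.ServiceModel;

namespace TransferService.Claims
{
    public sealed class ClaimsAuthorizationPolicy : IAuthorizationPolicy
    {
        // Hypothetical claim type; any URI unique to the application will do.
        public const string OperationClaimType = "http://example.org/claims/operation";

        // Constructed stand-in for the custom database: account name -> operations it may call.
        static readonly Dictionary<string, string[]> Grants =
            new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
            {
                { @"MYDOMAIN\c", new[] { "UploadNotebook" } },
            };

        readonly string id = Guid.NewGuid().ToString();
        public string Id { get { return id; } }
        public ClaimSet Issuer { get { return ClaimSet.System; } }

        // Called by ServiceAuthorizationManager.CheckAccess before CheckAccessCore.
        public bool Evaluate(EvaluationContext evaluationContext, ref object state)
        {
            object obj;
            IList<IIdentity> identities;
            if (!evaluationContext.Properties.TryGetValue("Identities", out obj)
                || (identities = obj as IList<IIdentity>) == null)
                return true; // no authenticated identity, so no claims to add

            foreach (IIdentity identity in identities)
            {
                if (!identity.IsAuthenticated) continue; // anonymous callers get no claims
                string[] operations;
                if (!Grants.TryGetValue(identity.Name, out operations)) continue;

                List<Claim> claims = new List<Claim>();
                foreach (string op in operations)
                    claims.Add(new Claim(OperationClaimType, op, Rights.PossessProperty));
                evaluationContext.AddClaimSet(this, new DefaultClaimSet(Issuer, claims));
            }
            return true; // true = finished; false asks WCF to call Evaluate again after other policies run
        }
    }

    public sealed class OperationClaimAuthorizationManager : ServiceAuthorizationManager
    {
        // Override CheckAccessCore, not CheckAccess. The base CheckAccess runs the policies
        // and fills ServiceSecurityContext.AuthorizationContext before calling this method;
        // overriding CheckAccess without calling base.CheckAccess leaves ClaimSets empty here.
        protected override bool CheckAccessCore(OperationContext operationContext)
        {
            ServiceSecurityContext ctx = operationContext.ServiceSecurityContext;
            if (ctx == null || ctx.IsAnonymous)
                return false; // deny explicitly when no caller identity exists

            // Operation name is the last segment of the WS-Addressing Action,
            // e.g. "http://tempuri.org/INotebookUploadService/UploadNotebook".
            string action = operationContext.IncomingMessageHeaders.Action ?? string.Empty;
            string operation = action.Substring(action.LastIndexOf('/') + 1);

            return HasOperationClaim(ctx.AuthorizationContext.ClaimSets, operation);
        }

        // Kept separate so the claim check can be unit-tested without an OperationContext.
        public static bool HasOperationClaim(IEnumerable<ClaimSet> claimSets, string operation)
        {
            foreach (ClaimSet set in claimSets)
                foreach (Claim claim in set.FindClaims(ClaimsAuthorizationPolicy.OperationClaimType,
                                                       Rights.PossessProperty))
                    if (string.Equals(claim.Resource as string, operation, StringComparison.Ordinal))
                        return true;
            return false;
        }
    }
}
```

A quick way to confirm the ordering during debugging is to set a breakpoint in Evaluate and another in CheckAccessCore: with the manager registered as shown, Evaluate must hit first, and ctx.AuthorizationContext.ClaimSets should contain the DefaultClaimSet added by the policy when CheckAccessCore is reached.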