Pass through Windows Identity to Web Service

Discussion in 'ASP .Net Web Services' started by Noremac, Nov 15, 2007.

  1. Noremac

    Noremac Guest

    I have a web site. It's business layer is accessed through another web
    service. Both are hosted on IIS.

    When this application is deployed on the intranet, we have people access it
    through their AD accounts. Ideally, we want to pass the Windows Identity that
    is accessing the website through to the business web service layer. The web
    service layer then grabs the roles from AzMan and returns a custom identity
    class (that implements IIdentity).

    The problem I am having is that both the web site and web service have to
    have <identity impersonate="true" /> in order for the web service to get the
    client's identity. We don't want the web site to use the client identity. We
    want the web site to run under ASPNET / Network Service (i.e. the identity
    assigned for the App Pool).
    Noremac, Nov 15, 2007
    #1
    1. Advertising

  2. Hi Noremac,

    For your scenario, you need to pass the windows identity from the ASP.NET
    application to the webservice application without enable impersonate in
    ASP.NET web application ,correct?

    I assume that your web application and webservice are on the same server
    machine(other wise, we can not forward client authenticated user token
    across multiple machine boundary--- double hop).

    Then, if you do not to imperonate your ASP.NET application through
    <web.config>, you can consider the following means:

    **use programmatic impersonate. Thus, you can put impersonate code only at
    the function where you'll call the webservice. Since you've used "windows"
    authentication in ASP.NET web app, you can use the authenticated user
    identity(through Context.User.Identity) to perform the impersonate. Here
    are two articles that may help you:

    #How To: Use Windows Authentication in ASP.NET 2.0
    http://msdn2.microsoft.com/en-us/library/ms998358.aspx

    #How To: Use Impersonation and Delegation in ASP.NET 2.0
    http://msdn2.microsoft.com/en-us/library/ms998351.aspx

    How do you think?

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead



    ==================================================

    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
    ications.



    Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
    where an initial response from the community or a Microsoft Support
    Engineer within 1 business day is acceptable. Please note that each follow
    up response may take approximately 2 business days as the support
    professional working with you may need further investigation to reach the
    most efficient resolution. The offering is not appropriate for situations
    that require urgent, real-time or phone-based interactions or complex
    project analysis and dump analysis issues. Issues of this nature are best
    handled working with a dedicated Microsoft Support Engineer by contacting
    Microsoft Customer Support Services (CSS) at
    http://msdn.microsoft.com/subscriptions/support/default.aspx.

    ==================================================


    This posting is provided "AS IS" with no warranties, and confers no rights.








    --------------------
    >From: =?Utf-8?B?Tm9yZW1hYw==?= <>
    >Subject: Pass through Windows Identity to Web Service
    >Date: Thu, 15 Nov 2007 11:25:04 -0800


    >
    >I have a web site. It's business layer is accessed through another web
    >service. Both are hosted on IIS.
    >
    >When this application is deployed on the intranet, we have people access

    it
    >through their AD accounts. Ideally, we want to pass the Windows Identity

    that
    >is accessing the website through to the business web service layer. The

    web
    >service layer then grabs the roles from AzMan and returns a custom

    identity
    >class (that implements IIdentity).
    >
    >The problem I am having is that both the web site and web service have to
    >have <identity impersonate="true" /> in order for the web service to get

    the
    >client's identity. We don't want the web site to use the client identity.

    We
    >want the web site to run under ASPNET / Network Service (i.e. the identity
    >assigned for the App Pool).
    >
    >
    >
    Steven Cheng[MSFT], Nov 16, 2007
    #2
    1. Advertising

  3. Hi Noremac,

    Have you got any further idea on this issue? If you need any other help,
    please feel free to post here.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    This posting is provided "AS IS" with no warranties, and confers no rights.




    --------------------
    >From: (Steven Cheng[MSFT])
    >Organization: Microsoft
    >Date: Fri, 16 Nov 2007 04:29:09 GMT
    >Subject: RE: Pass through Windows Identity to Web Service


    >
    >Hi Noremac,
    >
    >For your scenario, you need to pass the windows identity from the ASP.NET
    >application to the webservice application without enable impersonate in
    >ASP.NET web application ,correct?
    >
    >I assume that your web application and webservice are on the same server
    >machine(other wise, we can not forward client authenticated user token
    >across multiple machine boundary--- double hop).
    >
    >Then, if you do not to imperonate your ASP.NET application through
    ><web.config>, you can consider the following means:
    >
    >**use programmatic impersonate. Thus, you can put impersonate code only at
    >the function where you'll call the webservice. Since you've used "windows"
    >authentication in ASP.NET web app, you can use the authenticated user
    >identity(through Context.User.Identity) to perform the impersonate. Here
    >are two articles that may help you:
    >
    >#How To: Use Windows Authentication in ASP.NET 2.0
    >http://msdn2.microsoft.com/en-us/library/ms998358.aspx
    >
    >#How To: Use Impersonation and Delegation in ASP.NET 2.0
    >http://msdn2.microsoft.com/en-us/library/ms998351.aspx
    >
    >How do you think?
    >
    >Sincerely,
    >
    >Steven Cheng
    >
    >Microsoft MSDN Online Support Lead
    >
    >
    >
    >==================================================
    >
    >Get notification to my posts through email? Please refer to
    >http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#noti

    f
    >ications.
    >
    >
    >
    >Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
    >where an initial response from the community or a Microsoft Support
    >Engineer within 1 business day is acceptable. Please note that each follow
    >up response may take approximately 2 business days as the support
    >professional working with you may need further investigation to reach the
    >most efficient resolution. The offering is not appropriate for situations
    >that require urgent, real-time or phone-based interactions or complex
    >project analysis and dump analysis issues. Issues of this nature are best
    >handled working with a dedicated Microsoft Support Engineer by contacting
    >Microsoft Customer Support Services (CSS) at
    >http://msdn.microsoft.com/subscriptions/support/default.aspx.
    >
    >==================================================
    >
    >
    >This posting is provided "AS IS" with no warranties, and confers no rights.
    >
    >
    >
    >
    >
    >
    >
    >
    >--------------------
    >>From: =?Utf-8?B?Tm9yZW1hYw==?= <>
    >>Subject: Pass through Windows Identity to Web Service
    >>Date: Thu, 15 Nov 2007 11:25:04 -0800

    >
    >>
    >>I have a web site. It's business layer is accessed through another web
    >>service. Both are hosted on IIS.
    >>
    >>When this application is deployed on the intranet, we have people access

    >it
    >>through their AD accounts. Ideally, we want to pass the Windows Identity

    >that
    >>is accessing the website through to the business web service layer. The

    >web
    >>service layer then grabs the roles from AzMan and returns a custom

    >identity
    >>class (that implements IIdentity).
    >>
    >>The problem I am having is that both the web site and web service have to
    >>have <identity impersonate="true" /> in order for the web service to get

    >the
    >>client's identity. We don't want the web site to use the client identity.

    >We
    >>want the web site to run under ASPNET / Network Service (i.e. the

    identity
    >>assigned for the App Pool).
    >>
    >>
    >>

    >
    >
    Steven Cheng[MSFT], Nov 21, 2007
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Giovanni Bassi
    Replies:
    0
    Views:
    646
    Giovanni Bassi
    Oct 20, 2003
  2. nalbayo
    Replies:
    2
    Views:
    5,498
    Bruce Barker
    Nov 11, 2005
  3. prowyh
    Replies:
    0
    Views:
    315
    prowyh
    Nov 16, 2007
  4. JimLad
    Replies:
    0
    Views:
    447
    JimLad
    Jan 16, 2009
  5. TS

    Recommended way to pass identity to web service

    TS, Apr 6, 2007, in forum: ASP .Net Web Services
    Replies:
    7
    Views:
    139
    Steven Cheng[MSFT]
    Apr 17, 2007
Loading...

Share This Page