S4U Kerberos for calling WCF services

Discussion in 'ASP .Net Security' started by Alhambra Eidos Kiquenet, Feb 6, 2008.

  1. Hi all, misters

    I have an ASP.NET 2.0 application that uses WCF services.

    I want to use S4U Kerberos for calling WCF services using a delegate account.

    The application runs under Windows integrated authentication and anonymous
    access is turned off.

    My code is similar to this:

    using System;
    using System.Runtime.InteropServices;
    using System.Security;
    using System.Security.Principal;

    // Declarations for P/Invoke. SetLastError = true lets Marshal.GetLastWin32Error()
    // read the error code reliably; a P/Invoked GetLastError() is not safe in .NET.
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool LogonUser(string lpszUsername, string lpszDomain,
        string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern bool DuplicateToken(IntPtr hToken, int impersonationLevel,
        ref IntPtr hNewToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hHandle);

    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_PROVIDER_DEFAULT = 0;
    private const int SecurityImpersonation = 2;

    private WindowsImpersonationContext impersonationContext;

    public void Switch(string userName, string password, string domain)
    {
        IntPtr token = IntPtr.Zero;
        IntPtr tokenDuplicate = IntPtr.Zero;
        impersonationContext = null;

        try
        {
            // Log on with the given user account.
            bool loggedOn = LogonUser(
                userName,                   // user
                domain,                     // machine or domain name
                password,
                LOGON32_LOGON_INTERACTIVE,
                LOGON32_PROVIDER_DEFAULT,
                out token);                 // the user's token is returned here

            if (!loggedOn)
            {
                throw new SecurityException(userName + " logon failed, Win32 error "
                    + Marshal.GetLastWin32Error());
            }

            // Duplicate the primary token as an impersonation token.
            if (!DuplicateToken(token, SecurityImpersonation, ref tokenDuplicate))
            {
                throw new SecurityException("Logon use failed, Win32 error "
                    + Marshal.GetLastWin32Error());
            }

            WindowsIdentity tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
            // Switch the thread's current "run as" identity to the new Windows identity.
            impersonationContext = tempWindowsIdentity.Impersonate();
        }
        finally
        {
            // WindowsIdentity keeps its own copy of the handle, so both can be closed here.
            if (tokenDuplicate != IntPtr.Zero) CloseHandle(tokenDuplicate);
            if (token != IntPtr.Zero) CloseHandle(token);
        }
    } // public void Switch(string userName, string password, string domain)

    public void UndoSwitch()
    {
        if (impersonationContext != null)
        {
            impersonationContext.Undo();
            impersonationContext = null;
        }
    }

    // In the page:
    this.Response.Write(" WindowsIdentity: " + WindowsIdentity.GetCurrent().Name);

    Switch(S4U_USER, S4U_PASS, S4U_DOMAIN);

    //this.Response.Write(" WindowsIdentity: " + WindowsIdentity.GetCurrent().Name); // Error: Access denied

    WindowsIdentity identity = new WindowsIdentity(""); // I get error: Attempted to perform an unauthorized operation

    identity.Impersonate();

    // Calling the WCF service
    using (AgenteTareas agenteTareas = new AgenteTareas())
    {
        TareaWorkflow tarea = agenteTareas.ObtenerNuevaTareaNoFinalizada();
        this.Response.Write(string.Format("Tarea nueva {0} ", tarea.ToString()));
    }

    UndoSwitch();

    I get an error: Attempted to perform an unauthorized operation

    Any help will be appreciated. Best regards. Thanks in advance.




    --
    http://www.alhambra-eidos.es/web2005/index.html
    www.kiquenet.net
    http://www.setbb.com/putainformatica/viewtopic.php?p=843
    www.trabajobasura.com/solusoft
    Alhambra Eidos Kiquenet, Feb 6, 2008
    #1

  2. S4U has very specific pre-requisites:

    - machine must be Windows 2003 +
    - machine must run in a native win2003 domain
    - you can only delegate via constrained delegation
    - worker process account needs the SeImpersonatePrivilege

    is this all the case?

    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    Dominick Baier, Feb 6, 2008
    #2

  3. Hi mister,

    all pre-requisites are ok.

    Greetings

    "Dominick Baier" wrote:

    > S4U has very specific pre-requisites:
    >
    > - machine must be Windows 2003 +
    > - machine must run in a native win2003 domain
    > - you can only delegate via constrained delegaiton
    > - worker process account needs the SeImpersonatePrivilege
    >
    > is this all the case?
    >
    Alhambra Eidos Kiquenet, Feb 6, 2008
    #3
  4. Joe Kaplan (Guest)

    Also, the "strength" of the token generated by S4U depends on whether the
    calling process has SeTcbName privilege (act as part of the operating
    system). If yes, then the token is an impersonation token. If no, the
    token is an identity level token.

    The identity level token can still be impersonated in code, but it cannot be
    used to access any secure objects on the local system like a file or
    something.

    Technically, it is possible to be able to delegate an identity level token
    but in practice it is very hard to make this work. For example, if you
    impersonate such a token and use DefaultCredentials with an HttpWebRequest
    object, it will usually fail before the remote call is made because .NET
    will try to read a configuration file on the local machine and that
    operation will fail. I would not be surprised if similar problems occurred
    with WCF.

    So, in practice it is very hard to get practical code examples to work if
    the ability to impersonate locally is not enabled. As such, the calling
    process may need SeTcbName privilege. If you want to do it the right way,
    refer to Keith Brown's fairly recent MSDN mag article discussing this
    problem where he demonstrates the proper technique for putting the S4U login
    in an external process with elevated rights and copying the generated token
    back into the original process.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Alhambra Eidos Kiquenet" <>
    wrote in message news:...
    Joe Kaplan, Feb 6, 2008
    #4
  5. Identity tokens and SeTcbName

    I have noticed that even if the account has SeTcbName privilege, it may still get an "identity" token if UAC is enabled and the client doesn't run as administrator.

    Always check/assert the value of the ImpersonationLevel property of the WindowsIdentity object.



    Michel Baladi, Jun 30, 2010
    #5
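As an added example (not code from the thread or from any of its posters) of the check Joe Kaplan and Michel Baladi describe: the S4U logon is done with the WindowsIdentity(string) constructor, which is .NET's protocol-transition (S4U2Self) logon, and the thread only impersonates the result when the token is Impersonation level or better. AgenteTareas is the original poster's own proxy type; S4U_TARGET_UPN is a placeholder.

```csharp
using System;
using System.Security;
using System.Security.Principal;

// S4U logon for a target user plus the token-level check the thread recommends.
// WindowsIdentity(string) asks the KDC for an S4U2Self ticket; no password is used.
public static class S4ULogon
{
    public delegate T Work<T>();

    // Returns the identity only if its token can actually be impersonated.
    public static WindowsIdentity LogonAsUser(string upn)
    {
        // Throws if the worker process lacks SeImpersonatePrivilege or the
        // domain does not support protocol transition (Windows 2003+ native).
        WindowsIdentity identity = new WindowsIdentity(upn);

        // Without SeTcbPrivilege (or under UAC when the process is not elevated)
        // the token is only Identification level: Impersonate() still succeeds,
        // but every later access check against a local object (files, config,
        // network credentials) fails, which is what "unauthorized operation" means.
        TokenImpersonationLevel level = identity.ImpersonationLevel;
        if (level != TokenImpersonationLevel.Impersonation &&
            level != TokenImpersonationLevel.Delegation)
        {
            throw new SecurityException(
                "S4U returned a " + level + " token for " + upn +
                "; SeTcbPrivilege is required for an impersonation token.");
        }
        return identity;
    }

    // Runs 'work' (e.g. the WCF proxy call) while the thread impersonates the
    // S4U token, and always reverts to the process identity afterwards.
    public static T RunAs<T>(string upn, Work<T> work)
    {
        WindowsIdentity identity = LogonAsUser(upn);
        WindowsImpersonationContext context = identity.Impersonate();
        try
        {
            return work();
        }
        finally
        {
            context.Undo();
        }
    }
}

// Usage from the page code-behind (S4U_TARGET_UPN is a placeholder):
// string tarea = S4ULogon.RunAs<string>("S4U_TARGET_UPN", delegate {
//     using (AgenteTareas agente = new AgenteTareas())
//         return agente.ObtenerNuevaTareaNoFinalizada().ToString();
// });
```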