You're welcome Marshall,
Have a good weekend!
Steven Cheng
Microsoft Online Support
Get Secure!
www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no rights.)
--------------------
| From: "Marshall" <[email protected]>
| Subject: Re: Web Service Identity
| Date: Thu, 15 Sep 2005 09:06:22 -0400
| Newsgroups: microsoft.public.dotnet.framework.aspnet.webservices
|
| Thank you very much Steve!
|
| I really appreciate all of your help. I got it working. One thing I messed
| up on within the web.config of webservice B is I had authentication set to
| 'none'. When I added your code to set the credentials and changed the
| authentication to 'windows', everything worked just the way I wanted it to.
|
| Thanks again,
|
| Marshall
|
| > Hi Marshall,
| >
| > Thanks for your response. So you mean the webserviceA has passed its
| > client's credential to the webserviceB? Seems a bit strange, have you
| > turned on impersonate in web.config of webservice A? Based on my
| > experience, when calling webservice through clientside proxy, we need to
| > use the proxy.Credentials to pass our user credential. And in webserviceA,
| > we can use the System.Net.CredentialCache.DefaultCredentials like:
| >
| > DocService.DocService ds = new DemoWebApp.DocService.DocService();
| > ds.Credentials = System.Net.CredentialCache.DefaultCredentials;
| >
| > and this will use the asp.net process identity by default (if impersonate
| > is not being used).
| >
| > So please have a check in the webservice A to see whether it has used
| > impersonate. Also, in webserviceB, you can use some code to print out the
| > current client side credential and thread principal as below:
| >
| > string str = null;
| >
| > str = string.Format("<br/>context user: {0}, <br/>thread user: {1}",
| >     HttpContext.Current.User.Identity.Name,
| >     System.Threading.Thread.CurrentPrincipal.Identity.Name);
| >
| > Thanks,
| >
| > Steven Cheng
| > Microsoft Online Support
| >
| >
| > --------------------
| > | From: "Marshall" <[email protected]>
| > | Subject: Re: Web Service Identity
| > | Date: Wed, 14 Sep 2005 08:40:32 -0400
| > | Newsgroups: microsoft.public.dotnet.framework.aspnet.webservices
| > |
| > | Thanks for your help, Steve.
| > |
| > | Your description of the problem is not totally true.
| > |
| > | Here is your updated description:
| > | From your description, you're using integrated windows authentication in IIS
| > | for webservice A so as to get the clientside user's windows credential in
| > | asp.net webservice. And you'll do some Role checking in webmethods. Also,
| > | since the webservice A needs to call another remote webservice B which
| > | requires a certain domain account/role, so you configured the application
| > | pool identity for webservice A under a certain domain account. -- Correct.
| > |
| > | However, I found that when I pass credentials to webservice A, it assumes
| > | the identity of the credentials I passed in. So when webservice A makes a
| > | call to webservice B, webservice B receives the credentials I passed into
| > | webservice A.
| > |
| > | What I want to happen is:
| > | I pass credentials into webservice A and the credentials are verified. When
| > | webservice A makes the call to webservice B, webservice B should
| > | automatically receive, as its credentials, the identity of webservice A's
| > | application pool.
| > |
| > | The client passes its credentials to webservice A via:
| > | roleMapWS.Credentials = new NetworkCredential(userName, password, domain);
| > |
| > |
| > | Thank you for the links. I will look into them.
| > |
| > | Thanks again,
| > |
| > | Marshall
| > |
| > | > Hi Marshall,
| > | >
| > | > Welcome to ASPNET newsgroup.
| > | > From your description, you're using integrated windows authentication in
| > | > IIS for webservice A so as to get the clientside user's windows credential
| > | > in asp.net webservice. And you'll do some Role checking in webmethods.
| > | > Also, since the webservice A needs to call another remote webservice B
| > | > which requires a certain domain account/role, so you configured the
| > | > application pool identity for webservice A under a certain domain account.
| > | > However, you found the PrincipalPermission attribute in webservice A's
| > | > method doesn't validate the clientside user, but the application pool's
| > | > identity, yes?
| > | >
| > | > As for this problem, it is because the .NET's Security PrincipalPermission
| > | > check is based on the currently running process/thread's security context.
| > | > So for asp.net, if we're not using impersonate, the PrincipalPermission's
| > | > assert will be made on the default process account (application pool's
| > | > identity) rather than the clientside user's identity. The clientside user's
| > | > identity is held in the HttpContext.Current.User.Identity property.
| > | >
| > | > So for your scenario, I think we have the following two options:
| > | >
| > | > 1. Still use the PrincipalPermission to do the role checking, however, we
| > | > need to programmatically call impersonate to impersonate the client user
| > | > before entering the method where we do the checking and revert back to
| > | > process identity after the method call.
| > | >
| > | > #How to implement impersonation in an ASP.NET application
| > | > http://support.microsoft.com/default.aspx?scid=kb;en-us;306158
| > | >
| > | > 2. Still not use impersonate, however, we need to manually call
| > | >
| > | > HttpContext.Current.User.IsInRole(...)
| > | >
| > | > to check the client user's roles instead of using PrincipalPermission.
| > | >
| > | > If you have anything unclear, please feel free to post here. Thanks,
| > | >
| > | > Steven Cheng
| > | > Microsoft Online Support
| > | >
| > | >
| > | > --------------------
| > | > | From: "Marshall" <[email protected]>
| > | > | Subject: Web Service Identity
| > | > | Date: Tue, 13 Sep 2005 16:02:49 -0400
| > | > | Newsgroups: microsoft.public.dotnet.framework.aspnet.webservices
| > | > |
| > | > | Hi All,
| > | > |
| > | > | I have a web service [1] that runs under its own IIS Application Pool
| > | > | with the identity of a specific domain account. The web service [1] is
| > | > | set up for windows authentication only.
| > | > |
| > | > | Within my web method I require the caller to be a member of a specific
| > | > | domain group using the PrincipalPermission attribute. It appears that my
| > | > | web service [1] is assuming the identity of the caller. The behavior that
| > | > | I want is for the web method to verify the identity of the caller while
| > | > | keeping the identity of the application pool.
| > | > |
| > | > | From within my web method I make a call to another web service [2] which
| > | > | employs the same security methods except requiring the caller to be a
| > | > | member of a different domain group. The application pool for my web
| > | > | service [1] is a member of the group required by web service [2].
| > | > |
| > | > | What do I need to do to get this to work the way I want?
| > | > |
| > | > | Thank you for all of your help,
| > | > |
| > | > | Marshall
| > | > |
| > | > | Here is the code for my web method for web service [1].
| > | > | [WebMethod]
| > | > | [PrincipalPermission(SecurityAction.Demand, Role=@"OPEN\RoleMapWS_Readers")]
| > | > | public Open.Foundation.RoleMap.User AuthenticateUser(int domainId,
| > | > |     string userName, string password)
| > | > | {
| > | > |     Open.Foundation.RoleMap.User user = null;
| > | > |
| > | > |     try
| > | > |     {
| > | > |         // Call another web service here
| > | > |         return user;
| > | > |     }
| > | > |     catch (Exception ex)
| > | > |     {
| > | > |         throw;
| > | > |     }
| > | > |     finally
| > | > |     {
| > | > |         user = null;
| > | > |     }
| > | > | }
| > | > |
| > | >
| > |
| >
|
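Added example, not code from Marshall or Steven: web service A as the thread ends up configuring it, combining Steven's option 2 (a manual HttpContext.Current.User.IsInRole check on the caller) with the proxy.Credentials = CredentialCache.DefaultCredentials call from his second reply, so that service B is called under the application pool account. The class, proxy and method names RoleMapService, DocService and GetDocument are assumed for illustration.

```csharp
// Added example, not from the thread. Assumes web.config has
// <authentication mode="Windows"/> and no <identity impersonate="true"/>, so the
// worker thread runs as the application pool account while IIS authenticates the caller.
using System.Net;
using System.Security;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Services;

public class RoleMapService : WebService
{
    [WebMethod]
    public string ReadDocument(string documentId)
    {
        // Option 2 from the thread: test the caller's group membership against
        // HttpContext.Current.User, the principal IIS authenticated for this
        // request, rather than relying on a PrincipalPermission demand.
        RequireCallerRole(@"OPEN\RoleMapWS_Readers");

        // Call web service B through its generated proxy (DocService is an
        // assumed name). DefaultCredentials is the credential of the security
        // context the call runs in, which without impersonation is the
        // application pool account, so B authenticates the pool account and
        // never sees the caller's own credentials.
        DocService.DocService ds = new DocService.DocService();
        ds.Credentials = CredentialCache.DefaultCredentials;
        return ds.GetDocument(documentId);
    }

    // Diagnostic from Steven's second reply: report the request principal and
    // the thread principal to see which identity a request runs under.
    [WebMethod]
    public string WhoAmI()
    {
        return string.Format("context user: {0}, thread user: {1}",
            HttpContext.Current.User.Identity.Name,
            Thread.CurrentPrincipal.Identity.Name);
    }

    private static void RequireCallerRole(string role)
    {
        IPrincipal caller = HttpContext.Current.User;
        if (caller == null || !caller.Identity.IsAuthenticated || !caller.IsInRole(role))
        {
            // Fail closed: an unauthenticated or unauthorized caller gets a SOAP fault.
            throw new SecurityException("Caller is not a member of " + role);
        }
    }
}
```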