Alhambra Eidos Kiquenet
Hi all,
I have an ASP.NET 2.0 application that uses WCF services.
I want to use S4U Kerberos to call WCF services using a delegate account.
The application runs under Windows integrated authentication and anonymous
access is turned off.
My code is similar to this:
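// --- P/Invoke declarations -------------------------------------------------
// SetLastError = true is what makes Marshal.GetLastWin32Error() report the
// failure code of the call that just returned; without it the value is
// undefined. CharSet.Auto matches the DuplicateToken declaration below.
[DllImport(@"advapi32.dll", CharSet = System.Runtime.InteropServices.CharSet.Auto, SetLastError = true)]
public static extern bool LogonUser(String lpszUsername, String lpszDomain,
    String lpszPassword, int dwLogonType, int dwLogonProvider, out System.IntPtr phToken);

// Kept only for callers that still reference it. A P/Invoked GetLastError is
// unreliable from managed code because the runtime may issue its own Win32
// calls between the failing call and this one; use
// Marshal.GetLastWin32Error() together with SetLastError = true instead.
[Obsolete("Use System.Runtime.InteropServices.Marshal.GetLastWin32Error() with SetLastError = true on the P/Invoke declaration.")]
[DllImport(@"Kernel32.dll")]
public static extern int GetLastError();

[DllImport(@"advapi32.dll", CharSet = System.Runtime.InteropServices.CharSet.Auto, SetLastError = true)]
public extern static bool DuplicateToken(IntPtr hToken, int impersonationLevel, ref IntPtr hNewToken);

// Releases the raw token handles returned by LogonUser/DuplicateToken. The
// original code never closed them, leaking two handles per Switch() call.
[DllImport(@"kernel32.dll", SetLastError = true)]
private static extern bool CloseHandle(IntPtr hObject);

// LogonUser dwLogonType: interactive logon; the account must hold the
// interactive-logon right on this machine.
private const int LOGON32_LOGON_INTERACTIVE = 2;
// LogonUser dwLogonProvider: the platform's default provider.
private const int LOGON32_PROVIDER_DEFAULT = 0;
// SECURITY_IMPERSONATION_LEVEL value passed to DuplicateToken.
private const int SecurityImpersonation = 2;

/// <summary>
/// Logs on <paramref name="userName"/> with the given password and switches the
/// current thread to that account. The impersonation context is stored in
/// <c>impersonationContext</c> so that UndoSwitch() can revert it.
/// </summary>
/// <param name="userName">Account name to log on.</param>
/// <param name="password">Password of that account.</param>
/// <param name="domain">Domain or machine name that owns the account.</param>
/// <exception cref="System.Security.SecurityException">
/// The logon failed or the token could not be duplicated; the inner
/// <see cref="System.ComponentModel.Win32Exception"/> carries the Win32 error code.
/// </exception>
public void Switch(string userName, string password, string domain)
{
    IntPtr token = IntPtr.Zero;
    IntPtr tokenDuplicate = IntPtr.Zero;
    impersonationContext = null;
    try
    {
        // Log on with the given user account; the primary token is returned in 'token'.
        bool loggedOn = LogonUser(userName, domain, password,
            LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token);
        if (!loggedOn)
        {
            // Read the error code before any other call can overwrite it.
            int error = System.Runtime.InteropServices.Marshal.GetLastWin32Error();
            throw new System.Security.SecurityException(userName + " logon failed",
                new System.ComponentModel.Win32Exception(error));
        }

        // Duplicate to an impersonation-level token. WindowsIdentity also accepts
        // the primary token directly; the duplicate is kept to preserve behavior.
        if (!DuplicateToken(token, SecurityImpersonation, ref tokenDuplicate))
        {
            int error = System.Runtime.InteropServices.Marshal.GetLastWin32Error();
            throw new System.Security.SecurityException("Logon use failed",
                new System.ComponentModel.Win32Exception(error));
        }

        // WindowsIdentity duplicates the handle it is given, so the raw handles
        // stay owned by this method and are released in the finally block.
        WindowsIdentity tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
        // Change the thread's current "run as" to the new Windows identity.
        impersonationContext = tempWindowsIdentity.Impersonate();
    }
    finally
    {
        // Release the raw handles whether or not the switch succeeded. The
        // original try/catch ("throw ex;") only reset the stack trace and
        // never closed them; exceptions now propagate with their original trace.
        if (tokenDuplicate != IntPtr.Zero)
        {
            CloseHandle(tokenDuplicate);
        }
        if (token != IntPtr.Zero)
        {
            CloseHandle(token);
        }
    }
} // public void Switch (string userName, string password, string domain)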
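this.Response.Write(" WindowsIdentity: " + WindowsIdentity.GetCurrent().Name);
// S4U_PASS is a stored cleartext credential. The WindowsIdentity(string) logon
// further down is the actual S4U path and needs no password at all, so only one
// of the two mechanisms should be necessary here.
Switch(S4U_USER, S4U_PASS, S4U_DOMAIN);
try
{
    //this.Response.Write(" WindowsIdentity: " + WindowsIdentity.GetCurrent().Name); // Error: Access denied
    // NOTE(review): WindowsIdentity(string) asks the LSA for an S4U logon of the
    // given UPN. It is invoked here while the thread is already impersonating the
    // account logged on by Switch(), so the request carries that account's rights
    // rather than the worker process's — presumably why it fails with "Attempted
    // to perform an unauthorized operation"; confirm by calling it before Switch().
    WindowsIdentity identity = new WindowsIdentity("(e-mail address removed)");
    // Keep the nested impersonation context; the original discarded the return
    // value of Impersonate(), so this identity could never be reverted explicitly.
    WindowsImpersonationContext s4uContext = identity.Impersonate();
    try
    {
        // Call the WCF service under the impersonated identity.
        using (AgenteTareas agenteTareas = new AgenteTareas())
        {
            TareaWorkflow tarea = agenteTareas.ObtenerNuevaTareaNoFinalizada();
            this.Response.Write(string.Format("Tarea nueva {0} ", tarea));
        }
    }
    finally
    {
        // Undo the nested impersonation before the outer one.
        s4uContext.Undo();
    }
}
finally
{
    // Always revert the thread to its original identity, even when the calls
    // above throw; the original left the thread impersonating on failure.
    UndoSwitch();
}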
I get an error: Attempted to perform an unauthorized operation
Any help would be appreciated. Best regards. Thanks in advance.
I have an ASP.NET 2.0 application that uses WCF services.
I want to use S4U Kerberos to call WCF services using a delegate account.
The application runs under Windows integrated authentication and anonymous
access is turned off.
My code is similar to this:
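// --- P/Invoke declarations -------------------------------------------------
// SetLastError = true is what makes Marshal.GetLastWin32Error() report the
// failure code of the call that just returned; without it the value is
// undefined. CharSet.Auto matches the DuplicateToken declaration below.
[DllImport(@"advapi32.dll", CharSet = System.Runtime.InteropServices.CharSet.Auto, SetLastError = true)]
public static extern bool LogonUser(String lpszUsername, String lpszDomain,
    String lpszPassword, int dwLogonType, int dwLogonProvider, out System.IntPtr phToken);

// Kept only for callers that still reference it. A P/Invoked GetLastError is
// unreliable from managed code because the runtime may issue its own Win32
// calls between the failing call and this one; use
// Marshal.GetLastWin32Error() together with SetLastError = true instead.
[Obsolete("Use System.Runtime.InteropServices.Marshal.GetLastWin32Error() with SetLastError = true on the P/Invoke declaration.")]
[DllImport(@"Kernel32.dll")]
public static extern int GetLastError();

[DllImport(@"advapi32.dll", CharSet = System.Runtime.InteropServices.CharSet.Auto, SetLastError = true)]
public extern static bool DuplicateToken(IntPtr hToken, int impersonationLevel, ref IntPtr hNewToken);

// Releases the raw token handles returned by LogonUser/DuplicateToken. The
// original code never closed them, leaking two handles per Switch() call.
[DllImport(@"kernel32.dll", SetLastError = true)]
private static extern bool CloseHandle(IntPtr hObject);

// LogonUser dwLogonType: interactive logon; the account must hold the
// interactive-logon right on this machine.
private const int LOGON32_LOGON_INTERACTIVE = 2;
// LogonUser dwLogonProvider: the platform's default provider.
private const int LOGON32_PROVIDER_DEFAULT = 0;
// SECURITY_IMPERSONATION_LEVEL value passed to DuplicateToken.
private const int SecurityImpersonation = 2;

/// <summary>
/// Logs on <paramref name="userName"/> with the given password and switches the
/// current thread to that account. The impersonation context is stored in
/// <c>impersonationContext</c> so that UndoSwitch() can revert it.
/// </summary>
/// <param name="userName">Account name to log on.</param>
/// <param name="password">Password of that account.</param>
/// <param name="domain">Domain or machine name that owns the account.</param>
/// <exception cref="System.Security.SecurityException">
/// The logon failed or the token could not be duplicated; the inner
/// <see cref="System.ComponentModel.Win32Exception"/> carries the Win32 error code.
/// </exception>
public void Switch(string userName, string password, string domain)
{
    IntPtr token = IntPtr.Zero;
    IntPtr tokenDuplicate = IntPtr.Zero;
    impersonationContext = null;
    try
    {
        // Log on with the given user account; the primary token is returned in 'token'.
        bool loggedOn = LogonUser(userName, domain, password,
            LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token);
        if (!loggedOn)
        {
            // Read the error code before any other call can overwrite it.
            int error = System.Runtime.InteropServices.Marshal.GetLastWin32Error();
            throw new System.Security.SecurityException(userName + " logon failed",
                new System.ComponentModel.Win32Exception(error));
        }

        // Duplicate to an impersonation-level token. WindowsIdentity also accepts
        // the primary token directly; the duplicate is kept to preserve behavior.
        if (!DuplicateToken(token, SecurityImpersonation, ref tokenDuplicate))
        {
            int error = System.Runtime.InteropServices.Marshal.GetLastWin32Error();
            throw new System.Security.SecurityException("Logon use failed",
                new System.ComponentModel.Win32Exception(error));
        }

        // WindowsIdentity duplicates the handle it is given, so the raw handles
        // stay owned by this method and are released in the finally block.
        WindowsIdentity tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
        // Change the thread's current "run as" to the new Windows identity.
        impersonationContext = tempWindowsIdentity.Impersonate();
    }
    finally
    {
        // Release the raw handles whether or not the switch succeeded. The
        // original try/catch ("throw ex;") only reset the stack trace and
        // never closed them; exceptions now propagate with their original trace.
        if (tokenDuplicate != IntPtr.Zero)
        {
            CloseHandle(tokenDuplicate);
        }
        if (token != IntPtr.Zero)
        {
            CloseHandle(token);
        }
    }
} // public void Switch (string userName, string password, string domain)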
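this.Response.Write(" WindowsIdentity: " + WindowsIdentity.GetCurrent().Name);
// S4U_PASS is a stored cleartext credential. The WindowsIdentity(string) logon
// further down is the actual S4U path and needs no password at all, so only one
// of the two mechanisms should be necessary here.
Switch(S4U_USER, S4U_PASS, S4U_DOMAIN);
try
{
    //this.Response.Write(" WindowsIdentity: " + WindowsIdentity.GetCurrent().Name); // Error: Access denied
    // NOTE(review): WindowsIdentity(string) asks the LSA for an S4U logon of the
    // given UPN. It is invoked here while the thread is already impersonating the
    // account logged on by Switch(), so the request carries that account's rights
    // rather than the worker process's — presumably why it fails with "Attempted
    // to perform an unauthorized operation"; confirm by calling it before Switch().
    WindowsIdentity identity = new WindowsIdentity("(e-mail address removed)");
    // Keep the nested impersonation context; the original discarded the return
    // value of Impersonate(), so this identity could never be reverted explicitly.
    WindowsImpersonationContext s4uContext = identity.Impersonate();
    try
    {
        // Call the WCF service under the impersonated identity.
        using (AgenteTareas agenteTareas = new AgenteTareas())
        {
            TareaWorkflow tarea = agenteTareas.ObtenerNuevaTareaNoFinalizada();
            this.Response.Write(string.Format("Tarea nueva {0} ", tarea));
        }
    }
    finally
    {
        // Undo the nested impersonation before the outer one.
        s4uContext.Undo();
    }
}
finally
{
    // Always revert the thread to its original identity, even when the calls
    // above throw; the original left the thread impersonating on failure.
    UndoSwitch();
}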
I get an error: Attempted to perform an unauthorized operation
Any help would be appreciated. Best regards. Thanks in advance.