S4U Kerberos for calling WCF services

[Alhambra Eidos Kiquenet]

Hi all, misters

I have an ASP .NET 2.0 application , that uses WCF services.

I want use S4U Kerberos for calling WCF services using delegate account.

The application runs under Windows integrated authentication and anonymous
access is turned off.

My code is similar like this:

//declare for p/invoke
[DllImport(@"advapi32.dll")]
public static extern bool LogonUser(String lpszUsername, String lpszDomain,
String lpszPassword,int dwLogonType, int dwLogonProvider, out System.IntPtr
phToken);

[DllImport(@"Kernel32.dll")]
public static extern int GetLastError();

[DllImport(@"advapi32.dll", CharSet =
System.Runtime.InteropServices.CharSet.Auto, SetLastError = true)]
public extern static bool DuplicateToken(IntPtr hToken,int
impersonationLevel,ref IntPtr hNewToken);

private const int LOGON32_LOGON_INTERACTIVE = 2;
private const int LOGON32_PROVIDER_DEFAULT = 0;
private const int SecurityImpersonation = 2;

public void Switch(string userName, string password, string domain)
{

try
{

IntPtr token = IntPtr.Zero;
impersonationContext = null;

// log on con la cuenta de usuario dada
bool loggedOn = LogonUser(
// Usuario
userName,
// Máquina o nombre del dominio.
domain,
password,
LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT,
// The user token for the specified user is returned here.
out token);

if (loggedOn == false)
{
throw new System.Security.SecurityException(userName + " logon failed");
}

IntPtr tokenDuplicate = IntPtr.Zero;
WindowsIdentity tempWindowsIdentity = null; //duplicate the security token
if (DuplicateToken(token, SecurityImpersonation, ref tokenDuplicate) != false)
{
tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
// Camia el actual "runAs" del hilo al nuevo Windows Identity
impersonationContext = tempWindowsIdentity.Impersonate();
}
else
{
throw new System.Security.SecurityException("Logon use failed");
}
}
catch (Exception ex)
{
throw ex;
}
} // public void Switch (string userName, string password, string domain)


this.Response.Write(" WindowsIdentity: " + WindowsIdentity.GetCurrent().Name);


Switch(S4U_USER, S4U_PASS, S4U_DOMAIN);

//this.Response.Write(" WindowsIdentity: " +
WindowsIdentity.GetCurrent().Name); // Error: Access denied

WindowsIdentity identity = new WindowsIdentity("(e-mail address removed)"); // I
get error: Attempted to perform an unauthorized operation

identity.Impersonate();

// CALLIN WCF Service
using (AgenteTareas agenteTareas = new AgenteTareas())

{

TareaWorkflow tarea = agenteTareas.ObtenerNuevaTareaNoFinalizada();

this.Response.Write( string.Format("Tarea nueva {0} ", new object[] {
tarea.ToString() }) );

}

UndoSwitch();

I get an error: Attempted to perform an unauthorized operation

Any help will be appreciated and grateful. Best regards. Thanks in advance.

 

[Dominick Baier]

S4U has very specific pre-requisites:

- machine must be Windows 2003 +
- machine must run in a native win2003 domain
- you can only delegate via constrained delegaiton
- worker process account needs the SeImpersonatePrivilege

is this all the case?

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Hi all, misters

I have an ASP .NET 2.0 application , that uses WCF services.

I want use S4U Kerberos for calling WCF services using delegate
account.

The application runs under Windows integrated authentication and
anonymous access is turned off.

My code is similar like this:

//declare for p/invoke
[DllImport(@"advapi32.dll")]
public static extern bool LogonUser(String lpszUsername, String
lpszDomain,
String lpszPassword,int dwLogonType, int dwLogonProvider, out
System.IntPtr
phToken);
[DllImport(@"Kernel32.dll")]
public static extern int GetLastError();
[DllImport(@"advapi32.dll", CharSet =
System.Runtime.InteropServices.CharSet.Auto, SetLastError = true)]
public extern static bool DuplicateToken(IntPtr hToken,int
impersonationLevel,ref IntPtr hNewToken);

private const int LOGON32_LOGON_INTERACTIVE = 2;
private const int LOGON32_PROVIDER_DEFAULT = 0;
private const int SecurityImpersonation = 2;
public void Switch(string userName, string password, string domain) {

try
{
IntPtr token = IntPtr.Zero;
impersonationContext = null;
// log on con la cuenta de usuario dada
bool loggedOn = LogonUser(
// Usuario
userName,
// Máquina o nombre del dominio.
domain,
password,
LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT,
// The user token for the specified user is returned here.
out token);
if (loggedOn == false)
{
throw new System.Security.SecurityException(userName + " logon
failed");
}
IntPtr tokenDuplicate = IntPtr.Zero;
WindowsIdentity tempWindowsIdentity = null; //duplicate the security
token
if (DuplicateToken(token, SecurityImpersonation, ref tokenDuplicate)
!= false)
{
tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
// Camia el actual "runAs" del hilo al nuevo Windows Identity
impersonationContext = tempWindowsIdentity.Impersonate();
}
else
{
throw new System.Security.SecurityException("Logon use failed");
}
}
catch (Exception ex)
{
throw ex;
}
} // public void Switch (string userName, string password, string
domain)
this.Response.Write(" WindowsIdentity: " +
WindowsIdentity.GetCurrent().Name);

Switch(S4U_USER, S4U_PASS, S4U_DOMAIN);

//this.Response.Write(" WindowsIdentity: " +
WindowsIdentity.GetCurrent().Name); // Error: Access denied

WindowsIdentity identity = new WindowsIdentity("(e-mail address removed)");
// I get error: Attempted to perform an unauthorized operation

identity.Impersonate();

// CALLIN WCF Service
using (AgenteTareas agenteTareas = new AgenteTareas())
{

TareaWorkflow tarea = agenteTareas.ObtenerNuevaTareaNoFinalizada();

this.Response.Write( string.Format("Tarea nueva {0} ", new object[] {
tarea.ToString() }) );

}

UndoSwitch();

I get an error: Attempted to perform an unauthorized operation

Any help will be appreciated and grateful. Best regards. Thanks in
advance.

 

[Alhambra Eidos Kiquenet]

Hi mister,

all pre-requisites is ok.

Greetings

 

[Joe Kaplan]

Also, the "strength" of the token generated by S4U depends on whether the
calling process has SeTcbName privilege (act as part of the operating
system). If yes, then the token is an impersonation token. If no, the
token is an identify level token.

The identity level token can still be impersonated in code, but it cannot be
used to access any secure objects on the local system like a file or
something.

Technically, it is possible to be able to delegate an identify level token
but in practice it is very hard to make this work. For example, if you
impersonate such a token and use DefaultCredentials with an HttpWebRequest
object, it will usually fail before the remote call is made because .NET
will try to read a configuration file on the local machine and that
operation will fail. I would not be surprised if similar problems occurred
with WCF.

So, in practice it is very hard to get practical code examples to work if
the ability to impersonate locally is not enabled. As such, the calling
process may need SeTcbName privilege. If you want to do it the right way,
refer to Keith Brown's fairly recent MSDN mag article discussing this
problem where he demonstrates the proper technique for putting the S4U login
in an external process with elevated rights and copying the generated token
back into the original process.

Joe K.

 

[Michel Baladi]

I have noticed that even if the account has SeTcbName privilege, it may still get an "identify" token if UAC is enabled and the client doesn't run as administrator.

Allways check/assert the value of the ImpersonationLevel property of the WindowsIdentity object.



Dominick Baier wrote:

Re: S4U Kerberos for calling WCF services
06-Feb-08

S4U has very specific pre-requisites

- machine must be Windows 2003
- machine must run in a native win2003 domai
- you can only delegate via constrained delegaito
- worker process account needs the SeImpersonatePrivileg

is this all the case

----
Dominick Baier (http://www.leastprivilege.com

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Previous Posts In This Thread:

S4U Kerberos for calling WCF services
Hi all, mister

I have an ASP .NET 2.0 application , that uses WCF services.

I want use S4U Kerberos for calling WCF services using delegate account

The application runs under Windows integrated authentication and anonymous
access is turned off

My code is similar like this

//declare for p/invok
[DllImport(@"advapi32.dll")
public static extern bool LogonUser(String lpszUsername, String lpszDomain,
String lpszPassword,int dwLogonType, int dwLogonProvider, out System.IntPtr
phToken);

[DllImport(@"Kernel32.dll")
public static extern int GetLastError()

[DllImport(@"advapi32.dll", CharSet =
System.Runtime.InteropServices.CharSet.Auto, SetLastError = true)
public extern static bool DuplicateToken(IntPtr hToken,int
impersonationLevel,ref IntPtr hNewToken);

private const int LOGON32_LOGON_INTERACTIVE = 2
private const int LOGON32_PROVIDER_DEFAULT = 0
private const int SecurityImpersonation = 2

public void Switch(string userName, string password, string domain


tr


IntPtr token = IntPtr.Zero
impersonationContext = null

// log on con la cuenta de usuario dad
bool loggedOn = LogonUser
// Usuari
userName
// M??quina o nombre del dominio
domain
password
LOGON32_LOGON_INTERACTIVE
LOGON32_PROVIDER_DEFAULT
// The user token for the specified user is returned here
out token);

if (loggedOn == false

throw new System.Security.SecurityException(userName + " logon failed")


IntPtr tokenDuplicate = IntPtr.Zero
WindowsIdentity tempWindowsIdentity = null; //duplicate the security toke
if (DuplicateToken(token, SecurityImpersonation, ref tokenDuplicate) != false

tempWindowsIdentity = new WindowsIdentity(tokenDuplicate)
// Camia el actual "runAs" del hilo al nuevo Windows Identity
impersonationContext = tempWindowsIdentity.Impersonate()

els

throw new System.Security.SecurityException("Logon use failed")


catch (Exception ex

throw ex

} // public void Switch (string userName, string password, string domain)

this.Response.Write(" WindowsIdentity: " + WindowsIdentity.GetCurrent().Name)

Switch(S4U_USER, S4U_PASS, S4U_DOMAIN)

//this.Response.Write(" WindowsIdentity: " +
WindowsIdentity.GetCurrent().Name); // Error: Access denie

WindowsIdentity identity = new WindowsIdentity("(e-mail address removed)"); // I
get error: Attempted to perform an unauthorized operation

identity.Impersonate()

// CALLIN WCF Servic
using (AgenteTareas agenteTareas = new AgenteTareas())



TareaWorkflow tarea = agenteTareas.ObtenerNuevaTareaNoFinalizada()

this.Response.Write( string.Format("Tarea nueva {0} ", new object[] {
tarea.ToString() }) );



UndoSwitch()

I get an error: Attempted to perform an unauthorized operatio

Any help will be appreciated and grateful. Best regards. Thanks in advance


--
http://www.alhambra-eidos.es/web2005/index.htm
www.kiquenet.ne
http://www.setbb.com/putainformatica/viewtopic.php?p=84
www.trabajobasura.com/solusoft

Re: S4U Kerberos for calling WCF services
S4U has very specific pre-requisites

- machine must be Windows 2003
- machine must run in a native win2003 domai
- you can only delegate via constrained delegaito
- worker process account needs the SeImpersonatePrivilege

is this all the case?

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Re: S4U Kerberos for calling WCF services
Hi mister,

all pre-requisites is ok.

Greetings

:

Also, the "strength" of the token generated by S4U depends on whether the
Also, the "strength" of the token generated by S4U depends on whether the
calling process has SeTcbName privilege (act as part of the operating
system). If yes, then the token is an impersonation token. If no, the
token is an identify level token.

The identity level token can still be impersonated in code, but it cannot be
used to access any secure objects on the local system like a file or
something.

Technically, it is possible to be able to delegate an identify level token
but in practice it is very hard to make this work. For example, if you
impersonate such a token and use DefaultCredentials with an HttpWebRequest
object, it will usually fail before the remote call is made because .NET
will try to read a configuration file on the local machine and that
operation will fail. I would not be surprised if similar problems occurred
with WCF.

So, in practice it is very hard to get practical code examples to work if
the ability to impersonate locally is not enabled. As such, the calling
process may need SeTcbName privilege. If you want to do it the right way,
refer to Keith Brown's fairly recent MSDN mag article discussing this
problem where he demonstrates the proper technique for putting the S4U login
in an external process with elevated rights and copying the generated token
back into the original process.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Alhambra Eidos Kiquenet" <[email protected]>
wrote in message

Submitted via EggHeadCafe - Software Developer Portal of Choice
Task Parallelism in C# 4.0 with System.Threading.Tasks
http://www.eggheadcafe.com/tutorial...lelism-in-c-40-with-systemthreadingtasks.aspx