Programmatic Impersonation Delegation For Remote Resources (Double-Hop)

Submitted by 笑着哭i on 2019-12-09 23:22:15

Question


I am having a hard time getting Runtime Impersonation to work.

Scenario:

  • Anonymous access is disabled in all servers, and windows auth is enabled
  • Client calls Web Api 1
  • Web Api 1 may call Web Api 2, or the oData Service
  • Call from Web Api 1 to Web Api 2 needs to be impersonated with the Client Credentials
  • Calls from Web Api 1 to oData Service must not be impersonated
  • Web Api 1 calls both services using Web Request
  • We have Kerberos delegation configured properly

What Works (Kinda):

If I turn on impersonation in Web Api 1 using the Web.config

<authentication mode="Windows"/>
<identity impersonate="true"/>

  • All calls are getting impersonated. Web Api 1 --> Web Api 2, and Web Api 1 --> oData Service

This is not what we want. We want the oData Service to be accessible only via the Application Pool account. Hence we don't want to impersonate all outgoing calls from Web Api 1.

Programmatic Impersonation

We tried to impersonate only calls going from Web Api 1 to Web Api 2 using the following code

Disable Impersonation in Web.config

<authentication mode="Windows"/>
<identity impersonate="false"/>

Impersonate calls from Web Api 1 to Web Api 2.

// Impersonate the currently authenticated User
using (((WindowsIdentity)HttpContext.Current.User.Identity).Impersonate()) {
    var request = (HttpWebRequest)HttpWebRequest.Create(uri);
    ...
    ...
    request.Credentials = CredentialCache.DefaultCredentials;

    response = (HttpWebResponse)request.GetResponse();
}

Results:

  • Calls from Web Api 1 to oData are not impersonated (as expected)
  • Calls from Web Api 1 to Web Api 2 are not impersonated either. This is the problem.

Question:

  • Is this how runtime impersonation should be implemented in Web Services?
  • What are we doing wrong?

Any pointers would be helpful.


Answer 1:


The code mentioned in the question works!! There was some problem with delegation that needed to be fixed.

Thanks
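
An added example, not code from the original post: it separates the two outbound paths from the question and traces which Windows identity each call actually runs under, so a broken second hop shows up in the trace. The class and method names are hypothetical, and it assumes classic ASP.NET on .NET Framework with Windows authentication and `<identity impersonate="false"/>`.

```csharp
using System;
using System.Diagnostics;
using System.Net;
using System.Security.Principal;
using System.Web;

// Hypothetical helper for Web Api 1 (names are illustrative, not from the post).
public static class OutboundCalls
{
    // Web Api 1 --> Web Api 2: only this call runs under the client's identity.
    public static HttpWebResponse CallWebApi2AsCaller(Uri webApi2Uri)
    {
        var caller = HttpContext.Current.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new InvalidOperationException("Request is not Windows-authenticated.");

        // Record what kind of token arrived; useful when the second hop fails.
        Trace.TraceInformation("Caller={0} AuthType={1} Level={2}",
            caller.Name, caller.AuthenticationType, caller.ImpersonationLevel);

        using (caller.Impersonate())
        {
            // Inside the scope the thread token is the caller's, not the app pool's.
            Trace.TraceInformation("Thread identity for Web Api 2 call: {0}",
                WindowsIdentity.GetCurrent().Name);

            var request = (HttpWebRequest)WebRequest.Create(webApi2Uri);
            request.Credentials = CredentialCache.DefaultCredentials;
            return (HttpWebResponse)request.GetResponse();
        }
        // Leaving the using block reverts the thread to the application pool account.
    }

    // Web Api 1 --> oData Service: no impersonation scope, so the
    // application pool account authenticates to the service.
    public static HttpWebResponse CallODataAsAppPool(Uri odataUri)
    {
        Trace.TraceInformation("Thread identity for oData call: {0}",
            WindowsIdentity.GetCurrent().Name);

        var request = (HttpWebRequest)WebRequest.Create(odataUri);
        request.Credentials = CredentialCache.DefaultCredentials;
        return (HttpWebResponse)request.GetResponse();
    }
}
```

If the trace shows the caller's name inside the impersonation scope but Web Api 2 still sees a different or anonymous user, the code path is fine and the Kerberos delegation configuration is the place to look.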



Source: https://stackoverflow.com/questions/27725896/programmatic-impersonation-delegation-for-remote-resources-double-hop