Azure Web App Web API使用ClaimsIdentity模拟用户

Question

In my Azure Web App I want to impersonate the user by using their ClaimsIdentity to call a 3rd party API. The 3rd party web API allows Basic or Kerberos, optionally I can switch to the 3rd party SDK which uses windows integrated security if neccessary.

The problem I'm running into is the impersonation bit, below is my code as it is.

var webUser = HttpContext.Current.User.Identity as ClaimsIdentity;

var windowsIdentity = S4UClient.UpnLogon(webUser.Claims.FirstOrDefault(x => x.Type.Equals(ClaimTypes.Upn)).Value);

using (var impersonationContext = windowsIdentity.Impersonate())
{
    //make call to 3rd party Web API or SDK
}

When running the above I get the following error:

The pipe endpoint 'net.pipe://localhost/s4u/022694f3-9fbd-422b-b4b2-312e25dae2a2' could not be found on your local machine.

Everything I've read points to starting the C2WTS windows service, is there a way to start this service for an Azure web app? If not how can I go about impersonating the user or passing credentials to my 3rd party api/sdk?

Answer 1

When you use the Azure WebApp, you are isolated from the infrastructure and the hosting enviroment - so you can not start something like "Windows service".

If you need to use Windows / Kerberos authentication for individual user to access your resources behind your web application, you can't use Azure WebApp. You should use Azure VM with IIS which is a member server of your domain. Then you can configure your web application to accept claim based authentication (eg from Azure AD) and make the impersonation to your internal domain account by the UPN and WindwosIdentity constructor (> .NET 4.5).