C# How to windows impersonate over distributed system?

Question

I have distributed system, in which I access some internal network resource through Windows Authentication:

1. User #345 request -> MyWebInterface -> SerializableQueue -> Worker #123
2. Worker #123 access resource through WinAuth (currently under service account, not from user account).
3. User #345 response <- MyWebInterface <- SerializableQueue <- Worker #123

The problem is in step 2 - I need to impersonate under User #345 and then access resource. This is security requirement to use this resource.

How one should serialize user credentials and then deserialize them at worker to accomplish WinAuth impersonation?

Answer 1

Impersonation is not a native feature of any queueing system I'm aware of - MSMQ in particular does not offer this functionality.

I'm taking the scenario where you have an asynchronous service that Requires impersonation to a back end service you do not control (eg an SMB share or another service which requires windows auth). If you do control the back-end service, consider allowing your service to authenticate as itself then “act as” the real client.

So, under the assumption you need real impersonation, you have a couple options: S4U and C2WTS . Both are essentially ways to use SeTcbPrivilege to issue tokens for users by username (no password required). A good tutorial of both technologies is available on MSDN .

If that doesn't immediately trigger the warning bells, it should be noted that this would be a very security critical piece of code. SeTcbPrivilege by itself only affects the local machine and is therefore manageable, but if used in combination with delegation it can be used to access remote resources with the same privileges as the caller. You essentially are running your service with “domain admin” rights unless constrained and planned very carefully.