WCF impersonation/ Authentication

Question

I've seen through the examples for impersonation but I'm still having issue.

Some details of the structure:

ASP.net: Windows authentication
WCF: hosted in IIS, currently working using allow anonymous user

What I want to achieve is to allow the authenticated Windows login to be passed to the WCF for access control like blocking anonymous users from trying to call the service.

When using the ASP.net application, if the computer is logged in as administrator, but fails at Active Directory as it is not a defined user under the AD, a popup by the browser will prompt for the userid and password.

When prompted, user will then enter the correct user id and password corresponding to the AD. Hence, login passed.
But when I passed the window authentication credential to WCF using WCF's impersonate, it shows me as administrator instead of the ASP.net authenticated user information.

What should I do to get the correct ASP.net authenticated user information instead of what the user login in Windows.

Answer 1

In your ASP.Net application you have to set <identity impersonate="true"/> in your web.config.

Then you would have to add impersonation to your call to the WCF service with something like this inside the ASP.Net app:

using (((WindowsIdentity)HttpContext.Current.User.Identity).Impersonate())
{
    WebClient client = new WebClient
       {
        Credentials = CredentialCache.DefaultNetworkCredentials
       };
    string result = client.DownloadString("http://someserver");
}

Also check out patterns & practices: WCF Security Guidance for a step by step tutorial on how to add impersonation on WCF calls from a web app.