Re: <identity impersonat=> problems.
From: Paul Clement (UseAdddressAtEndofMessage_at_swspectrum.com)
Date: 08/02/05
- Next message: albier: "Authorization against AD using MC++"
- Previous message: nobody101_at_comcast.net: "<identity impersonat=> problems."
- In reply to: nobody101_at_comcast.net: "<identity impersonat=> problems."
- Next in thread: nobody101_at_comcast.net: "Re: <identity impersonat=> problems."
- Reply: nobody101_at_comcast.net: "Re: <identity impersonat=> problems."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 02 Aug 2005 13:12:24 -0500
On 2 Aug 2005 09:54:30 -0700, "nobody101@comcast.net" <nobody101@comcast.net> wrote:
¤
¤
¤ I have a web service configured with Anonymous access disabled.
¤ The calling client, prior to executing a method on the service,
¤ sets its network credentials for the IIS to authenticate:
¤
¤
¤ CredentialCache cacheVU = new CredentialCache();
¤ cacheVU.Add( new Uri(<my url here>), "Negotiate",new
¤ NetworkCredential( Username, Password, Domain) );
¤
¤
¤ WebServiceProxy.Credentials = cacheVU;
¤
¤
¤ My web service method works OK. However, I need to access a network
¤ share, so I wanted to use the
¤
¤
¤ <identity impersonate="true" />
¤
¤
¤ setting in my web service's web.config file. However,
¤ when I try to access the remote share, I get an access denied error:
¤ Access to the path "..." is denied
¤
¤
¤ However, if I change the <identity> element and add the "username"
¤ and "password" attributes - which are the same username and password
¤ that the web service authentication use, it works OK.
¤
¤
¤ I thought the <identity> w/o the username/password should
¤ inherit the user context.
¤
¤
¤ I added some debug statements, and displayed:
¤
¤
¤ - Thread.CurrentPrincipal.Identity
¤ - WindowsIdentity.GetCurrent
¤ - User.Identity
¤
¤
¤ and in both cases ( with and without explicit username/password in the
¤ <identity> element), the
¤ dumped names are the same, so I am assuming the impersonation is
¤ enabled. So, why are my access rights denied for the case w/o the
¤ explicit username/password defined?
Probably because you cannot impersonate and delegate the encrypted credentials (authenticated via
IIS) to the remote server in order to access the resource. This is not supported through Integrated
Windows authentication. It would probably work with Basic authentication. When using the web.config
identity you not only have the credentials to delegate but they are unencrypted.
You may want to check the following article on delegation:
Paul
~~~~
Microsoft MVP (Visual Basic)
- Next message: albier: "Authorization against AD using MC++"
- Previous message: nobody101_at_comcast.net: "<identity impersonat=> problems."
- In reply to: nobody101_at_comcast.net: "<identity impersonat=> problems."
- Next in thread: nobody101_at_comcast.net: "Re: <identity impersonat=> problems."
- Reply: nobody101_at_comcast.net: "Re: <identity impersonat=> problems."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
