.NET Tutorials, Forums, Interview Questions And Answers
Welcome :Guest
Sign In
Win Surprise Gifts!!!

Post New Web Links

Impersonation & ClientCredentials

Posted By:      Posted Date: October 25, 2010    Points: 0   Category :WCF

I'm experiencing an odd problem with Impersonation.  I've got a web service in production that requires Impersonation, and a client that uses a channel factory for a WS HTTP binding.  Here is the code that I use to generate the channel factory:

private static IReferenceListService ProductionClient
 ChannelFactory<IReferenceListService> referenceListServiceFactory =
  new ChannelFactory<IReferenceListService>("Repository.Service.IReferenceListService_Production");

 referenceListServiceFactory.Credentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;

 return referenceListServiceFactory.CreateChannel();

Now, this code works fine both in test & production, for all users, until a week ago.  Only I am affected by this problem - all other users can still use the service fine.  I am the only person affected, and this problem only occurs when I attempt to use the production service, the test service (same code, domain etc) works fine.  Attempting to use the product

View Complete Post

More Related Resource Links

Wrong Account being used to access files - Help - No Impersonation


I run a simple .aspx website on a Windows Server 2008 machine.

There is NO impersonation, and System.Security.Principal.WindowsIdentity.GetCurrent().Name returns NT AUTHORITY\NETWORK SERVICE, which it the account which the application pool runs. In my web.config, I have <authentication mode="Forms">.


I tried to test the security of the application and server by removing file permissions to the .aspx files. I was greatly worried when the website continued to run without problem (it should not have been able to read the .aspx files).

By turning on file level auditing, I discovered that the .aspx files were being read by the machine$ account (if the machine is called Serv1, then the files would be read by the Serv1$ account, which seems to have access to all files on the local machine).


Is this a security breach or is this behaviour by design ?

Please can somebody assist, as I am worried.

Search Webservice Impersonation









We are looking for some help with Impersonated SharePoint Search.

We are trying to execute a search with a given user and having no luck.


We have tried the methods in this article and it’s not hiding results that the user does not have access to.

Error in Impersonation - different domain account.

Hi I am trying to stop a windows service in a server(on different domain) from my C#.NET windows application using ServiceController I am getting following error Inner Exception: {"Access is denied"} Exception Message: "Cannot open Service Control Manager on computer 'x.y.z.a'. This operation might require other privileges." Enviroment:       Windows application running on Windows 7, C#.NET, 3.5 on “ABC” DOMAIN       Target service running on Windows 2003 server. on “XYZ” DOMAIN       Port 445,135 opened between two systems Code:       ServiceController lo_WinSC = new ServiceController();       lo_WinSC.MachineName = "SYSTEMIPAddress";       lo_WinSC.ServiceName = "ServiceToBeStopped"; Some forum suggesting to impersonate account of target domain but failed to Impersonate. Error: “The security database on the server does not have a computer account for this workstation trust relationship”   Question 1: Is it possibile to impersonate account of different domain. i.e My application running on “XYZ” domain, I would like to impersonate an account “ABC” domain. Note: Port LDAP port 389 is opened between two systems. Is possb

Active Directory user impersonation with forms authentication

I've written a small ASP.NET 3.5 application to allow users to update selected account attributes on their own. Everything works fine when I use Basic Authentication, but because the dialog that is presented is less than ideal, I'd like to use forms authentication to give the users more instruction on how to log in. My problem is that in order for the user to update their account information, I have to have the application impersonate them for the update actions. I've scoured the internet trying to find a solution to my issue, but nothing fits or works. I have tried setting the web.config:<identity impersonate="true" /> but that doesn't seem to work. I also have the C# code using the WindowsImpersonationContext class, but still no luck. protected void titleTextBox_TextChanged(object sender, EventArgs e) { TextBox tb = (TextBox)sender; string fieldTitle = "job title"; string fieldName = "title"; if (userDirectoryEntry == null) CaptureUserIdentity(); try { WindowsImpersonationContext impersonationContext = userWindowsIdentity.Impersonate(); if (String.IsNullOrEmpty(tb.Text)) userDirectoryEntry.Properties[fieldName].Clear();

Documentation on impersonation of Windows LiveID with data service?

Hi There, I'm not finding any documentation on impersonating a Windows LiveID over a WCF data service. I can find documentation on Windows Auth. For example, this article is great, but its first step is "Configure Your Service to Use Windows Authentication": http://geekswithblogs.net/manesh/archive/2009/04/23/setting-up-wcf-to-impersonate-client-credentials.aspx. I'm not sure how to do this when I'm working with the LIVEID. Alternatively, and even preferably, if there's a way I can manipulate the connection string the data service is using from the WCF endpoint, that would be ideal. I need to grab some info about the user in the Silverlight app that's using the data service, and somehow impersonate that user. The user is a Windows LiveID, which is what I have hard-coded in my connection string in my web.config. Thanks!  Web: http://invoc.net

User Impersonation

Hi everyone, I'm trying to impersonate a login to change security context without successful. Any comments will be appreciated. Here is the code:   USE master GO -- Create Logins. CREATE LOGIN [UsrTest] WITH PASSWORD = '123456789', CHECK_EXPIRATION = OFF, CHECK_POLICY = OFF; CREATE LOGIN [UsrImp] WITH PASSWORD = '123456789', CHECK_EXPIRATION = OFF, CHECK_POLICY = OFF; GO -- Create users. CREATE USER [UsrTest] FOR LOGIN [UsrTest]; CREATE USER [UsrImp] FOR LOGIN [UsrImp]; -- Create Procedure to change execution context. CREATE PROCEDURE dbo.usp_User_Impersonate WITH EXECUTE AS 'UsrImp' AS SELECT a.auth_scheme FROM sys.dm_exec_connections a JOIN sys.dm_exec_sessions b ON a.session_id = b.session_id AND a.session_id = @@SPID WHERE b.login_name = ORIGINAL_LOGIN(); GO -- Permmissions. GRANT VIEW SERVER STATE TO [UsrImp]; GRANT EXECUTE ON [dbo].[usp_User_Impersonate] TO [UsrImp]; GRANT EXECUTE ON [dbo].[usp_User_Impersonate] TO [UsrTest]; GO -- Logon with UsrImp. -- Run Query = OK (SQL) EXECUTE dbo.usp_User_Impersonate; -- Logon with UsrTest -- Run Query = No resultset :( EXECUTE dbo.usp_User_Impersonate; -- Even with sysadmin login = No resultset :( EXECUTE dbo.usp_User_Impersonate; --Clean up DROP PROCEDURE dbo.usp_User_Impersonate; DROP USER [UsrImp]; DROP USER [UsrTest]; DROP LOGIN [UsrImp]; DROP LOGIN [UsrTest]; Tested on: SQL Server

Impersonation issue | Multiple domain

Hi,I am working on an Intranet site.The site is running with the following configurationWindows 2003 Server, IIS 6The users of the site come from 3 different domains (say Domain A, B, C). We have Integrated Windows Authentication turned on. App pool identity - Network Service Impersonation is turned Off in web.config. We try to impersonate the original caller programatically for one functionality where we try to access contents of a folder on shared drive by giving a UNC path. System.Security.Principal.WindowsImpersonationContext impersonationContext;impersonationContext = ((System.Security.Principal.WindowsIdentity)Context.User.Identity).Impersonate();...DirectoryInfo rootDir = new DirectoryInfo(path); DirectoryInfo[] dirContents = rootDir.GetDirectories();// We show the folders and files which can be downloaded after this ..impersonationContext.Undo();  The web server and the file share are on domain AIssue The above functionality works fine for all users coming from Domain A but for users coming in from Domain B and C get System.UnauthorizedAccessException at rootDir.GetDirectories(). But when the same users type the same UNC path from Win>Run or File Explorer, they are able to open it.The users are all coming in through IE6, so they do not have to provide their user name, password as trust has been established between all 3 domains. Can anyone please p

ASP.NET Impersonation in IIS 6

Hey guys, I have a question. Hope you must have answer for it. I am using impersonation in my ASP.NET application to access network resources. It works fine when I run on my computer, however when I setup the site on IIS6, it does not work. Is there some extra configuration, I need make in IIS for it? Any ideas?Please also know following:1. I created an account "TestUser" with the privilege as "act as operating system" on a server that has the resources which I want to access.2. The impersonation works fine on my computer, when I run from visual studio. My computer is on the network under same domain where the "TestUser" is created.3. However, when I upload the application on IIS 6.0, which is on different server. It does not work.4. In the IIS, I disabled Anonymous Access and enabled Integrated Windows authentication. Application pool is default and application pool's identity is set as -> Predefined: networkThanks for your reply.raphikdanish/raphikdanish

Create a new process in web service using delegated impersonation context

Hi, I've written an ASP.NET 2.0 web service which is consumed by a web application which goes out and gets configuration data back from newly built win2k3 servers in a large enterprise. I am using kerberos delegation and impersonation to pass through the users domain admin rights to interrogate the server which has just been built. The web pool identity (IIS 6.0) runs under a low priviledge service account. I have all the delegation part working ok. The problem I am having is that I want to programmatically kick off a process which executes a cmd line executable and redirects the output, all under the context of the user who's being impersonated. I understand that the process will be external to the impersonated thread, so will end up running under the worker process identity, which is why I'm getting an "access is denied" message. I've been reading about the CreateProcessAsUser and createprocesswithlogonw API functions but all I've seen is examples where people specifically state the username and password in their code. This is not something I can do as the environment is very secure, so what I need to do is seamlessly get the identity of the impersonated user, and some how feed that into a function which will create the process under the correct domain admins identity and feed back out the StdOuput. Is this something that can be achieved, and if so, how? Man

Invoking custom WCF service throws an Impersonation error from SQL

I've written a custom WCF service and hosted it in SharePoint. Accessing the MEX endpoint works fine. However, when I try to invoke the WCF service from my client code, I get the following error: 'A transport-level error has occurred when sending the request to the server. (provider: Shared Memory Provider, error: 0 - Either a required impersonation level was not provided, or the provided impersonation level is invalid.)'. This exception gets thrown even before my WCF service gets invoked. Attaching a debugger, I see the following stack trace associated with the exception: 00000000`0c2dd7d0 000007fe`e7589b95 System_Data_ni!System.Data.SqlClient.SqlConnection.OnError(System.Data.SqlClient.SqlException, Boolean)+0xd4 00000000`0c2dd810 000007fe`e7b7cd3b System_Data_ni!System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(System.Data.SqlClient.TdsParserStateObject)+0xf5 00000000`0c2dd870 000007fe`e758c4ee System_Data_ni!System.Data.SqlClient.TdsParserStateObject.WriteSni()+0x5f77ab 00000000`0c2dd8f0 000007fe`e758bf29 System_Data_ni!System.Data.SqlClient.TdsParserStateObject.ExecuteFlush()+0xae 00000000`0c2dd950 000007fe`e757a1c7 System_Data_ni!System.Data.SqlClient.TdsParser.TdsExecuteRPC(System.Data.SqlClient._SqlRPC[], Int32, Boolean, System.Data.Sql.SqlNotificationRequest, System.Data.SqlClient.TdsParserStateObject, Boolean)+0x1189 00000000`0c2ddbf

Connection string with password or impersonation

Which is the best solution for a program which runs as networkservice (or defined user) and needs to be connected to a database as a specific user: DbConnection ConnectionString with username and password                                          or Impersonate Windows Identity just before running the query Keep in mind security is important in my case.  

Use of Impersonation in SSAS?

Hi, I have following doubts related to Impersonation - 1. If we can access underlying database after configuring connection string, then why we need to configure Impersonation mode? What exactly impersonation does? If someone can provide me exact steps or any flow chart which clearly explains how AS engine interacts with the DB engine that would be of great help, I really want to understand this. 2. Best practices says, use Service Account as the impersonation mode but, why we should use it; what are the benefits? Also, what exactly Inherit option is? 3. I read different options of impersonatin mode in MSDN/books, but I am not able to relate them into the practical scenarios. If someone can provide which mode is good in which situation etc. would be of great help? 4. Also, why we don't need impersonation for SSIS or SSRS? If we need it at all, where we set those settings? Thanks in advance. Regards, Santosh Joshi  Josh

How to propagate WCF impersonation to COM object

I’m working on a project to write a wrapper on a COM component in WCF. COM object needs impersonation in some levels to provide certain functionalities to impersonated user. Basically any impersonation in .Net application doesn't propagate to I know if I want to impersonate inside .Net application. I’ve seen following sentence in How To: Use Impersonation and Delegation in ASP.NET 2.0 “The impersonation token does not propagate across threads if you use COM interop with components that have incompatible threading models, or if you use unmanaged techniques to create new threads” Actually I have a COM component and I want to use this component in my WCF Services. One of classes in COM object has got a property which returns current user. I wrote a console application to test impersonation and see if impersonation does propagate to COM object or not. I have an impersonation class it impersonates to passed username and password.  Following code returns different username for .net and COM object. It means it doesn’t propagate to COM object. static void Main(string[] args) { DoWork(); Console.ReadLine(); } private static void DoWork() { ImpersonateClass impersonate = new ImpersonateClass(); using (impersonate.ImpersonateUser("AnotherUser", "Domain", "passw0rd")) { COMTESTLib.TestClass obj = new CO

impersonation and Run as Administator

Hello I'm working on three-tier project that uses  LogonUser and ImpersonateLoggedInUser API calls to run connection to the database on the service side with client credentials. And there is a little security issue that I cann't find how to solve. On the Windows 2000 server service part works fine. But on the Windows 2008 server if the service application was not started with 'run administrator' option then it fails to connect to the MS SQL database with errors:  The type initializer for 'System.Data.SqlClient.SqlConnection' threw an exception.  The type initializer for 'System.Data.SqlClient.SqlConnectionFactory' threw an exception.  The type initializer for 'System.Data.SqlClient.SqlPerformanceCounters' threw an exception.  Requested registry access is not allowed.  I've found that registry key HKLM\Software\Microsoft\Microsoft SQL Server\Instance Names\SQL cann't be accessed with BAD_IMPERSONATION error in the ProcessMonitor. The code that impersonates looks like if (ImpersonateLoggedOnUser(logonToken)) // Windows API call, token was received with LogonUser API function call { message = string.Format("ImpersonateLoggedOnUser as {0}", WindowsIdentity.GetCurrent().Name); Console.WriteLine(message); Trace.WriteLine(message); string cn = "Server=SERVER_NAME;Database=DATABASE_NAME;Integrated Security=True;Multi

Using Impersonation or Certificates Across Linked Servers

We are trying to isolate the custom reporting stored procedures from our third-party SQL Server database ("SourceData" database) by placing all of those procedures in a separate database ("MyReporting" database) on a separate server. In addition, and most critically, I am trying to prevent all ad-hoc reporting (MS Access, Excel, developers) against the third-party database. To accomplish this, I grant permission to a specific user to execute a stored proc in the reporting database and then the stored proc accesses the data in the third-party database either by impersonation using EXECUTE AS or by certificates (following the model described in this MSDN article: http://msdn.microsoft.com/en-us/library/ms188304(SQL.90).aspx). However, as soon as I try to implement this model across multiple servers using Linked Servers, I am unsuccessful (with one unsatisfactory exception). As far as I can tell, I've tried every combination of option in the Linked Server setup. The unsatisfactory option it to map the reporting user to the "SourceDataID" user in the SourceData database. That works, however, that simply opens up the ability to perform ad-hoc reporting if a user connects to the reporting database since the Linked Server exposes all of the tables that the SourceDataID has access to.Below are diagrams describing how these models are setup:In this Imperso

IIS 6 Windows Authentication + ASP.NET Impersonation when application resides on a UNC share

When the application resides on a local folder, the current user ((System.Threading.Thread.CurrentPrincipal.Identity.Name) is the windows authenticated user. OK. But..when the application resides on a UNC share, the current user is the windows user configured in IIS virtual directory to access the UNC share. This is not the desired behavior in my case, what I want is to have the same behavior as in the case where the application is in a local folder (current user matches the windows authenticated user)This is configurable in some way in IIS 6 or IIS 7?   thanks in advance,Alexander Wolff  

Issue by enabling Impersonation on IIS 7.5

Dear all,I am running ASP.MVC 2 with LINQ2SQL on IIS 7.5. I have enabled Windows Authentication with ASP.NET Impersonation. Application pool is running on different domain account [Asia\TestWebUser] is part of windows group [Asia\TestUserGrp]When i enable Asp.net impersonation on MVC web site. Once i hit LogOn from the default page , it's throwing me with below error message14/9/2010 4:35:41 PM | Error | Controller | An exception occured in controller: Session, while executing action: SignOn. 14/9/2010 4:35:41 PM | Error | Controller | Error Message: An operations error occurred. , StackTrace: at System.Data.Linq.SqlClient.QueryConverter.VisitInvocation(InvocationExpression invoke) at System.Data.Linq.SqlClient.QueryConverter.VisitInner(Expression node) at System.Data.Linq.SqlClient.QueryConverter.VisitBLOCKED EXPRESSION at System.Data.Linq.SqlClient.QueryConverter.VisitMemberInit(MemberInitExpression init) at System.Data.Linq.SqlClient.QueryConverter.VisitInner(Expression node) at System.Data.Linq.SqlClient.QueryConverter.VisitSelect(Expression sequence, LambdaExpression selector) at System.Data.Linq.SqlClient.QueryConverter.VisitSequenceOperatorCall(MethodCallExpression mc) at System.Data.Linq.SqlClient.QueryConverter.VisitInner(Expression node) at System.Data.Linq.SqlClient.QueryConverter.VisitFirst(Expression sequence, LambdaExpression lambda,
ASP.NetWindows Application  .NET Framework  C#  VB.Net  ADO.Net  
Sql Server  SharePoint  Silverlight  Others  All   

Hall of Fame    Twitter   Terms of Service    Privacy Policy    Contact Us    Archives   Tell A Friend