i have a WCF service hosted in a managed windows service. This WCF service communicate with sharepoint through the client object model in order to create, delete and update the document. My WCF service use a netTCPBinding with message security and windows authentication.
I need to retrieve the identity of the caller to have the right user under the property 'create by' of the sharepoint document.
Without activating impersonation, the wcf run under an network application account (app_svc) and when i create a document, the 'create by' property have this value: 'app_svc'
When i use impersonation, the sharepoint give me a http 401 error. The WCF service and sharepoint are not on the same machine.
How i can do it? Note that i have no rights and no access on the Active Directory and the domain controller server.
Any Help would be appreciated.
i am not familiar with sharepoint. but when you're impersonating a client and try to forward the credentials to another machine, you have to ensure the following items:
the client gets authenticated through kerberos (set SPNs)
the sharepoint authenticates users though kerberos as well (set SPNs)
delegation to the target SPNs is activated on the technical domain account of the IIS application pool / service. If it is running under a local built-in account (network service, local system etc) delegation has to be activated on the computer account object in AD.
The whole scenario is also known as double-hopp scenario.
I cannot write a complete guide here. Best you google for impersonation, delegation and double-hop.
All the steps i mentioned require access to a AD domain controller.
Related
We are building a WPF application which communicates with a WCF service (hosted in a Windows Service) for data access, business logic, etc.
The application runs on a domain user account, the WCF service on a server account.
This WCF service should send emails, create and modify events, etc by using the domain user account. Communicating with Office 365 will be done by Microsoft Graph API, using MSAL and Microsoft Graph Library.
The domains active directory and Azure Active Directory are connected.
How can I connect the Graphs GraphServiceClient using the WCF's ServiceSecurityContext without login dialog? (Map a domain user on a AAD user).
Are there any samples available?
What you are looking for is a sample for a 'daemon' service. There is documentation here on this.
https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-daemon-certificate-credential/
Essentially you'll need to create a certificate and register it with the Azure AD application. Then when calling the Microsoft Graph, use that certificate so that thee service trusts its really your service.
I installed a MVC 5 web application on a cloud hosted server. It uses Windows authentication. The company itself uses a different domain than the servers in the cloud use.
For example. The company uses xycom as domain and the cloud computers use xycloudcom as domain.
The xycloudcom servers have access to the AD controller of the xycom domain.
Now I installed an application on the cloud server. It has only Windows Authentication enabled and all works fine when accessing from a computer and account in xycom domain.
The only issue is that I am not able to open the website from the server itself. It opens a dialog asking me for my credentials. If I enter them (my xycom account) I get a 401 Unauthorized.
If I enable Anonymous authentication I can open the web site. So it's not a DNS issue.
Can someone help to solve this issue since I need to trigger an action by a console application in ScheduledTasks using a web request.
Server is Windows 2012 R2.
You will not be able to open the site from the server, if that server is not on the same domain.
The integrated windows authentication would work only if there is a trust between your Cloud VM's domain and the xycom comain.
Hope this helps.
I have a remote WCF service where I have implemented a custom authorization manager. As part of authorization I grab the windows identity of the client to perform some custom authorization.
The issue I am having is that the client process is running as 'UserA', but when it sends a request to the remote service on ServerX, the service sees 'UserB'.
I have established that this is happening as I have asked windows to cache client credentials for account 'UserB' when I have connected to ServerX at some stage in the past (e.g. via RDP). This is quite a common pattern as many devs have a 'user' account and an 'admin' account and frequently configure windows to cache credentials for their 'admin' accounts when connecting to remote machines.
I know how to manually clear items from the windows credential cache, but how can I prevent WCF from using the cache i.e. so that the client process identity is always used.
I'm trying to use the object model of Sharepoint 2007 to make some changes over a list and read users and groups web settings...
For that I developed a Web Service (WCF) that is stored in the same web application as the sharepoint site in IIS.
Thats working.
I call inside the Web service
SPContext.Current.Web.CurrentUser
and thats user is not me, is "Sharepoint\System"
Why?
Other thing is that web I try to get all users using
SPContext.Current.Web.users
that only contain "Sharepoint\System", not the others.
WHY!!!
I give the full trust in the web.config and use the Ntlm authentication method.
It sounds to me like the issue is the account that your web service is running under. I would change the application pool that your web service is using and set the identity to a named account. Then, when you query the current user in Sharepoint, you should see the named account you identified in the application pool.
You did follow this guide?
http://blah.winsmarts.com/2008-9-Getting_SPContextCurrent_in_a_SharePoint_2007_WCF_Service.aspx
This is what I wish to achieve:
My ASP.NET web service is hosted on a server called //service. I want to control access to the web service by server and by application as well. What I mean here is if I have two ASP.NET web applications (app1 and app2) hosted on a server called //web1 and I only want //web1/app1 to be able to call the web service. I know that I can grant access to the IP address of //web1 but that would allow both //web1/app1 and //web1/app2 access to the web service.
I am thinking about using an SSL certificate as I don't want the web application to handle the login/password. on //service, I will grant access to the ip of //web1 and map a client certificate from //web1 to a windows account and this will allow only applications from //web1 to access. But then how do I further control the access to only //web1/app1?
You can use standard HTTP Authentication to control which applications have access to your web service.
Credentials are passed in the Authorization header with each request. Every web service client (i.e. //web1/app1) should have its own credentials, so if //web1/app2 tried to connect to the web service without providing recognized credentials, it would be denied access.
I recommend using SSL to encrypt all traffic, so that authentication information and other sensitive data is secure.
Here are a few articles that may be helpful:
HTTP Security and ASP.NET Web Services (see Authentication section)
Authentication in ASP.NET Web Services
Good luck!
Not really.
A certificate secures the transmission between the client and server domain. It doesn't really work to have multiple certificates for multiple subdirectories.
What you'd want to do is to create a login service that returns a token. You then use that token to manage the session on the server side and the client uses it along with every subsequent request to access and execute the available services. (can this token access this webservice? t/f)
You're going to have to give the client access to some sort of credentials. Whether that is a certificate exchange or a user/pass you're going to have to figure out who the client actually is.