
Know Your Impersonation Options

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

Impersonation is used to restrict or authorize the original caller’s access to a WCF service’s local resources, such as files. There are three options available for impersonation:
  • Impersonate Using Windows Authentication
  • Impersonate Using S4U Kerberos Extensions
  • Impersonate Using LogonUser API

Impersonate Using Windows Authentication
With this option you impersonate using the Windows token obtained from Security Support Provider Interface (SSPI) or Kerberos authentication, or from any other authentication type that can map to Windows, such as username authentication or certificate authentication. The Windows identity token obtained by this method is then cached on the service.

This impersonation option supports programmatic and declarative impersonation in WCF.

Impersonate Using S4U Kerberos Extensions
With this option you impersonate using a Windows token obtained from the Kerberos extensions, collectively called Service-for-User (S4U). You can use this option when your clients are authenticated using non-Windows authentication, such as client certificates, but are mapped to Windows accounts, or when you want to impersonate a service account. This impersonation option supports programmatic impersonation in WCF.

Note: To impersonate at the Impersonation level, you must grant your process account the "Act as part of the operating system" user right.

Impersonate Using LogonUser API
With this option you impersonate using a Windows token obtained from the LogonUser Windows API. You can use this option when you want to access network resources (delegation) but do not have trust for delegation, or when you want to access local resources but don’t wish to give higher privileges to your WCF process identity. This option adds the responsibility of maintaining the user credentials on the WCF service. This impersonation option supports programmatic impersonation in WCF.
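
The three token sources described above, side by side, as an added example (not code from this guide or from the WCF samples). IFileService, FileService and the method names are hypothetical; the code targets .NET Framework, and the first two methods assume a binding that authenticates callers with Windows authentication.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IFileService   // hypothetical contract for this example
{
    [OperationContract] string ReadDeclarative(string path);
    [OperationContract] string ReadProgrammatic(string path);
}

public class FileService : IFileService
{
    // Windows authentication, declarative: WCF impersonates the caller for the whole operation.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string ReadDeclarative(string path) { return File.ReadAllText(path); }

    // Windows authentication, programmatic: impersonate only around the file access.
    public string ReadProgrammatic(string path) { return ReadAs(ServiceSecurityContext.Current.WindowsIdentity, path); }

    // S4U: the token is built from a user principal name; the service holds no password.
    public static string ReadAsUpn(string upn, string path)
    { using (var id = new WindowsIdentity(upn)) return ReadAs(id, path); }

    // LogonUser: the service supplies credentials it stores and must protect itself.
    public static string ReadWithLogonUser(string user, string domain, string password, string path)
    {
        IntPtr token;   // interactive logon type is this example's choice, not the guide's
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try { using (WindowsIdentity.Impersonate(token)) return File.ReadAllText(path); }
        finally { CloseHandle(token); }
    }

    // Reject identification-only tokens (for example S4U without the user right noted above).
    static string ReadAs(WindowsIdentity id, string path)
    {
        if (id.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
            throw new SecurityException("Token is below the Impersonation level.");
        using (id.Impersonate()) return File.ReadAllText(path);   // reverts when disposed
    }
    const int LOGON32_LOGON_INTERACTIVE = 2, LOGON32_PROVIDER_DEFAULT = 0;
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password, int type, int provider, out IntPtr token);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr handle);
}
```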


Last edited Jun 12, 2008 at 10:37 PM by prashantbansode, version 1
