6
votes

I need to get a Windows token from claims. The solution is a claims-aware WCF web service that uses ADFS 2.0 and runs under IIS on ASP.NET 4.0. (The Kerberos token is needed for impersonated database access.)

In .NET 3.5 and 4.0 the C2WTS service is used to get a Windows identity from claims:

using Microsoft.IdentityModel.WindowsTokenService; // WIF 3.5 client for C2WTS (WindowsIdentity is in System.Security.Principal)
WindowsIdentity winId = S4UClient.UpnLogon(upn);   // upn = the caller's UPN claim value, e.g. user@domain.example

But the documentation for C2WTS states the following: "... Starting with the .NET Framework 4.5, Windows Identity Foundation (WIF) has been fully integrated into the .NET Framework. The version of WIF addressed by this topic, WIF 3.5, is deprecated and should only be used when developing against the .NET Framework 3.5 SP1 or the .NET Framework 4 ..."

What would be the equivalent of c2WTS in .NET 4.5?


2 Answers

5
votes

There is no equivalent. But you can still install WIF to get the C2WTS service.

The SAML security token handler has the MapToWindows feature that returns a Windows identity. This is similar to what C2WTS does, but:

1) the Windows identity can only be used for authorization locally; to impersonate you would need SYSTEM privileges, which is what C2WTS runs under.
2) to delegate the token you need to configure constrained delegation in AD (just like with C2WTS).

0
votes

S4U is built in at this point in time. You don't need C2WTS. You can just do:

using System.Security.Principal;
// valueFromClaim must be the caller's UPN (user@domain.example); the constructor performs an S4U logon
var id = new WindowsIdentity(valueFromClaim);
using (WindowsImpersonationContext ctx = id.Impersonate()) { /* continue your impersonation */ }

For service calls, if you set the credentials to DefaultCredentials, you should be okay, as this appears to execute the ToWindowsIdentity on the SAML token handler.

Since you're going to Oracle, you may need to explicitly create a Windows context and impersonate (see: Creating a service for user (S4U) token).

All of that said, you must have constrained delegation configured correctly or the delegation will not function.
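The following is an added example, written for this page and not taken from either answer, that puts the pieces of both answers together on .NET 4.5 without C2WTS: it reads the UPN claim from the ClaimsPrincipal (the same mapping MapToWindows performs), obtains a Windows identity through the S4U logon that the WindowsIdentity(string) constructor does, and checks the token's impersonation level before impersonating for a database call. An Identification-level token is what you get when the process lacks SeTcbPrivilege (for example, it is not running as SYSTEM) or the service account is not trusted for protocol transition in AD; such a token works for local authorization only, so the example refuses to go to the network with it. The class name, the SqlClient target (the question's Oracle backend would use its own ADO.NET provider), and the connection string are assumptions for illustration.

```csharp
using System;
using System.Data.SqlClient;     // assumed: SQL Server target; Oracle would use its own provider
using System.Security.Claims;
using System.Security.Principal;

// Hypothetical helper (example code, not part of the original answers).
static class ClaimsToWindows
{
    // Map the authenticated caller's UPN claim to a Windows identity via S4U logon.
    public static WindowsIdentity FromClaims(ClaimsPrincipal principal)
    {
        // ADFS issues the UPN under ClaimTypes.Upn
        // (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn).
        Claim upn = principal.FindFirst(ClaimTypes.Upn);
        if (upn == null)
            throw new InvalidOperationException("No UPN claim present; cannot perform S4U logon.");

        // S4U2Self logon: no password is needed. Without SeTcbPrivilege in this process,
        // or without protocol-transition trust on the service account, the token that
        // comes back is Identification level and cannot be used for network access.
        return new WindowsIdentity(upn.Value);
    }

    // True when the token can be used to authenticate to a remote service
    // (constrained delegation with S4U2Proxy needs at least Impersonation level).
    public static bool UsableForDelegation(WindowsIdentity id)
    {
        return id.ImpersonationLevel != TokenImpersonationLevel.Identification
            && id.ImpersonationLevel != TokenImpersonationLevel.Anonymous;
    }

    // Run a query against the database as the claims-authenticated caller.
    public static string QueryAsCaller(ClaimsPrincipal principal, string connectionString)
    {
        using (WindowsIdentity id = FromClaims(principal))
        {
            if (!UsableForDelegation(id))
                throw new InvalidOperationException(
                    "S4U token for " + id.Name + " is " + id.ImpersonationLevel +
                    " level; check SeTcbPrivilege on the service and constrained delegation in AD.");

            // Everything inside this block, including the Kerberos ticket request to the
            // database SPN (S4U2Proxy), runs as the impersonated user.
            using (WindowsImpersonationContext ctx = id.Impersonate())
            using (var conn = new SqlConnection(connectionString)) // assumed: Integrated Security=SSPI
            using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                conn.Open();
                return Convert.ToString(cmd.ExecuteScalar()); // should equal the impersonated account
            }
        }
    }
}

// Usage inside a WCF operation (claims mode): the caller is available as
//   ClaimsPrincipal caller = (ClaimsPrincipal)Thread.CurrentPrincipal;
//   string who = ClaimsToWindows.QueryAsCaller(caller,
//       "Server=db.domain.example;Database=app;Integrated Security=SSPI");
```

Two things this makes explicit that the answers only mention in passing: the impersonation-level check fails closed instead of letting a request silently reach the database as the application pool identity, and the delegation target in AD (msDS-AllowedToDelegateTo on the service account, with "use any authentication protocol" for protocol transition) must list the database's SPN, or conn.Open() will still fail inside the impersonation block.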