0
votes

I created a web service running on a different machine/IIS than my SharePoint (2013) application node (the double hop issue kicks in). I expose this web service to other services in our company.

The code snippet below will successfully retrieve a SharePoint list using dedicated credentials (i.e. "sp_admin_user").

In my web service I can retrieve the username (w/o password ofc) of a user calling it, which also exists in SharePoint by rule.

My question: How do I need to change the code below to facilitate impersonation with the above username?

    [WebMethod]
    [ScriptMethod(ResponseFormat = ResponseFormat.Json)]
    public string get_sp_list()
    {
        SPLists.Lists myservice = new SPLists.Lists();
        // dedicated account hard-coded here: every caller's request runs with this account's rights
        myservice.Credentials = new System.Net.NetworkCredential("sp_admin_user", "password123", "domain");
        myservice.Url = "https://sharepoint.company.com/sites/testground/_vti_bin/Lists.asmx";
        // [.. setting of variables ..]
        System.Xml.XmlNode n = myservice.GetListItems(
            sidList,
            sidView,
            query,
            viewFields,
            rowLimit,
            queryOptions,
            null
        );
        // [.. compose json ..]
        return json;
    }

1 Answer

1
votes

The only user you can impersonate without a password is the SharePoint IIS Application Pool user (it's often NETWORK SERVICE). To impersonate the user who is accessing SharePoint pages, the computer where SharePoint is running needs to have delegation rights to the external service. You can read about it here. This is all about security restrictions.

I advise you to reject the impersonation approach; it's much easier to deal with passwords, make an anonymous web service call, or invent something else.

You can impersonate user like this:

using System.Security.Principal;   // WindowsIdentity lives here

// IntPtr.Zero means "no user token": the thread reverts to the process identity
using (var ctx = WindowsIdentity.Impersonate(IntPtr.Zero))
{
    //external web service call as "COMPUTER_NAME\NETWORK_SERVICE" user
}   // disposing ctx undoes the impersonation

You can also get real user token (not IntPtr.Zero) if you have password.
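As an added example (not the poster's or the asker's code) of the route the answer points to, here is the proxy method rewritten to impersonate the caller's real Windows token instead of IntPtr.Zero and call Lists.asmx as that user, with a check that refuses to run when the token cannot make the second hop. It assumes the proxy service authenticates its callers with Windows/Kerberos, that constrained delegation from the service's account to SharePoint has been configured, and that SPLists.Lists is the generated proxy from the question; the method name and the "Tasks" list are constructed.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Services;
using System.Web.Script.Services;
using System.Xml;

public class SpProxy : WebService
{
    [WebMethod]
    [ScriptMethod(ResponseFormat = ResponseFormat.Json)]
    public string get_sp_list_as_caller()   // constructed name
    {
        // Assumes this service uses Windows authentication, so the caller arrives
        // as a WindowsIdentity (a usable token), not merely as a user name string.
        var caller = HttpContext.Current.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new UnauthorizedAccessException("Windows authentication is required.");

        // The hop from this box to SharePoint only works with a delegation-level token,
        // which exists only when constrained delegation is set up for this service's account.
        // Fail loudly here rather than silently falling back to a shared privileged account.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new InvalidOperationException("Caller token level is " +
                caller.ImpersonationLevel + "; delegation to SharePoint is not configured.");

        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            // From here on the thread runs as the caller, not as the IIS app pool identity.
            string effective = WindowsIdentity.GetCurrent().Name;

            SPLists.Lists myservice = new SPLists.Lists();
            // Default credentials of the impersonated thread = the caller's Kerberos ticket.
            myservice.UseDefaultCredentials = true;
            myservice.Url = "https://sharepoint.company.com/sites/testground/_vti_bin/Lists.asmx";

            // "Tasks" is a constructed list name; nulls ask for the default view and query.
            XmlNode n = myservice.GetListItems("Tasks", null, null, null, "100", null, null);

            // SharePoint now enforces the caller's own permissions: a user without access
            // to the list gets an access-denied SOAP fault instead of admin-level data.
            int rows = n.SelectNodes("//*[local-name()='row']").Count;
            return "{\"asUser\":\"" + effective + "\",\"rows\":" + rows + "}";
        }   // ctx.Dispose() reverts to the app pool identity, even when an exception is thrown
    }
}
```

Because each request carries the caller's own identity to SharePoint, the hard-coded "sp_admin_user" password disappears from the service and SharePoint's audit trail shows the real user rather than one shared account.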