
I have a WCF service hosted in a managed Windows service. This WCF service communicates with SharePoint through the client object model in order to create, delete and update documents. My WCF service uses a netTcpBinding with message security and Windows authentication.

I need to retrieve the identity of the caller in order to have the right user in the 'Created By' property of the SharePoint document.

Without activating impersonation, the WCF service runs under a network application account (app_svc), and when I create a document, the 'Created By' property has the value 'app_svc'.

When I use impersonation, SharePoint gives me an HTTP 401 error. The WCF service and SharePoint are not on the same machine.

How can I do it? Note that I have no rights and no access to Active Directory or the domain controller.

Any help would be appreciated.


1 Answer


I am not familiar with SharePoint, but when you are impersonating a client and try to forward the credentials to another machine, you have to ensure the following:

  • the client is authenticated through Kerberos (set SPNs)
  • SharePoint authenticates users through Kerberos as well (set SPNs)
  • delegation to the target SPNs is activated on the technical domain account of the IIS application pool / service. If it is running under a local built-in account (Network Service, Local System, etc.), delegation has to be activated on the computer account object in AD.

The whole scenario is also known as the double-hop scenario. I cannot write a complete guide here; best you Google for impersonation, delegation and double-hop.

All the steps I mentioned require access to an AD domain controller.
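As an added example that is not part of the answer above, here is the AD-side configuration the three bullets describe, written as PowerShell that a domain administrator would run (the asker states they have no AD rights, so this is what they would need to hand to whoever does). Every account and host name below is an assumption for illustration: CONTOSO\app_svc as the account running the WCF Windows service on wcfhost.contoso.com, CONTOSO\sp_apppool as the SharePoint web application pool account, sharepoint.contoso.com as the SharePoint host, jdoe as a sample calling user, and MyWcfService as the SPN service class chosen for the WCF endpoint. It requires the RSAT ActiveDirectory module and the standard setspn tool.

```powershell
# Added example, not code from the original thread. All names are assumed:
#   CONTOSO\app_svc         domain account running the WCF Windows service
#   wcfhost.contoso.com     machine hosting the WCF service (first hop)
#   CONTOSO\sp_apppool      domain account running the SharePoint web application pool
#   sharepoint.contoso.com  SharePoint web application host name (second hop)
#   jdoe                    a sample calling user
# Requires the ActiveDirectory module (RSAT) and rights to modify these objects.
Import-Module ActiveDirectory

# Bullet 1: SPN for the WCF service identity, so the caller can obtain a Kerberos
# ticket for the first hop instead of falling back to NTLM (NTLM tokens cannot be
# forwarded to a second machine). The WCF client configuration must name the same
# SPN in its <identity><servicePrincipalName value="MyWcfService/wcfhost.contoso.com"/>.
# -S (not -A) refuses to register a duplicate SPN, which would silently break Kerberos.
setspn -S "MyWcfService/wcfhost.contoso.com" "CONTOSO\app_svc"

# Bullet 2: SPNs for SharePoint, so the KDC can issue a ticket for the second hop.
# Register both the FQDN and the short name; clients may use either.
setspn -S "HTTP/sharepoint.contoso.com" "CONTOSO\sp_apppool"
setspn -S "HTTP/sharepoint"             "CONTOSO\sp_apppool"

# Bullet 3: delegation on the technical account of the WCF service.
# Use Kerberos-only constrained delegation: app_svc may forward the caller's
# identity to the SharePoint SPNs and to nothing else. Do NOT set
# TrustedForDelegation=$true (unconstrained delegation), which would let the
# service impersonate callers against any service in the domain.
# TrustedToAuthForDelegation (protocol transition) is also not needed here,
# because the first hop is already Kerberos.
Set-ADUser -Identity app_svc -Add @{
    'msDS-AllowedToDelegateTo' = @('HTTP/sharepoint.contoso.com', 'HTTP/sharepoint')
}

# Variant for bullet 3 when the service runs as NETWORK SERVICE or LOCAL SYSTEM:
# the delegation setting lives on the computer object instead of a user account.
# Set-ADComputer -Identity WCFHOST -Add @{
#     'msDS-AllowedToDelegateTo' = @('HTTP/sharepoint.contoso.com', 'HTTP/sharepoint')
# }

# Verification: list registered SPNs and the delegation attributes.
setspn -L "CONTOSO\app_svc"
setspn -L "CONTOSO\sp_apppool"
Get-ADUser -Identity app_svc -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo

# The calling user must itself be delegable: accounts marked "sensitive and cannot be
# delegated" or members of Protected Users never get a forwardable ticket, and the
# second hop then fails with exactly the 401 described in the question.
Get-ADUser -Identity jdoe -Properties AccountNotDelegated, MemberOf |
    Select-Object Name, AccountNotDelegated, @{ n = 'ProtectedUser'; e = { $_.MemberOf -match 'Protected Users' } }
```

Two checks on the WCF side complete the picture. On the service, `ServiceSecurityContext.Current.WindowsIdentity.AuthenticationType` must read "Kerberos" rather than "NTLM" before delegation can work at all, and the client must set `AllowedImpersonationLevel` to `TokenImpersonationLevel.Delegation` on its Windows client credential; the default of `Identification` or `Impersonation` yields a token that is valid on the WCF host but cannot be presented to SharePoint on another machine.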