4
votes

I have a simple WCF service that uses WSHttpBinding and Windows authentication. I'm trying to force the server to impersonate the client's identity upon every method call for this service.

I tried the advice given at WCF Service Impersonation, but am not exactly getting happy results. When I try to navigate to the landing page for the WCF service, I see the error:

The contract operation 'GetAdvice' requires Windows identity for automatic impersonation. A Windows identity that represents the caller is not provided by binding ('WSHttpBinding','http://tempuri.org/') for contract ('IMagicEightBallService','http://tempuri.org/'.

Any ideas on what this error's trying to tell me?

The entire solution can be browsed at ftp://petio.org/2011/07/01/MagicEightBall/ (or downloaded at http://petio.org/2011/07/01/MagicEightBall.zip). I'm just publishing the project to a local IIS folder and accessing the service at http://localhost/MagicEightBall/MagicEightBallService.svc.

Thanks!

UPDATE:

My service's Web.config:

<?xml version="1.0"?>
<configuration>

  <system.web>
    <compilation debug="true" targetFramework="4.0" />
  </system.web>

  <system.serviceModel>

    <services>
      <service name="Petio.MagicEightBall.MagicEightBallService" behaviorConfiguration="MagicEightBallServiceBehavior">

        <endpoint name="WSHttpBinding_WindowsSecurity_IMagicEightBallService"
                  address="http://localhost/MagicEightBall/MagicEightBallService.svc"
                  binding="wsHttpBinding"
                  contract="Petio.MagicEightBall.IMagicEightBallService" />

        <endpoint address="mex"
                  binding="mexHttpsBinding"
                  contract="IMetadataExchange" />
      </service>
    </services>

    <behaviors>
      <serviceBehaviors>
        <behavior name="MagicEightBallServiceBehavior">
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="true"/>
          <serviceAuthorization impersonateCallerForAllOperations="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>

  </system.serviceModel>
</configuration>

My service code:

public class MagicEightBallService : IMagicEightBallService
{
    [OperationBehavior(Impersonation=ImpersonationOption.Required)]
    public string GetAdvice()
    {
        MagicEightBall ball = new MagicEightBall();
        return ball.GetAdvice();
    }
}

1 Answers

4
votes

What about minimizing the whole problem to the simplest reproducible code, which you can simply show here? Nobody is interested in downloading and reviewing your whole project. Moreover, for later reference, the related code should still be here.

I checked just the configuration of your project and your client code, and I see two blocking issues:

  • If you want to enforce impersonation from configuration, you must use only bindings with Windows authentication - your endpoint exposed over HTTPS is without authentication.
  • Impersonation in WCF also requires the client to allow the service to impersonate its identity, so setting the configuration on the service is not enough.

Here is an article about impersonation and all the necessary / possible settings.
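
The two points in the answer above, sketched as configuration. This is an added example, not part of the original answer or the asker's project: the binding name "WindowsMessageSecurity", the behavior name "AllowImpersonation" and the client-side contract name are assumptions, and moving the mex endpoint onto wsHttpBinding is one possible way to give it Windows authentication.

```xml
<!-- Service Web.config (fragment). With impersonateCallerForAllOperations="true",
     every endpoint of the service has to supply a Windows identity. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Hypothetical name; spells out the wsHttpBinding defaults explicitly. -->
      <binding name="WindowsMessageSecurity">
        <security mode="Message">
          <message clientCredentialType="Windows" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <service name="Petio.MagicEightBall.MagicEightBallService"
             behaviorConfiguration="MagicEightBallServiceBehavior">
      <endpoint address="http://localhost/MagicEightBall/MagicEightBallService.svc"
                binding="wsHttpBinding" bindingConfiguration="WindowsMessageSecurity"
                contract="Petio.MagicEightBall.IMagicEightBallService" />
      <!-- Before: binding="mexHttpsBinding", which authenticates no caller. -->
      <endpoint address="mex"
                binding="wsHttpBinding" bindingConfiguration="WindowsMessageSecurity"
                contract="IMetadataExchange" />
    </service>
  </services>
  <!-- serviceBehaviors section unchanged from the question. -->
</system.serviceModel>

<!-- Client App.config (fragment). The default allowed level is Identification,
     which does not let the service act as the caller. Grant Impersonation, and
     avoid Delegation unless the service must reach another machine as the caller. -->
<system.serviceModel>
  <client>
    <endpoint address="http://localhost/MagicEightBall/MagicEightBallService.svc"
              binding="wsHttpBinding"
              contract="Petio.MagicEightBall.IMagicEightBallService"
              behaviorConfiguration="AllowImpersonation" />
  </client>
  <behaviors>
    <endpointBehaviors>
      <behavior name="AllowImpersonation">
        <clientCredentials>
          <windows allowedImpersonationLevel="Impersonation" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
</system.serviceModel>
```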