Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > S4U Kerberos for calling WCF services

S4U Kerberos for calling WCF services

 
 
Alhambra Eidos Kiquenet
02-06-2008
Hi all, misters

I have an ASP .NET 2.0 application that uses WCF services.

I want to use S4U Kerberos to call the WCF services using a delegate account.

The application runs under Windows integrated authentication and anonymous
access is turned off.

My code is similar to this:

    // declarations for P/Invoke
    using System;
    using System.Runtime.InteropServices;
    using System.Security;
    using System.Security.Principal;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    public static extern bool LogonUser(string lpszUsername, string lpszDomain,
        string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool DuplicateToken(IntPtr hToken, int impersonationLevel,
        ref IntPtr hNewToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);

    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_PROVIDER_DEFAULT = 0;
    private const int SecurityImpersonation = 2;

    // Saved so that UndoSwitch() can revert the thread to its original identity
    private WindowsImpersonationContext impersonationContext;

    public void Switch(string userName, string password, string domain)
    {
        IntPtr token = IntPtr.Zero;
        IntPtr tokenDuplicate = IntPtr.Zero;
        impersonationContext = null;

        try
        {
            // Log on with the given user account
            bool loggedOn = LogonUser(
                userName,                   // user
                domain,                     // machine or domain name
                password,
                LOGON32_LOGON_INTERACTIVE,
                LOGON32_PROVIDER_DEFAULT,
                out token);                 // the user token for the specified user is returned here

            if (!loggedOn)
            {
                throw new SecurityException(userName + " logon failed, Win32 error "
                    + Marshal.GetLastWin32Error());
            }

            // Duplicate the primary token as an impersonation-level token
            if (!DuplicateToken(token, SecurityImpersonation, ref tokenDuplicate))
            {
                throw new SecurityException("DuplicateToken failed, Win32 error "
                    + Marshal.GetLastWin32Error());
            }

            WindowsIdentity tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
            // Switch the thread's current "run as" identity to the new Windows identity
            impersonationContext = tempWindowsIdentity.Impersonate();
        }
        finally
        {
            // WindowsIdentity keeps its own copy of the token, so the raw handles can be closed
            if (tokenDuplicate != IntPtr.Zero) CloseHandle(tokenDuplicate);
            if (token != IntPtr.Zero) CloseHandle(token);
        }
    } // public void Switch(string userName, string password, string domain)

    public void UndoSwitch()
    {
        if (impersonationContext != null)
        {
            impersonationContext.Undo();
            impersonationContext = null;
        }
    }


    this.Response.Write(" WindowsIdentity: " + WindowsIdentity.GetCurrent().Name);

    Switch(S4U_USER, S4U_PASS, S4U_DOMAIN);

    //this.Response.Write(" WindowsIdentity: " + WindowsIdentity.GetCurrent().Name); // Error: Access denied

    WindowsIdentity identity = new WindowsIdentity("(E-Mail Removed)"); // I get error: Attempted to perform an unauthorized operation

    using (WindowsImpersonationContext s4uContext = identity.Impersonate())
    {
        // Call the WCF service
        using (AgenteTareas agenteTareas = new AgenteTareas())
        {
            TareaWorkflow tarea = agenteTareas.ObtenerNuevaTareaNoFinalizada();
            this.Response.Write(string.Format("Tarea nueva {0} ", tarea));
        }
    }

    UndoSwitch();

I get an error: Attempted to perform an unauthorized operation

Any help will be appreciated. Best regards. Thanks in advance.




--
http://www.alhambra-eidos.es/web2005/index.html
www.kiquenet.net
http://www.setbb.com/putainformatica...opic.php?p=843
www.trabajobasura.com/solusoft

 
Dominick Baier
02-06-2008
S4U has very specific pre-requisites:

- machine must be Windows 2003 +
- machine must run in a native win2003 domain
- you can only delegate via constrained delegation
- worker process account needs the SeImpersonatePrivilege

is this all the case?

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)




 
Alhambra Eidos Kiquenet
02-06-2008
Hi mister,

all pre-requisites are ok.

Greetings

"Dominick Baier" wrote:

> S4U has very specific pre-requisites:
>
> - machine must be Windows 2003 +
> - machine must run in a native win2003 domain
> - you can only delegate via constrained delegation
> - worker process account needs the SeImpersonatePrivilege
>
> is this all the case?
>


 
Joe Kaplan
02-06-2008
Also, the "strength" of the token generated by S4U depends on whether the
calling process has SeTcbName privilege (act as part of the operating
system). If yes, then the token is an impersonation token. If no, the
token is an identity level token.

The identity level token can still be impersonated in code, but it cannot be
used to access any secure objects on the local system like a file or
something.

Technically, it is possible to be able to delegate an identity level token
but in practice it is very hard to make this work. For example, if you
impersonate such a token and use DefaultCredentials with an HttpWebRequest
object, it will usually fail before the remote call is made because .NET
will try to read a configuration file on the local machine and that
operation will fail. I would not be surprised if similar problems occurred
with WCF.

So, in practice it is very hard to get practical code examples to work if
the ability to impersonate locally is not enabled. As such, the calling
process may need SeTcbName privilege. If you want to do it the right way,
refer to Keith Brown's fairly recent MSDN mag article discussing this
problem where he demonstrates the proper technique for putting the S4U login
in an external process with elevated rights and copying the generated token
back into the original process.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Alhambra Eidos Kiquenet" <(E-Mail Removed) >
wrote in message news:(E-Mail Removed)...
> Hi mister,
>
> all pre-requisites is ok.
>
> Greetings
>
> "Dominick Baier" wrote:
>
>> S4U has very specific pre-requisites:
>>
>> - machine must be Windows 2003 +
>> - machine must run in a native win2003 domain
>> - you can only delegate via constrained delegation
>> - worker process account needs the SeImpersonatePrivilege
>>
>> is this all the case?
>>

Michel Baladi
06-30-2010
I have noticed that even if the account has SeTcbName privilege, it may still get an "identification" token if UAC is enabled and the client doesn't run as administrator.

Always check/assert the value of the ImpersonationLevel property of the WindowsIdentity object.



Dominick Baier wrote:

> S4U has very specific pre-requisites:
>
> - machine must be Windows 2003 +
> - machine must run in a native win2003 domain
> - you can only delegate via constrained delegation
> - worker process account needs the SeImpersonatePrivilege
>
> is this all the case?
>
> -----
> Dominick Baier (http://www.leastprivilege.com)
>
> Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
 