«

I have a web site. It's business layer is accessed through another web
service. Both are hosted on IIS.

When this application is deployed on the intranet, we have people access it
through their AD accounts. Ideally, we want to pass the Windows Identity that
is accessing the website through to the business web service layer. The web
service layer then grabs the roles from AzMan and returns a custom identity
class (that implements IIdentity).

The problem I am having is that both the web site and web service have to
have <identity impersonate="true" /> in order for the web service to get the
client's identity. We don't want the web site to use the client identity. We
want the web site to run under ASPNET / Network Service (i.e. the identity
assigned for the App Pool).

Hi Noremac,

For your scenario, you need to pass the windows identity from the ASP.NET
application to the webservice application without enable impersonate in
ASP.NET web application ,correct?

I assume that your web application and webservice are on the same server
machine(other wise, we can not forward client authenticated user token
across multiple machine boundary--- double hop).

Then, if you do not to imperonate your ASP.NET application through
<web.config>, you can consider the following means:

**use programmatic impersonate. Thus, you can put impersonate code only at
the function where you'll call the webservice. Since you've used "windows"
authentication in ASP.NET web app, you can use the authenticated user
identity(through Context.User.Identity) to perform the impersonate. Here
are two articles that may help you:

#How To: Use Windows Authentication in ASP.NET 2.0
http://msdn2.microsoft.com/en-us/library/ms998358.aspx

#How To: Use Impersonation and Delegation in ASP.NET 2.0
http://msdn2.microsoft.com/en-us/library/ms998351.aspx

How do you think?

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.








--------------------
>From: =?Utf-8?B?Tm9yZW1hYw==?= <>
>Subject: Pass through Windows Identity to Web Service
>Date: Thu, 15 Nov 2007 11:25:04 -0800

>
>I have a web site. It's business layer is accessed through another web
>service. Both are hosted on IIS.
>
>When this application is deployed on the intranet, we have people access
it
>through their AD accounts. Ideally, we want to pass the Windows Identity
that
>is accessing the website through to the business web service layer. The
web
>service layer then grabs the roles from AzMan and returns a custom
identity
>class (that implements IIdentity).
>
>The problem I am having is that both the web site and web service have to
>have <identity impersonate="true" /> in order for the web service to get
the
>client's identity. We don't want the web site to use the client identity.
We
>want the web site to run under ASPNET / Network Service (i.e. the identity
>assigned for the App Pool).
>
>
>

Hi Noremac,

Have you got any further idea on this issue? If you need any other help,
please feel free to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.




--------------------
>From: (Steven Cheng[MSFT])
>Organization: Microsoft
>Date: Fri, 16 Nov 2007 04:29:09 GMT
>Subject: RE: Pass through Windows Identity to Web Service

>
>Hi Noremac,
>
>For your scenario, you need to pass the windows identity from the ASP.NET
>application to the webservice application without enable impersonate in
>ASP.NET web application ,correct?
>
>I assume that your web application and webservice are on the same server
>machine(other wise, we can not forward client authenticated user token
>across multiple machine boundary--- double hop).
>
>Then, if you do not to imperonate your ASP.NET application through
><web.config>, you can consider the following means:
>
>**use programmatic impersonate. Thus, you can put impersonate code only at
>the function where you'll call the webservice. Since you've used "windows"
>authentication in ASP.NET web app, you can use the authenticated user
>identity(through Context.User.Identity) to perform the impersonate. Here
>are two articles that may help you:
>
>#How To: Use Windows Authentication in ASP.NET 2.0
>http://msdn2.microsoft.com/en-us/library/ms998358.aspx
>
>#How To: Use Impersonation and Delegation in ASP.NET 2.0
>http://msdn2.microsoft.com/en-us/library/ms998351.aspx
>
>How do you think?
>
>Sincerely,
>
>Steven Cheng
>
>Microsoft MSDN Online Support Lead
>
>
>
>================================================= =
>
>Get notification to my posts through email? Please refer to
>http://msdn.microsoft.com/subscripti...ault.aspx#noti
f
>ications.
>
>
>
>Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
>where an initial response from the community or a Microsoft Support
>Engineer within 1 business day is acceptable. Please note that each follow
>up response may take approximately 2 business days as the support
>professional working with you may need further investigation to reach the
>most efficient resolution. The offering is not appropriate for situations
>that require urgent, real-time or phone-based interactions or complex
>project analysis and dump analysis issues. Issues of this nature are best
>handled working with a dedicated Microsoft Support Engineer by contacting
>Microsoft Customer Support Services (CSS) at
>http://msdn.microsoft.com/subscripti...t/default.aspx.
>
>================================================= =
>
>
>This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
>
>
>
>
>
>
>--------------------
>>From: =?Utf-8?B?Tm9yZW1hYw==?= <>
>>Subject: Pass through Windows Identity to Web Service
>>Date: Thu, 15 Nov 2007 11:25:04 -0800
>
>>
>>I have a web site. It's business layer is accessed through another web
>>service. Both are hosted on IIS.
>>
>>When this application is deployed on the intranet, we have people access
>it
>>through their AD accounts. Ideally, we want to pass the Windows Identity
>that
>>is accessing the website through to the business web service layer. The
>web
>>service layer then grabs the roles from AzMan and returns a custom
>identity
>>class (that implements IIdentity).
>>
>>The problem I am having is that both the web site and web service have to
>>have <identity impersonate="true" /> in order for the web service to get
>the
>>client's identity. We don't want the web site to use the client identity.
>We
>>want the web site to run under ASPNET / Network Service (i.e. the
identity
>>assigned for the App Pool).
>>
>>
>>
>
>