Can anyone point me to a *good* resource that describes making my 3-tier remoting app secure? I built the thing already and it works great, but it has no user awareness. I want to pass the logged-in user identity from the client tier to the middle tier and then actually run a task as that user on the server tier. Is this even possible with built-in .NET functionality?
thanks,
dave

Passing WindowsPrincipal across Remoting boundary
Hiral Soni
Dave, passing the Windows identity along is supported with the HTTP channel when using IIS on .NET 1.1, and works with TCP and IPC outside of IIS in .NET 2.0. There's a good paper that gives background and examples for this on MSDN: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch11.asp.
Cheers,
JJustice [MSFT]
Unjedai
John, thanks for the reply. I kept digging and found some good resources. The doc for the channel settings related to security is poor. I finally found a really good "SecureRemoting" sample that used "impersonate=true" in the app.config and that got it working. I never even saw that attribute before I looked at the sample. All I ever found was "authenticationMode=IdentityCallers" which apparently isn't even needed.
Since I have your attention (hopefully)...
The real crux of my problem now is the 3-tier nature of the app. Actually, that's not it either. If I go directly from client, through middle tier, to server, all is well. The problem arises from the fact that the servers are doing computationally intensive tasks for the client, so a server may not be available at the time of the request. The request is queued up and is dispatched to a server when available. If I used Identity.GetToken, how long would that token be 'good' for? It actually works to create a WindowsIdentity(token) and Impersonate from that, but I didn't try a long delay, since it didn't make much sense to me that you should be able to keep that token around for an indefinite amount of time.
My last plan of attack was simply to securely store the user's password and then use the Process class. While less elegant, I thought this was the most straightforward path, but, alas, SYSTEM doesn't seem to be able to spawn processes under any account except SYSTEM, even if you supply the domain/user/password. I assume my server service would need to be running under an account with higher privileges, but this leads to deploy/config headaches à la DCOM.
Anyway, if any thoughts come to mind on this 'asynchronous delegation' issue let me know.
Thanks for 'listening'
Dave
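As an added example (not Dave's code and not the "SecureRemoting" sample he mentions): a .NET 2.0 TCP remoting host that sets the same `secure`/`impersonate` channel options programmatically, plus a remoted object that reports the caller's identity and keeps impersonation scoped to the call, so nothing keeps running as the caller once the request returns. The `WorkService` type, its URI and port 8085 are constructed for this example.

```csharp
using System;
using System.Collections;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;
using System.Security.Principal;

// Server-side remoted object (example type, not from the thread). With
// impersonate=true the channel has already switched the worker thread to the
// authenticated caller's token before this code runs.
public class WorkService : MarshalByRefObject
{
    // Returns the Windows account the server sees for this call.
    public string WhoAmI()
    {
        WindowsIdentity caller = WindowsIdentity.GetCurrent();
        return caller.Name + " (level=" + caller.ImpersonationLevel + ")";
    }

    // Does work as the caller only for the duration of the call; the using
    // block calls Undo() on exit, so the identity does not leak past the request.
    public string RunAsCaller()
    {
        WindowsIdentity caller = WindowsIdentity.GetCurrent();
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            return "work done as " + WindowsIdentity.GetCurrent().Name;
        }
    }
}

public static class Host
{
    public static void Main()
    {
        // Programmatic equivalent of secure="true" impersonate="true" on the
        // <channel> element in app.config. Port 8085 is an arbitrary example value.
        IDictionary props = new Hashtable();
        props["port"] = 8085;
        props["secure"] = true;                      // authenticate caller, protect the wire
        props["impersonate"] = true;                 // run each call as the authenticated caller
        props["protectionLevel"] = "EncryptAndSign";

        TcpServerChannel channel = new TcpServerChannel(props, null);
        ChannelServices.RegisterChannel(channel, true); // ensureSecurity = true
        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(WorkService), "WorkService", WellKnownObjectMode.SingleCall);

        Console.WriteLine("listening on tcp://localhost:8085/WorkService; press Enter to stop");
        Console.ReadLine();
    }
}
```

Impersonation here lives only as long as the remoting call itself, which is why it does not by itself solve the queued, delayed execution Dave describes.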