Service Identities in February CTP

What exactly is the relation between the following identities in the context of a WCF service:


System.Threading.Thread.CurrentPrincipal.Identity

ServiceSecurityContext.Current.PrimaryIdentity

ServiceSecurityContext.Current.WindowsIdentity


Are they all referring to the same identity when a service is configured with Windows security?

Thanks.





  • Philip Puffinburger

    The ServiceSecurityContext.WindowsIdentity will provide you with the id of the calling client (assuming they provided it). The Thread.CurrentPrincipal will provide you with the id of the user running the thread. So, for example, if you have a self-hosted server running as Bob and you have a client, Alice, calling it, your SSC.WindowsIdentity will be Alice, and the Thread.CurrentPrincipal will be Bob unless you're impersonating; then the thread will be running as Alice as well.

    Hope that helps.

    Thanks!

    Scott



  • Matt Winkler -- MSFT

    I had a different story. I configured IIS to be the host and it is running under ASPNET on xp. The virtual directory for WCF service is set to both anonymous and integrated windows authentication. The service method is not enforcing impersonation through attribute or coding. The service is set to message security with windows client credentials.


    The current thread principal's identity in the service shows the caller's identity (i.e. not ASPNET). This puzzled me. When I looked at the ImpersonationLevel of the current thread's identity, it showed me "Identify".



  • Mark Langan

    Thanks for the quick response. If the service is set to message security with Windows client credentials (in wsHttpBinding) and there is no forced impersonation (in the form of the attribute) on the operation, is it safe to say the WindowsIdentity from the security context is the same as System.Threading.Thread.CurrentPrincipal.Identity? If this is not the case, what configuration would make them identical?

    Thanks.

    Raghu/..



  • Seth Webster

    I assume you're referring to the OperationContext.ServiceSecurityContext.

    The PrimaryIdentity will return a generic object implementing IIdentity. WindowsIdentity also implements IIdentity but is specific to Windows accounts. So, for example, if you examine the PrincipalIdentity or the WindowsIdentity .Name property you should see the Windows account that the client used for credentials. If you used a cert for client credentials, the PrincipalIdentity.Name would return the X.509 cert subject name and the WindowsIdentity would be empty.

    The Thread Identity is just who the thread is running as. So if you use the WindowsIdentity to impersonate:

    using System;
    using System.Security.Principal;
    using System.ServiceModel;

    // Inside a service operation that is allowed to impersonate the caller:
    OperationContext oc = OperationContext.Current;
    WindowsIdentity caller = oc.ServiceSecurityContext.WindowsIdentity;
    if (caller == null)
    {
        Console.WriteLine("No Windows ID from caller");
        return ("Not gonna happen");
    }
    WindowsImpersonationContext wic = caller.Impersonate();
    try
    {
        string username = Environment.UserDomainName + "\\" + System.Threading.Thread.CurrentPrincipal.Identity.Name;
        Console.WriteLine("Now the method running as: " + username);
    }
    finally
    {
        wic.Undo();  // always revert the impersonation, even if an exception is thrown
    }

    You will see the username variable set to the client's id.

    Thanks!

    Scott
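
Putting the identities discussed above side by side, as an added example that is not code from any poster in this thread: a self-hosted service using wsHttpBinding message security with Windows client credentials (the configuration Mark asks about), with one operation that does not impersonate and one that requires impersonation. The contract, class and endpoint address are assumptions; WindowsIdentity.GetCurrent() is included because it reports the token the thread actually executes under, which is what changes when impersonation is in effect.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.Threading;

[ServiceContract]
public interface IWhoAmI
{
    [OperationContract] string Identities();             // no impersonation
    [OperationContract] string IdentitiesImpersonated();  // impersonates the caller
}

public class WhoAmIService : IWhoAmI
{
    // WindowsIdentity.GetCurrent() is the token the thread really runs under (the host
    // account unless impersonating). Thread.CurrentPrincipal is set by WCF from the caller
    // under the default PrincipalPermissionMode (UseWindowsGroups), even without impersonation.
    private static string Report()
    {
        ServiceSecurityContext ssc = ServiceSecurityContext.Current;
        WindowsIdentity win = ssc.WindowsIdentity;
        return "Thread.CurrentPrincipal.Identity = " + Thread.CurrentPrincipal.Identity.Name
             + "\nServiceSecurityContext.PrimaryIdentity = " + ssc.PrimaryIdentity.Name
             + "\nServiceSecurityContext.WindowsIdentity = " + (win == null ? "<none>" : win.Name)
             + "\nWindowsIdentity.GetCurrent() = " + WindowsIdentity.GetCurrent().Name;
    }

    public string Identities() { return Report(); }

    // Rejects the call unless the client's token allows impersonation (Identify is not enough).
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string IdentitiesImpersonated() { return Report(); }
}

class Program
{
    static void Main()
    {
        // Self-host under the process account (Bob, in Philip's example); the address is assumed.
        WSHttpBinding binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        using (ServiceHost host = new ServiceHost(typeof(WhoAmIService), new Uri("http://localhost:8000/whoami")))
        {
            host.AddServiceEndpoint(typeof(IWhoAmI), binding, "");
            host.Open();
            Console.WriteLine("Listening; press Enter to stop."); Console.ReadLine();
        }
    }
}
```

Calling Identities() as Alice shows the caller in the first three lines but the host account in the last; IdentitiesImpersonated() shows Alice in all four, provided the client permits impersonation-level delegation of its token.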


