
When impersonating a client to a web service, do I need to call it once, or do I need to call it several times, essentially each time I call the client?

client.ClientCredentials.Windows.AllowedImpersonationLevel =
    System.Security.Principal.TokenImpersonationLevel.Impersonation;

I call my client several times in the course of my controllers. I only call this once. I can't seem to get past the first page of my website, though (this website, an MVC2 website, calls my WCF webservice).

A little confused here. If you guys can be of any help I would greatly appreciate it. Thanks.

Ladislav Mrnka
SoftwareSavant

1 Answer


Impersonation is allowed per proxy (client channel) instance, so if you create a new proxy instance (a client) for different controllers / actions you have to configure it for each proxy instance. Once you have created an instance you can do multiple calls to the service on that instance and it will correctly impersonate the client. Be aware that you should create a new proxy instance for each MVC action which needs to communicate with the WCF service.

Btw. Are you trying to impersonate the original user (the user accessing your MVC application) or a user account running the AppPool hosting the MVC application? If the first case is your scenario you can have problems because impersonation is limited to a single network hop. That means that a user can be impersonated on the server hosting the MVC application (first hop) but if the WCF service is on another server (second hop) impersonation will not work there (because of the single-hop limitation). In such scenarios you need delegation instead of impersonation, and delegation requires correctly configured Kerberos.

Ladislav Mrnka
  • Could you please elaborate on those two choices a bit further? It sounds like I am doing the first one. My MVC website runs on one server; I need to get the user's AD information that he logs in with (Windows authentication) and have it accessible to the WCF service that I have written. Let me look up delegation and configuring Kerberos... If you could elaborate more on that I would be grateful as well. – SoftwareSavant Aug 14 '11 at 14:49
  • Delegation will be needed only if your MVC application runs on a different server than the WCF service. It is more of an administrative feature. You just need to configure servers, AD and sometimes also clients to use Kerberos and delegation. Start with this article: http://technet.microsoft.com/en-us/library/cc780217%28WS.10%29.aspx – Ladislav Mrnka Aug 14 '11 at 16:10
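The per-proxy configuration described in the answer, as an added example that is not part of the original question or answer. The contract, the class names and the endpoint name "UserInfoEndpoint" are hypothetical, and it assumes ASP.NET impersonation is not already enabled in web.config.

```csharp
using System.Security.Principal;
using System.ServiceModel;
// Hypothetical contract, service and client names, for illustration only.
[ServiceContract]
public interface IUserInfoService
{
    [OperationContract] string WhoAmI();
}

public class UserInfoService : IUserInfoService
{
    // Service side: the operation body runs under the caller's token.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoAmI() { return WindowsIdentity.GetCurrent().Name; }
}

public class UserInfoClient : ClientBase<IUserInfoService>
{
    public UserInfoClient(string endpointName) : base(endpointName) { }
    public string WhoAmI() { return Channel.WhoAmI(); }
}

public static class ServiceCalls
{
    // Call once per MVC action with (WindowsIdentity)User.Identity, so the
    // service sees the signed-in user rather than the AppPool account.
    public static string[] CallAsUser(WindowsIdentity user)
    {
        var client = new UserInfoClient("UserInfoEndpoint"); // assumed name in web.config
        // Set on every new proxy instance, before the first call opens the channel.
        client.ClientCredentials.Windows.AllowedImpersonationLevel =
            TokenImpersonationLevel.Impersonation;
        try
        {
            string first, second;
            using (user.Impersonate())
            {
                first = client.WhoAmI();
                second = client.WhoAmI(); // same instance, no reconfiguration needed
            }
            client.Close();
            return new[] { first, second };
        }
        catch
        {
            client.Abort(); // a faulted channel cannot be closed cleanly
            throw;
        }
    }
}
```

If the WCF service runs on a different server from the MVC application, the single-hop limit from the answer applies: the level would have to be `TokenImpersonationLevel.Delegation`, with Kerberos delegation configured.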