We have a web frontend written in MVC which uses SSO and Windows Authentication, and this frontend connects to a backend WCF service layer configured to run with a specific AD service account.
We like this approach because the connections to the database server are trusted and we have no passwords in web.config; the WCF service layer is allowed to connect to SQL Server because the service account has proper rights on the DB server, while single end users don't and should not.
What I am looking for now is a way to make the WCF service able to distinguish which user identity is connecting from the client and validate security rules at the application level (we use the Visual Guard security framework), but at the same time we still need to use the current service account when we use EF to connect to SQL.
What I did so far is the following. When I create the WCF client in the web frontend:
    // Run the proxy creation (and the calls made through it) under the
    // end user's Windows token instead of the app pool identity.
    using (((WindowsIdentity)HttpContext.Current.User.Identity).Impersonate())
    {
        var client = new RPPServiceInterface().GetRWSService();
        ...
    }
From the moment I introduced this call to Impersonate above, in the code below I can retrieve the client user and not the service account anymore:
    [OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
    public List<RWSProgram> GetCedentsPrograms(int cedentID, int uwYear)
    {
        // Security context of the caller as seen by WCF on the service side.
        var currentSec = ServiceSecurityContext.Current;
        ...
    }
What I would like to do is use both: the client identity to validate security, then somehow release that identity or have another way to impersonate back to the service account in the service layer to open my SQL connection... Any idea? Am I doing anything wrong or misunderstanding the whole picture?
P.S. I already checked this one but it did not help.... WCF service dual impersonation?
Thanks, Davide.
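The separation asked for in the question, as an added example that is not code from the original post: the operation authorizes on the caller's Windows identity taken from ServiceSecurityContext, then reverts the thread to the process token before any EF/SQL work. The authorization hook and the data-loading delegate are hypothetical stand-ins (Visual Guard and the real DbContext would plug in there), and it assumes WindowsIdentity.Impersonate(IntPtr.Zero) reverts the thread to the process identity (the AD service account).

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Principal;
using System.ServiceModel;

// Added example: authorize as the caller, hit SQL Server as the service account.
public class RwsService
{
    // Hypothetical hook: the application-level rule check (e.g. Visual Guard).
    private readonly Func<WindowsIdentity, string, bool> _isAllowed;
    // Hypothetical hook: the EF/SQL query; must run under the service account.
    private readonly Func<int, int, List<string>> _loadPrograms;

    public RwsService(Func<WindowsIdentity, string, bool> isAllowed,
                      Func<int, int, List<string>> loadPrograms)
    {
        _isAllowed = isAllowed;
        _loadPrograms = loadPrograms;
    }

    [OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
    public List<string> GetCedentsPrograms(int cedentID, int uwYear)
    {
        // The caller's identity is exposed here regardless of whether WCF
        // has actually impersonated it on this thread.
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        WindowsIdentity caller = (ctx == null) ? null : ctx.WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
            throw new SecurityException("A Windows-authenticated caller is required.");

        if (!_isAllowed(caller, "GetCedentsPrograms"))
            throw new FaultException("Access denied for " + caller.Name);

        // Assumption: Impersonate(IntPtr.Zero) drops any caller impersonation on
        // this thread and restores the process token (the AD service account).
        // Disposing the context restores whatever token was active before.
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            // WindowsIdentity.GetCurrent().Name is the service account here,
            // so the trusted SQL connection is opened with its rights, not the user's.
            return _loadPrograms(cedentID, uwYear);
        }
    }
}
```

Logging WindowsIdentity.GetCurrent().Name just inside the using block next to caller.Name is a quick way to confirm which token each half of the operation actually runs under.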