Asp.net Web api2 impersonate on webClient call

Question

we have a web api what has is how user account let's say ApplicationPoolUser that used have access to the databases used by the api, etc which work fine.

but i'm trying to send a http get method on files on a remote server(sharepoint 2007) using webClient

here's what im using :

            WindowsImpersonationContext impersonationContext = null;
            Uri uri = new Uri(Path.Combine(this.Document.path , Document.fileNameOriginal));
            Stream stream = null;

// WindowsIdentity.GetCurrent().Name return 'ApplicationPoolUser'
                try
                {
                    WindowsIdentity wi = System.Web.HttpContext.Current.Request.LogonUserIdentity;
                    impersonationContext = WindowsIdentity.Impersonate(wi.Token); 
// WindowsIdentity.GetCurrent().Name return 'CurrentRequestingUser'

                WebClient client = new WebClient() { 
                    UseDefaultCredentials = true,
                    CachePolicy = new System.Net.Cache.RequestCachePolicy(RequestCacheLevel.BypassCache)
                };

                stream = client.OpenRead(uri);
 // OpenRead Authentified on sharepoint server has ApplicationPoolUser
            }
            catch(WebException ex)
            {
                HttpWebResponse webResp = (HttpWebResponse)ex.Response;
                if(webResp.StatusCode == HttpStatusCode.NotFound)
                throw new GeneralException(Common.Enums.ExceptionMessage.NotFound, webResp.StatusDescription);
                else
                {
                    throw ex;
                }
            }

is there a way to force the authentification on behalf of the user without turning asp.net Identity ON ? in the web.config / IIS site.

I dont want the whole code to execute has the impersonated user request just this small part ...

I did try to use httpClient instead by i've found that since httpclient start in a new thread, it will always use the application pool identity.

can i create the Negotiate Call myself and add it to the request ?

thank you.

EDIT : i have tried Removing all AuthenticationManager except Kerberos, and the request still use NTLM for authentication, what am i doing wrong ?

You should not ask a new question inside an edit. – TGlatzer Mar 02 '15 at 07:28 — TGlatzer, Mar 02 '15 at 07:28

score 2 · Accepted Answer · edited May 23 '17 at 11:43

2

There are multiple factors, which can make an impersonation or to be precise a delegation of the user credentials impossible.

1) if you are using asynchronous methods (directly or not) you might experience a problem with flowing the identity. You can check, if that might be an problem with the following call:

 System.Security.SecurityContext.IsWindowsIdentityFlowSuppressed();

This should return false - if not you can use this as a reference: Calling an async WCF Service while being impersonated

2) You have to enable constrained delegation for the executing account. You have a so called Kerberos double hop scenario. You have to allow the Sharepoint user to act as another user or else impersonate() will not succeed as expected.

edited May 23 '17 at 11:43

Community

1
1

answered Feb 27 '15 at 15:10

TGlatzer

5,815
2
25
46

System.Security.SecurityContext.IsWindowsIdentityFlowSuppressed(); return false before and after the impersonation() – Rugdr Feb 27 '15 at 15:24
This is an System wide setting, which might prevent Impersonation, it should be false. But you still need the delegation permission. – TGlatzer Feb 27 '15 at 15:48

Asp.net Web api2 impersonate on webClient call

1 Answers1