
I have an AngularJS client which makes requests to a server which then forwards them to a different server (a reverse proxy type thing). Both these servers use .Net WCF services and Windows Authentication. My problem is that the request must remain authenticated by the original user even when it reaches the second level.

I cannot use Impersonation for this (some firm policy), and either way, from what I know, impersonation needs some user configurations in AD if it is used with Windows Authentication, which I cannot do.

Any help is appreciated.

  • Impersonation means adding `[OperationBehavior(Impersonation = ImpersonationOption.Required)]` to a method. Why can't you use it? Why do you *assume* you need to do anything in AD? – Panagiotis Kanavos Jul 23 '18 at 11:20
  • Perhaps you are confusing impersonation with [Delegation](https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/delegation-and-impersonation-with-wcf#delegation). That's a feature of Kerberos. That's what uses the proper *tokens* that are transported in the authentication headers to delegate calls from one service to another. You *can't* use the headers of one call to spoof another for obvious reasons. You can't do that in any security scheme that uses tokens. Kerberos should already be configured in an AD domain though – Panagiotis Kanavos Jul 23 '18 at 11:23
  • I might be wrong about Impersonation, but I didn't do much research on it because I'm not allowed to use it, due to company policy (for some reason). That's why I was asking for an alternative. – Vladimir Moldovan Jul 23 '18 at 11:28
  • You *are* asking to impersonate a user though. What is the *actual* policy and what exactly is *some reason*? What policy are you talking about? A Group Policy that prevents the *service* account from using `Impersonate.Required`? Or some written rule that says "don't use the user's password"? – Panagiotis Kanavos Jul 23 '18 at 11:34
  • The alternative to impersonation is delegation, which means configuring Kerberos. – Panagiotis Kanavos Jul 23 '18 at 11:35
  • I don't know what the reason is, I was specifically told that we cannot use impersonation. That is all. I tried using it just to see if I could quickly get it to work and continue from there, but I kept getting a 401 whatever I did. Then I read this https://stackoverflow.com/a/11954781/6018207 and assumed it needs some kerberos config either way. – Vladimir Moldovan Jul 23 '18 at 11:45
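The two mechanisms the comments contrast, as an added C# illustration that is not code from the question or its comments: the middle-tier service impersonates the caller for one operation with the `ImpersonationOption.Required` attribute, checks whether the Windows token it received is delegation-capable, and only then opens a channel to the second service under that identity. A token that arrives at `Impersonation` rather than `Delegation` level cannot cross the second hop, which is the classic double-hop situation where the back end sees either anonymous or the service account; the example fails closed instead of silently calling as the service account. Contract names, the backend address and the binding choice are assumptions for illustration; whether the token is delegatable is decided by the Kerberos configuration of the service accounts in AD, not by this code.

```csharp
// Added example (not from the question). Assumed contracts and endpoint.
using System;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IBackend
{
    [OperationContract]
    string WhoAmI();
}

[ServiceContract]
public interface IFrontend
{
    [OperationContract]
    string WhoAmIViaBackend();
}

// Second-level service: reports the Windows identity it actually received,
// so an operator can verify whether the original user or the middle-tier
// service account reached this hop.
public class BackendService : IBackend
{
    public string WhoAmI()
    {
        WindowsIdentity id = ServiceSecurityContext.Current.WindowsIdentity;
        return id.Name + " (" + id.ImpersonationLevel + ")";
    }
}

// Middle tier (the "reverse proxy type thing"): impersonates the caller for
// this operation only, then forwards to the backend under that identity.
public class FrontendService : IFrontend
{
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoAmIViaBackend()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;

        // The caller's token must be delegatable for the second hop to carry
        // the caller's identity; otherwise fail closed rather than letting the
        // outgoing call silently run as the service account.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            throw new FaultException(
                "Caller token is not delegatable (level " + caller.ImpersonationLevel + ")");
        }

        // Message security with Windows credentials (SSPI/Negotiate). Address is assumed.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        var factory = new ChannelFactory<IBackend>(
            binding, new EndpointAddress("http://backend.example.local/Backend.svc"));

        // Least privilege: the backend only needs to impersonate, not delegate
        // further, so do not hand it a delegation-level token.
        factory.Credentials.Windows.AllowedImpersonationLevel =
            TokenImpersonationLevel.Impersonation;

        IBackend backend = factory.CreateChannel();
        var channel = (IClientChannel)backend;
        try
        {
            string result = backend.WhoAmI(); // runs under the impersonated caller
            channel.Close();
            factory.Close();
            return result;
        }
        catch
        {
            channel.Abort();
            factory.Abort();
            throw;
        }
    }
}
```

Because the browser client cannot choose a delegation level itself, what `caller.ImpersonationLevel` reports on the middle tier depends on the Kerberos setup: the middle-tier service account must be trusted for delegation (constrained delegation to the backend SPN being the least-privilege form) and the browser must obtain a Kerberos, not NTLM, ticket. Logging the level at the first hop is a quick way to tell a delegation problem apart from an authorization problem when the second hop answers 401.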

0 Answers