Question

ASP.Net Service - Impersonation Issues

SDK
asked on October 13, 2015

I am working on a web service that will return matches of images based on Windows authentication of the user and what they have access to.  I am using the WebDocView application example from the ACI351 class as an example of how to impersonate a user with a Windows service.

Upon using session.Login(repositoryreg), I get the following error:

Could not load file or assembly 'Laserfiche.HttpClient, Version=9.0.0.0, Culture=neutral, PublicKeyToken=3f98b3eaee6c16a6' or one of its dependencies. Either a required impersonation level was not provided, or the provided impersonation level is invalid. (Exception from HRESULT: 0x80070542)


I verified that the Current User Identity is correct.  The relevant piece of my code is as follows:


      using System;
      using System.Security.Principal;
      using System.Web;
      using Laserfiche.RepositoryAccess;

      try
      {
         // Identity of the worker process itself (kept for diagnostics only)
         WindowsIdentity current = WindowsIdentity.GetCurrent();
         // Identity of the authenticated caller; requires Windows authentication in IIS
         WindowsIdentity clientID = (WindowsIdentity)HttpContext.Current.User.Identity;
         // Run the repository login under the caller's token
         using (WindowsImpersonationContext wic = clientID.Impersonate())
         {
            // Log into Repository as the impersonated caller
            RepositoryRegistration MyRepository = new RepositoryRegistration(servername, reponame);
            Session newsession = new Session();
            newsession.LogIn(MyRepository);
            MySession = newsession;
         }
      }
      catch (Exception e)
      {
         error = e.Message;
      }


If anyone has any ideas on what I am missing here, I'd greatly appreciate it. 

Thanks!

Jonathan


Replies

replied on October 13, 2015

In order to take a Windows identity on one machine (the web server) and pass it to another machine (the LFS server), you need to have delegation-level impersonation.  To do this, you need to configure Kerberos on the web server.  Doing this for your application will be the same as if you were doing it for Web Access; you can use that product's documentation as your guide.

replied on October 13, 2015

Brian,

Thank you for responding.  I pushed this service to a test server that is configured correctly with Kerberos in order to continue.  Using the 'Kerberos Authentication Tester' (http://blog.michelbarneveld.nl/media/p/33.aspx), I was able to verify that I was authenticating correctly with Kerberos and that 'Negotiate' was being used to authenticate.  I can pull more info out of that if there is anything else that will help.  I also set the application pool to run as 'LocalSystem'.

The latest error message I am getting when running from the server is this:


"Open HTTP session failed.|System.ComponentModel.Win32Exception (0x80004005): Eith" +
    "er a required impersonation level was not provided, or the provided impersonatio" +
    "n level is invalid|Laserfiche.HttpClient


Looking at the WindowsIdentity, it appears that my ImpersonationLevel is still Identification.  Does it need to be 'Delegate' in order to make this work?  If so, I am just not sure what more I need to do to make that happen.

Thanks again for your help!

Jonathan


replied on October 13, 2015

My experience is that the ImpersonationLevel value that you can see from .Net never says Delegation, so I wouldn't take that as a negative sign.  If that tool reports that it's doing Kerberos and ASP.Net is getting the identity, then it does seem like everything is configured to correctly identify clients to the web server.  The most likely cause for the delegation to LFS to fail is that the web server hasn't been marked as trusted for delegation in AD.

There may be more information in the event log on the LFS machine.

replied on October 14, 2015

OK, so I took a step back and verified that the web application can correctly get this all to work and impersonate to connect to Laserfiche.  What is getting me all mixed up is having the process run within a WCF web service.  There has to be something in the bindings/service settings in web.config that is causing this to fail for that situation.  I'll keep on struggling in hopes something makes this work.


Thanks,

Jonathan

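The following is an added example, not code from the poster or from Laserfiche, showing how a WCF operation would obtain the caller's Windows identity through the service security context (rather than HttpContext, which is not available in a WCF service without ASP.NET compatibility mode) and record what the caller's token reports before attempting the repository login. It assumes an IIS host with Windows authentication, the web.config fragment sketched in the comments, the server and repository names as placeholders, and the Laserfiche.RepositoryAccess Session/RepositoryRegistration types used in the question.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using Laserfiche.RepositoryAccess;

// Assumed web.config (constructed for this example, not from the thread):
//   <bindings><basicHttpBinding><binding name="winAuth">
//     <security mode="TransportCredentialOnly">
//       <transport clientCredentialType="Windows" />
//     </security></binding></basicHttpBinding></bindings>
//   <behaviors><serviceBehaviors><behavior>
//     <serviceAuthorization impersonateCallerForAllOperations="true" />
//   </behavior></serviceBehaviors></behaviors>
// together with Windows authentication enabled and anonymous access disabled in IIS.

[ServiceContract]
public interface IImageSearch
{
    [OperationContract]
    string DescribeCaller();
}

public class ImageSearchService : IImageSearch
{
    private const string ServerName = "LFSERVER-PLACEHOLDER"; // placeholder, not a real host
    private const string RepoName = "REPO-PLACEHOLDER";       // placeholder repository name

    // Ask WCF to run this operation under the caller's token. Only a Kerberos
    // token from a host trusted for delegation can be forwarded to the LFS server;
    // an NTLM or Identification-level token stops at this machine.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string DescribeCaller()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;

        // Worth writing to the service log when the double hop fails:
        // AuthenticationType shows Kerberos vs NTLM, ImpersonationLevel shows the token level.
        string diag = string.Format("user={0} auth={1} level={2}",
            caller.Name, caller.AuthenticationType, caller.ImpersonationLevel);

        RepositoryRegistration registration = new RepositoryRegistration(ServerName, RepoName);
        using (Session session = new Session())
        {
            // Executes as the impersonated caller because of ImpersonationOption.Required
            session.LogIn(registration);
        }
        return diag;
    }
}
```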