
Impersonation: call only once or keep calling per client call? MVC2 calling -> WCF


When impersonating a client to a web service, do I need to call it once, or do I need to call it several times, essentially each time I call the client?

client.ClientCredentials.Windows.AllowedImpersonationLevel =
    System.Security.Principal.TokenImpersonationLevel.Impersonation;

I call my client several times in the course of my controllers. I only call this once. I can't seem to get past the first page of my website, though (this website, an MVC2 website, calls my WCF webservice).

A little confused here. If you guys can be of any help I would greatly appreciate it. Thanks.


Solution

  • Impersonation is allowed per proxy (client channel) instance, so if you create a new proxy instance (a client) for different controllers / actions you have to configure it for each proxy instance. Once you have created an instance you can do multiple calls to the service on that instance and it will correctly impersonate the client. Be aware that you should create a new proxy instance for each MVC action which needs to communicate with the WCF service.

    Btw., are you trying to impersonate the original user (the user accessing your MVC application) or the user account running the AppPool hosting the MVC application? If the first case is your scenario you can have problems, because impersonation is limited to a single network hop. That means that a user can be impersonated on the server hosting the MVC application (first hop), but if the WCF service is on another server (second hop) impersonation will not work there (because of the single hop limitation). In such scenarios you need delegation instead of impersonation, and delegation requires correctly configured Kerberos.
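
The per-proxy configuration described in the answer, as an added example that is not part of the original post. `IReportService`, `ReportService`, `ReportServiceClient` and `ReportsController` are hypothetical names, and the sketch assumes an endpoint for the contract is configured in web.config with a binding that uses Windows authentication.

```csharp
// Added example: all type names below are hypothetical, not from the original post.
using System.Security.Principal;
using System.ServiceModel;
using System.Web.Mvc;

[ServiceContract]
public interface IReportService
{
    [OperationContract] string WhoAmI();
    [OperationContract] string[] ListReports();
}

// Service side: each operation runs under the caller's Windows identity.
public class ReportService : IReportService
{
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoAmI() { return WindowsIdentity.GetCurrent().Name; }
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string[] ListReports() { return new string[0]; }
}

// Client proxy; assumes an IReportService endpoint is configured in web.config.
public class ReportServiceClient : ClientBase<IReportService>, IReportService
{
    public string WhoAmI() { return Channel.WhoAmI(); }
    public string[] ListReports() { return Channel.ListReports(); }
}

public class ReportsController : Controller
{
    public ActionResult Index()
    {
        // New proxy for this action; set the level before the first call opens the channel.
        var client = new ReportServiceClient();
        client.ClientCredentials.Windows.AllowedImpersonationLevel =
            TokenImpersonationLevel.Impersonation;
        try
        {
            // Both calls go through the same instance and reuse the setting.
            ViewData["ServiceIdentity"] = client.WhoAmI();
            ViewData["Reports"] = client.ListReports();
            client.Close();
        }
        catch
        {
            client.Abort(); // a faulted channel cannot be closed cleanly
            throw;
        }
        return View();
    }
}
```

The name returned by `WhoAmI` is a quick check of which account the service actually sees: the AppPool account or the original user.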