Can I create a .net web service that allows anonymous access, but impersonates user rights based on user ID?

I have a web application on an IBM WAS server (Windows).

In the WAS application, users can view files on another server. This function connects to a web service to get a list of files from the network path.

The web service is built with .net and resides on a separate server that is on the same domain as the file server.

The WAS app service request sends the user ID as part of the call.

Is there a way to get the user ID that is passed to the web service and restrict it to only files / folders accessible to them based on Windows security?

From what I know, this is not possible if the WAS application is unable to send a request to the web service as a logged in user.

So my second question is, is it possible to pass Windows user credentials from a WAS application to a web service?

I'm not too familiar with Windows Authentication and impersonation, and I know even less about WAS and how it handles security, so I'm hoping to find out if this is possible and where I can start.



3 answers


Assuming you have Active Directory installed, the only way the WAS server can send requests based on the credentials of the user accessing it is if the DC recognizes the WAS service (i.e. the account that is running your WAS application) for delegation. We ran into this problem (several times) here. We use an AD account to run the IIS application pools, and then the AD account should be able to authenticate users from AD and connect to the SQL server.

The fix for us was registering process names (SPNs) for the user running the IIS application pool. This allows the user account to authenticate users against AD since AD recognizes it as a service. Then you can follow the traditional .NET impersonation rules for passing credentials. Sorry, I can't provide more specific information, but hopefully this at least points you in the right direction.



See: http://technet.microsoft.com/en-us/library/cc773257.aspx



Here is a link to understand Anonymous Access and Impersonation with .NET: Anonymous Access and Impersonation





No. You can create an identity token, but you need an impersonation token to verify access, and such an impersonation token can only be created by presenting a password or delegation from an account trusted for delegation, which in turn was represented by a password (or sufficient proof for which the original identity has a password, i.e. the AD it refers to).

What you need to do is have the WAS server impersonate the caller and then invoke your service while impersonating. The account running WAS must be configured to allow constrained delegation.

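The distinction the last answer draws between an identity token and an impersonation token is easy to see on the web-service side. The C# below is an added example, not code from the question or any of the answers; it assumes .NET Framework 4.6 or later on Windows, a constructed UPN such as `alice@corp.example`, and a UNC path supplied by the WAS application. It asks the domain controller for a token for the named user (no password), checks the token's impersonation level, and only then enumerates files under that token so the file server's ACLs are evaluated against the user rather than the application pool account.

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Added example (not from the question or any answer). Given only a user
// name, Windows can hand the service an identity token for that user; unless
// the service account is trusted for delegation, that token is
// identification-level and cannot be used to open files as the caller.
// The check below refuses in that case instead of silently falling back to
// the service account's own rights.
public static class CallerScopedListing
{
    // userPrincipalName: e.g. "alice@corp.example" (constructed sample value)
    // networkPath: the UNC path the WAS application asked about
    public static string[] ListFilesAsCaller(string userPrincipalName, string networkPath)
    {
        // Requests a token for this user from the DC without a password.
        // This is the "identity token" the answer describes.
        using (var caller = new WindowsIdentity(userPrincipalName))
        {
            // Identification-level tokens expose the SID and group list but
            // cannot be used to act as the user. Only Impersonation or
            // Delegation level tokens are usable for resource access.
            if (caller.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
            {
                throw new UnauthorizedAccessException(
                    $"Token for {caller.Name} is {caller.ImpersonationLevel}; " +
                    "the service account is not trusted for delegation, so the " +
                    "file server would see the service account, not the user.");
            }

            // Run the listing under the caller's token so NTFS and share ACLs
            // on the file server apply to the user. Reaching a remote host this
            // way additionally requires constrained delegation from the service
            // account to that file server's CIFS service.
            return WindowsIdentity.RunImpersonated(caller.AccessToken,
                () => Directory.GetFiles(networkPath));
        }
    }
}
```

The rejected case is the one the question describes: an anonymous call carrying only a user ID, with no credential chain back to that user, can identify the caller but cannot be scoped to their file rights.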






