Implementing Windows identity impersonation with Claims to Windows Token Service (c2WTS)

The WIF runtime provides a feature called the Claims to Windows Token Service (c2WTS) that allows the RP application to impersonate a Windows user by extracting the User Principal Name (UPN) claim from an open security token format such as SAML. This is often needed in SSO scenarios where a service on another computer has to be accessed under the user's Windows identity. The c2WTS is installed as a Windows service and is invoked by the WIF runtime over Net Named Pipes (IPC).

Note

Note that if the RP is running under the Local System account, there is no requirement for it to use the c2WTS. This recipe discusses a solution that is typical of a claims-based web farm scenario, where impersonation is often required to access databases and other services.

The c2WTS can be configured through the token handler in the Microsoft.IdentityModel configuration section, or invoked on demand by calling the UpnLogon method (Microsoft.IdentityModel.WindowsTokenService). In this recipe, we will learn the steps to configure the c2WTS and see how it can be used to implement impersonation and to protect static content.

Getting ready

The c2WTS service must be configured with the list of allowed callers. Open the c2wtshost.exe.config file located under the %ProgramFiles%\Windows Identity Foundation\v3.5 folder and uncomment the <allowedCallers> section content, as shown in the following screenshot:

[Screenshot: the allowedCallers section of c2wtshost.exe.config]

Note

Note that you must open this file as an administrator in order to edit it. You will also need the UPN of another valid Active Directory (AD) user that you want to impersonate in this exercise.
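The following is an added example of the relevant part of c2wtshost.exe.config (not a copy of the recipe's screenshot). The windowsTokenService/allowedCallers element structure is the one the WIF 3.5 file ships with; the identity value is an assumption for an RP whose application pool runs as Network Service, and it is the only caller granted access. Listing a broad group such as Authenticated Users would let any local process obtain a Windows token for any UPN, so keep the list to the RP's process identity:

```xml
<configuration>
  <configSections>
    <section name="windowsTokenService"
             type="Microsoft.IdentityModel.WindowsTokenService.Configuration.WindowsTokenServiceSection, Microsoft.IdentityModel.WindowsTokenService, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
  <windowsTokenService>
    <!-- By default no callers are allowed to use the c2WTS.
         Only the process identity of the RP application needs to be listed. -->
    <allowedCallers>
      <clear />
      <!-- Assumption: the WebRP application pool runs as Network Service. -->
      <add value="NT AUTHORITY\Network Service" />
    </allowedCallers>
  </windowsTokenService>
</configuration>
```

Restart the Claims to Windows Token Service after editing the file; the service reads the allowed callers at start-up, and a caller that is not listed receives an access-denied fault from UpnLogon rather than a Windows token.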

How to do it...

Follow these steps:

  1. Start the Claims to Windows Token Service from the Services console:
    [Screenshot: the Claims to Windows Token Service in the Services console]
  2. Open the IdentityManagement solution and add a reference to the System.DirectoryServices.AccountManagement assembly in the WebSTS project.
  3. Open the Default.aspx.cs file and include the following code in the Button1_Click event handler to add a UPN claim:
    try
    {
        // Add the UPN of the AD user to impersonate as a claim in the issued token
        claims.Add(WSIdentityConstants.ClaimTypes.Upn, "[email protected]");
    }
    catch (PrincipalServerDownException)
    {
        // Do not add this claim if you are disconnected from AD
    }
    

    Notice that the PrincipalServerDownException type is defined in the System.DirectoryServices.AccountManagement assembly; it is thrown when you are not connected to AD.

  4. Open the Default.aspx page in the WebRP project and include a couple of Label controls inside the <form> tag to display the current and impersonated user:
    <body>
        <form id="form1" runat="server">
            <div style="padding-left:80%">
                Welcome
                <asp:Label ID="lblLoginMessage" runat="server"></asp:Label>! You are Impersonating
                <asp:Label ID="lblImpersonationMessage" runat="server"></asp:Label>
            </div>
        </form>
    </body>
    
  5. Open the Default.aspx.cs file in the WebRP project and write the following code in the CreateChildControls method (inside the foreach loop over the claims):
    // Requires: Microsoft.IdentityModel.WindowsTokenService (S4UClient),
    // System.Security.Principal (WindowsIdentity, WindowsImpersonationContext),
    // System.ServiceModel.Security (SecurityAccessDeniedException)
    if (item.Key == WSIdentityConstants.ClaimTypes.Upn)
    {
        try
        {
            // Ask the c2WTS to map the UPN claim value to a Windows identity
            var windowsIdentity = S4UClient.UpnLogon(item.Value);
            using (WindowsImpersonationContext context = windowsIdentity.Impersonate())
            {
                // Inside the context, the current identity is the impersonated user
                lblImpersonationMessage.Text = WindowsIdentity.GetCurrent().Name;
                context.Undo();
            }
            // Back to the identity of the application process
            lblLoginMessage.Text = WindowsIdentity.GetCurrent().Name;
        }
        catch (SecurityAccessDeniedException)
        {
            // The process identity is not an allowed caller of the c2WTS
            lblLoginMessage.Text = "Access Denied";
            lblImpersonationMessage.Text = "Impersonation Failed";
        }
    }
    

    The preceding code checks whether the claims retrieved from the token include a claim of type UPN, maps that claim to a WindowsIdentity through the c2WTS, and creates an impersonation context from it.

  6. Compile the solution and run the WebSTS project. When you click the Create Token button, you are redirected to the Default page of the WebRP application, and the current and impersonated users are displayed on the page, as shown in the following screenshot:
    [Screenshot: the current and impersonated users displayed on the WebRP Default page]

Note

You must be connected to the AD for this solution to work.

How it works...

The WIF runtime invokes the c2WTS over IPC when the UpnLogon method is called. UpnLogon returns a WindowsIdentity instance for the UPN claim value, and the Impersonate method of that WindowsIdentity instance is then used to create an impersonation context.

The Undo method of the WindowsImpersonationContext class ends the impersonation and sets the context back to the current Windows identity (as evident from the WindowsIdentity.GetCurrent method call).
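The following is an added example, not the recipe's code, that wraps the UpnLogon/Impersonate/Undo sequence described above in one helper for the RP. It reads the UPN claim from the IClaimsPrincipal that the WIF Federation Authentication Module places on the request (Microsoft.IdentityModel.Claims.ClaimTypes.Upn carries the same claim-type URI the recipe references through WSIdentityConstants), runs a caller-supplied action under the impersonated identity, and relies on disposing the WindowsImpersonationContext to revert to the process identity even when the action throws. The class and method names are assumptions; the catch of EndpointNotFoundException assumes the WCF net.pipe client raises it when the c2WTS is stopped:

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.WindowsTokenService;

// Added example (hypothetical helper, not part of the recipe's solution).
public static class ClaimsImpersonation
{
    // Outcome of one impersonation attempt; Error is null when the action ran.
    public sealed class Outcome
    {
        public string OriginalUser;
        public string ImpersonatedUser;
        public string Error;
    }

    public static Outcome RunAsUpn(IClaimsPrincipal principal, Action work)
    {
        var outcome = new Outcome { OriginalUser = WindowsIdentity.GetCurrent().Name };

        // Locate the UPN claim; without it there is nothing to map to a Windows token.
        var identity = principal == null ? null : principal.Identity as IClaimsIdentity;
        Claim upnClaim = null;
        if (identity != null)
        {
            foreach (Claim c in identity.Claims)
            {
                if (c.ClaimType == ClaimTypes.Upn) { upnClaim = c; break; }
            }
        }
        if (upnClaim == null || string.IsNullOrEmpty(upnClaim.Value))
        {
            outcome.Error = "No UPN claim present in the security token";
            return outcome;
        }

        try
        {
            // Round trip to the c2WTS over its net.pipe endpoint (IPC).
            WindowsIdentity windowsIdentity = S4UClient.UpnLogon(upnClaim.Value);

            // Disposing the context performs the Undo, so the process identity is
            // restored even if 'work' throws; no explicit context.Undo() is needed.
            using (WindowsImpersonationContext context = windowsIdentity.Impersonate())
            {
                outcome.ImpersonatedUser = WindowsIdentity.GetCurrent().Name;
                work();
            }
        }
        catch (SecurityAccessDeniedException)
        {
            // The RP's process identity is not listed under <allowedCallers>.
            outcome.Error = "c2WTS refused the caller; check allowedCallers in c2wtshost.exe.config";
        }
        catch (EndpointNotFoundException)
        {
            // Assumption: raised when the Claims to Windows Token Service is not running.
            outcome.Error = "Claims to Windows Token Service is not reachable";
        }
        return outcome;
    }
}
```

In the WebRP page, Page.User is an IClaimsPrincipal once the Federation Authentication Module has processed the token, so a call such as `ClaimsImpersonation.RunAsUpn((IClaimsPrincipal)Page.User, () => { /* access a database or file share as the user */ })` replaces the inline block in step 5, and `outcome.OriginalUser` and `outcome.ImpersonatedUser` feed the two labels. Keeping the work inside the using block is what matters: code placed after it runs as the application pool identity again, which is the behaviour the Undo method of WindowsImpersonationContext provides.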

There's more...

For on-demand impersonation, similar results can be achieved by creating a WindowsIdentity object directly from the UPN value. However, the c2WTS provides a more robust and generic implementation through the mapToWindows configuration attribute, and it also supports rehydrating the Windows identity from the UPN in a cookie-mode secure conversation.

Static content security

Static content such as .htm files is not protected by the Federation Authentication Module. The c2WTS can be invoked to map the claims security token to a Windows token and so prevent unauthorized access to the entire application, including static content. The following configuration changes are required in the security token handler configuration under the Microsoft.IdentityModel section:

<securityTokenHandlers>
    <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
    </add>
</securityTokenHandlers>

Certificate logon

In addition to the UpnLogon method, the S4UClient class (Microsoft.IdentityModel.WindowsTokenService) exposes a CertificateLogon method that can be used to create an impersonating WindowsIdentity object from an X.509 certificate.

See also

The complete source code for this recipe can be found in the Chapter 3\Recipe 5 folder.
