How do I get windows credentials on a WCF service when using IIS certificate mapping.

Hello,

I've been working on a WCF-based client/server prototype in C# for a while, and I'm running into a few issues. First, some background: my service will be using transportWithMessageCredential security, with certificate security at the transport level. The service needs to support both Windows and certificate credentials (depending on deployment) for the message credential. The service also needs to perform authorization checking based on a Windows group. In an Active Directory domain setting, with a client credential type of 'Windows', everything seems to work, and I can pull the Windows identity out of OperationContext.Current.ServiceSecurityContext.WindowsIdentity.Name (and PrimaryIdentity.Name, for that matter). I can then use this to check group membership.

Unfortunately, with certificates, this is not as easy. Obviously, when using a certificate the WindowsIdentity.Name is not populated: we don't have a Windows identity to associate with the client if they're using a certificate. I was hoping to use IIS certificate-to-account mapping (1-to-1) to remedy this; however, even when certificate mapping is set up for my client certificate, the WindowsIdentity is not populated.

So I tried a number of (possibly silly) things to try to get IIS to place the Windows credentials into the security context on the server side. First, I tried setting the message credential to 'UserName' or 'Windows', hoping that IIS would map the cert to a Windows account in order to authenticate to the service, but that just generated exceptions (the standard unsecured connection fault that happens whenever your app.config and web.config have mismatching message credential types).

My question is, if I do certificate-to-account mapping in IIS, and have my service hosted in IIS, how do I get access to the mapped account information from my service? So far I've spent a week searching MSDN and other web sites, and I've come across a few unresolved questions similar to mine, but no real answers. Any help would be greatly appreciated.

Thanks,

Mim

mimatas
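An added example, not code from the thread, of the service-side authorization branch the question describes in C#: when the message credential is Windows, the populated WindowsIdentity is checked for group membership; when it is a certificate, WindowsIdentity is empty, so the check falls back to the client certificate claim set and an application-level thumbprint-to-role table. The group name, the thumbprint values and the CallerAuthorization helper are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical helper called at the top of each service operation hosted with
// TransportWithMessageCredential. Names and thumbprints below are assumptions.
public static class CallerAuthorization
{
    // Windows group required when the message credential is Windows (assumed name).
    private const string RequiredGroup = @"CONTOSO\ServiceUsers";

    // Application-level certificate-to-role table keyed by thumbprint (placeholder
    // value). Kept in the service because the IIS 1-to-1 mapping does not surface
    // a WindowsIdentity in the message-level ServiceSecurityContext.
    private static readonly Dictionary<string, string> CertificateRoles =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "0000000000000000000000000000000000000000", "ServiceUsers" },
        };

    public static void Demand()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous)
            throw new FaultException("Caller is not authenticated.");

        WindowsIdentity wi = ctx.WindowsIdentity;
        if (wi != null && !wi.IsAnonymous)
        {
            // Windows message credential: authorize by group membership.
            if (!new WindowsPrincipal(wi).IsInRole(RequiredGroup))
                throw new FaultException("Caller is not in the required group.");
            return;
        }

        // Certificate message credential: locate the client certificate claim set.
        foreach (ClaimSet cs in ctx.AuthorizationContext.ClaimSets)
        {
            X509CertificateClaimSet certClaims = cs as X509CertificateClaimSet;
            if (certClaims == null) continue;
            string thumbprint = certClaims.X509Certificate.Thumbprint;
            string role;
            if (CertificateRoles.TryGetValue(thumbprint, out role) && role == "ServiceUsers")
                return;
            throw new FaultException("Client certificate is not authorized.");
        }
        throw new FaultException("No usable client credential was presented.");
    }
}
```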
Hi,

This is because transportWithMessageCredential mode only uses the message security credentials. The transport (HTTPS in this case) is locked to anonymous authentication. Therefore, if you are using messageClientCredential with certificate, you won't be able to get Windows credentials; to get Windows credentials the only way is to set your transport or message level client credential to "windows".

See this blog for reference:
http://blogs.msdn.com/drnick/archive/2006/10/10/Which-Client-Credential-Does-TransportWithMessageCredential-Use_3F00_.aspx

Thanks
Binze
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
Bin-ze Zhao
Hello, and thank you for your reply. Unfortunately, the blog you referenced deals with a different problem than the one I'm trying to solve. Perhaps I should be more specific. My config files have sections that essentially look like this:

<security mode="TransportWithMessageCredential">
   <transport clientCredentialType="Certificate" proxyCredentialType="None"
       realm="" />
   <message clientCredentialType="Certificate" negotiateServiceCredential="true"
       algorithmSuite="Default" establishSecurityContext="true" />
</security>


I have then mapped the client certificate to a Windows account in IIS. What I'm trying to do now is programmatically retrieve the Windows credentials for the mapped account from the security context object on the server side. All I seem to be able to get, however, is the certificate credentials. I'm not entirely convinced that it's possible, but it seems reasonable to think that if IIS is doing certificate-to-account mapping, I should be able to retrieve the Windows account information that the certificate is mapped to. Thanks, mim
  • Edited by mimatas, Tuesday, September 22, 2009 5:29 PM: missing xml
mimatas
Hi,

I tested your scenario and got the same result. As I mentioned, transportWithMessageCredential mode only uses the message security credentials. The transport (HTTPS in this case) is locked to anonymous authentication, and with anonymous authentication you won't be able to get the WindowsIdentity on the server side from

OperationContext.Current.ServiceSecurityContext.WindowsIdentity.Name

Therefore transportWithMessageCredential mode won't fit your scenario here, as the transport level clientCredentialType is locked. I don't think you can change it to Windows or certificate.

Thanks
Binze
Bin-ze Zhao