Monday, November 24, 2008

Impersonation without Windows Authentication

How to Impersonate the Original Caller without Windows Authentication

When the client is authenticated with something other than Windows authentication (for example certificate authentication or username/password authentication), the service receives no Windows token for the caller. If you still need to impersonate the original caller (assuming the caller has a Windows account) or a service account, you have the following two options:

1. Using the S4U Kerberos extensions (protocol transition) - the service constructs a WindowsIdentity from the caller's user principal name (UPN) without a password. This requires a Windows Server 2003 or later domain, and to obtain a token that can actually be used to access resources you must grant your process account the "Act as part of the operating system" user right (SeTcbPrivilege). Without that right the call still succeeds, but the token is only at Identification level: you can check group membership, but you cannot open files, queues or databases as the caller.
2. Using the LogonUser Windows API - this requires the caller's cleartext credentials (username and password), so the WCF service must receive or store them, which increases the risk and the protection burden of keeping user credentials inside the service.

Note: the "Act as part of the operating system" right that S4U impersonation needs places your process within the trusted computing base (TCB) of the Web server, which makes your Web server process very highly privileged. Where possible, you should avoid this approach, because an attacker who manages to inject code into and compromise your Web application will then have unrestricted capabilities on the local computer.
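The two options above side by side, as an added C# example that is not part of the original post. It assumes .NET Framework 3.5 or later on a domain-joined machine (WindowsIdentity.Impersonate is the .NET Framework API; .NET Core uses WindowsIdentity.RunImpersonated instead). The UPN, service account name, password placeholder and file path are made-up values, and the S4U path checks the token's impersonation level up front so that a missing SeTcbPrivilege fails loudly instead of as a later "access denied".

```csharp
// Added example (not from the original post): the two impersonation paths
// described above. Names, UPN, credentials and paths are placeholders.
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Principal;

static class ImpersonationDemo
{
    // Option 1: S4U (protocol transition). No password is needed, only the
    // caller's UPN, which the service already knows after certificate or
    // username authentication. Without SeTcbPrivilege the constructor still
    // succeeds, but the token is Identification level and cannot open resources.
    public static WindowsIdentity S4ULogon(string upn)
    {
        var identity = new WindowsIdentity(upn);
        if (identity.ImpersonationLevel != TokenImpersonationLevel.Impersonation)
            throw new SecurityException(
                "S4U returned a " + identity.ImpersonationLevel + " token; the process " +
                "lacks 'Act as part of the operating system', so it cannot impersonate " + upn);
        return identity;
    }

    // Option 2: LogonUser. Needs the cleartext password, which the service must
    // therefore receive or store; that is the cost the post warns about.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    const int LOGON32_LOGON_NETWORK = 3;           // token good for local resources only
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8; // token can also reach network shares
    const int LOGON32_PROVIDER_DEFAULT = 0;

    public static WindowsIdentity PasswordLogon(string user, string domain,
                                                string password, bool needNetwork)
    {
        IntPtr token;
        int logonType = needNetwork ? LOGON32_LOGON_NETWORK_CLEARTEXT : LOGON32_LOGON_NETWORK;
        if (!LogonUser(user, domain, password, logonType, LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // WindowsIdentity duplicates the handle, so the original can be closed.
            return new WindowsIdentity(token);
        }
        finally
        {
            CloseHandle(token);
        }
    }

    // Run a unit of work as the given identity and always revert afterwards,
    // even if the work throws; a leaked impersonation context is a classic bug.
    public static void RunAs(WindowsIdentity identity, Action work)
    {
        using (WindowsImpersonationContext ctx = identity.Impersonate())
        {
            work();
        } // Dispose() calls Undo()
    }

    static void Main()
    {
        // Option 1: impersonate the authenticated caller by UPN (placeholder UPN).
        WindowsIdentity caller = S4ULogon("alice@corp.example");
        RunAs(caller, () => Console.WriteLine(
            WindowsIdentity.GetCurrent().Name + " is reading as the original caller"));

        // Option 2: impersonate a service account; the password must come from a
        // protected store (DPAPI, a vault), never from source or plain config.
        WindowsIdentity svc = PasswordLogon("svc_reports", "CORP",
                                            "<password-from-protected-store>", needNetwork: false);
        RunAs(svc, () => Console.WriteLine(File.ReadAllText(@"C:\data\report.txt").Length));
    }
}
```

Two practical points the code makes explicit: for option 1, test identity.ImpersonationLevel rather than waiting for a downstream access-denied error, because the WindowsIdentity constructor does not fail when the privilege is missing; for option 2, LOGON32_LOGON_NETWORK yields a token that cannot authenticate to remote resources, so if the impersonated work must reach a file share or SQL Server on another machine you need LOGON32_LOGON_NETWORK_CLEARTEXT, which keeps the cleartext credential in the logon session and widens the exposure further.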
