Authenticating users on the web service
I would like to call the FIM web service from an asp.net web application where the user is authenticated through an SSO service. The application has identity information about the user, but not the password (and therefore cannot construct a NetworkCredential object to pass to the service). I have found an article that explains a possible solution to this problem: Authenticating users with Supporting Tokens in WCF. If I understood correctly, however, this requires some support from the service. Is it possible to use that approach with FIM?

Thanks,
Paolo

Paolo Tedesco - http://cern.ch/idm
January 13th, 2010 6:50pm

Can't your asp.net app impersonate the user and talk to FIMService?
January 14th, 2010 12:12pm

I wanted to check if it's possible to avoid impersonation and the extra configuration required to solve the double-hop problem...

Paolo Tedesco - http://cern.ch/idm
January 14th, 2010 7:02pm

Impersonation seems proven to work. FIM Portal and CM Portal are impersonating at different stages.

The FIM Password Reset Blog http://blogs.technet.com/aho/
January 16th, 2010 3:04am

Since impersonation seems the way to go, now I'm trying to have my application impersonate the user:

    // Impersonate the Windows user that ASP.NET authenticated, then revert when done.
    WindowsIdentity windowsIdentity = (WindowsIdentity)HttpContext.Current.User.Identity;
    using (WindowsImpersonationContext context = windowsIdentity.Impersonate())
    {
        // call web service...
    } // leaving the using block calls context.Undo() and reverts to the application identity

The asp.net application is running with an account that is trusted for delegation, and can present delegated credentials on the machine where the FIM service is running (to avoid the double-hop problem). However, I don't manage to make impersonation work. If I configure the enumeration endpoint like this, for example:

    <binding name="ServiceMultipleTokenBinding_Enumeration" closeTimeout="00:01:00" openTimeout="00:01:00"
             receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false" transactionFlow="false"
             hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="165536"
             messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false"
             contextProtectionLevel="Sign">
      <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                    maxBytesPerRead="4096" maxNameTableCharCount="16384"/>
      <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false"/>
      <security mode="Message">
        <transport clientCredentialType="Windows" proxyCredentialType="None" realm=""/>
        <message clientCredentialType="Windows" negotiateServiceCredential="true"
                 algorithmSuite="Default" establishSecurityContext="false"/>
      </security>
    </binding>

I get an error saying "The token provider cannot get tokens for target <machine name>". Any idea about what I'm doing wrong?

Paolo Tedesco - http://cern.ch/idm
January 18th, 2010 3:09pm

Maybe this one would help? http://www.vistax64.com/indigo/20438-negotiatecleintcredentials-false-wshttpbinding-message-security-client-credential-type-windows.html

The FIM Password Reset Blog http://blogs.technet.com/aho/
January 19th, 2010 5:04am

Hi Anthony,

Thanks for the link, but modifying the service configuration as indicated in the post does not seem to help; I'm still getting the same error. I also tried to ask for help on the WCF forum, in this thread, and I got a reply saying that the server explicitly disables the impersonation mechanism. Is this the case for FIM?

Thanks,
Paolo

Paolo Tedesco - http://cern.ch/idm
January 19th, 2010 2:29pm

I think you should try that modification on your WS client's config file, not the service config file? Once again, I am not a WCF expert.
January 19th, 2010 7:57pm

I thought that was service configuration... anyway I tried that on the client but nothing changed.

Thanks,
Paolo

Paolo Tedesco - http://cern.ch/idm
January 20th, 2010 11:31am

Can we try to split the problem in two? Let's first use your WS client and see if impersonation works, and then try to add delegation to the picture. I am trying to see what happens if you remove delegation and have a simple app which impersonates and then performs a WS call.

The FIM Password Reset Blog http://blogs.technet.com/aho/
January 20th, 2010 5:55pm

This looks like a Kerberos issue. Almost any time I see error messages about token providers it's network infrastructure. Please confirm the SPNs are in place (see the install guide) and that Kerberos delegation is working.
January 27th, 2010 9:35pm
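An added example, not code from this thread or from FIM, of the impersonate-then-call pattern discussed above combined with the Kerberos delegation check recommended in the last reply. It verifies that the authenticated user's token is delegation-level before the second hop, impersonates only for the duration of the call, and reverts even on exceptions. `FimEnumerationClient` and its `Enumerate` method are hypothetical stand-ins for the application's generated WCF proxy, and the SPN string is a placeholder.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.Web;

public static class FimCaller
{
    // Runs 'call' while impersonating the Windows user that ASP.NET authenticated,
    // and always reverts to the application pool identity afterwards.
    public static T RunAsCurrentUser<T>(Func<T> call)
    {
        WindowsIdentity user = HttpContext.Current.User.Identity as WindowsIdentity;
        if (user == null || user.IsAnonymous)
            throw new InvalidOperationException("Request is not Windows-authenticated; nothing to impersonate.");

        // For the second hop (web app -> FIM service) the token must be delegation-level.
        // An Impersonation-level token works on this box but cannot obtain a Kerberos ticket to FIM,
        // which surfaces as "The token provider cannot get tokens for target ...".
        if (user.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new InvalidOperationException("Token level is " + user.ImpersonationLevel +
                "; Kerberos delegation is not in place (check SPNs and trusted-for-delegation).");

        using (WindowsImpersonationContext ctx = user.Impersonate())
        {
            // Sanity check: the thread now runs as the end user, not the app pool account.
            if (WindowsIdentity.GetCurrent().User != user.User)
                throw new InvalidOperationException("Impersonation did not take effect.");
            return call();
        } // Dispose() calls Undo(), reverting even if 'call' throws
    }

    // Hypothetical caller: FimEnumerationClient stands for the generated WCF proxy.
    public static string EnumerateAsUser(string filter)
    {
        return RunAsCurrentUser(() =>
        {
            // Naming the service's SPN on the endpoint makes WCF request a Kerberos ticket for that
            // principal instead of falling back to NTLM, which cannot carry delegated credentials.
            EndpointAddress address = new EndpointAddress(
                new Uri("http://fimserver:5725/ResourceManagementService/Enumeration"),
                EndpointIdentity.CreateSpnIdentity("FIMService/fimserver.example.local")); // placeholder SPN
            FimEnumerationClient client = new FimEnumerationClient("ServiceMultipleTokenBinding_Enumeration", address);
            try { string result = client.Enumerate(filter); client.Close(); return result; }
            catch { client.Abort(); throw; } // never Close() a faulted channel
        });
    }
}
```

The SPN check mirrors the advice in the reply: if `ImpersonationLevel` comes back as Identification or Impersonation, the fix is on the Kerberos side (SPNs, trusted-for-delegation) rather than in the WCF binding.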

The description for Event ID 3 from source Application cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event. The following information was included with the event:

    mscorlib: System.ServiceModel.Security.SecurityNegotiationException: The token provider cannot get tokens for target 'http://fimserver:5725/ResourceManagementService/Enumeration'.
    ---> System.ServiceModel.Security.SecurityNegotiationException: The caller was not authenticated by the service.
    ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.
       at System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)
       at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
    --- End of inner exception stack trace ---
       at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
       at System.ServiceModel.Security.IssuanceTokenProviderBase`1.GetTokenCore(TimeSpan timeout)
       at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
       at System.ServiceModel.Security.SecurityProtocol.GetToken(SecurityTokenProvider provider, EndpointAddress target, TimeSpan timeout)
    --- End of inner exception stack trace ---

By the way, I am getting this because I added my user to "Deny access to this computer from the network" on the FIMServer, but again, that's only one of the possible reasons.

The FIM Password Reset Blog http://blogs.technet.com/aho/
January 28th, 2010 1:44am

Hello, I have a similar issue. I'm using the FIM 2010 RC1 web service client provided by IDA Guys (http://blogs.technet.com/idaguys/) to connect a web application with FIM. The application is running OK: it creates, reads and updates information in FIM, but this application must "always" run with the Administrator account. If I run the web application under different credentials (impersonating my web site; these users have the same permissions as the Administrator account) the FIM web service returns a fault exception with the message "Access to the requested resource(s) is denied". If all operations are submitted by the administrator account I can't track each operation with the appropriate user. So, the questions are: Is it possible to impersonate my web application and configure the WCF services to connect to FIM with different credentials? In that case, does somebody know if I must change the endpoint configuration on the client or if I need to set some MPR to solve this? If I must always run under the Administrator account to connect to the FIM Web Service, is it not possible to modify the "creator" field of the request with the appropriate user ID instead of the Administrator account ID? I think that this scenario is very common, but I didn't find information about this.
April 6th, 2010 11:24pm

>> Is it possible to impersonate my web application and configure the WCF services to connect to FIM with different credentials?

The answer is definitely YES. FIMPortal is just a WS impersonating the user to make a WS call to FIMService.

>> If I must always run under the Administrator account to connect to the FIM Web Service, is it not possible to modify the "creator" field of the request with the appropriate user ID instead of the Administrator account ID?

That's not possible. Allowing that is a big security risk...

>> These users have the same permissions as the Administrator account) the FIM web service returns a fault exception with the message "Access to the requested resource(s) is denied".

Can the user perform the same operation through FIMPortal? If yes, then I believe you are running into some Kerb issues (which I am not good at).

The FIM Password Reset Blog http://blogs.technet.com/aho/
April 7th, 2010 12:58am

This topic is archived. No further replies will be accepted.