I am having a hard time getting runtime impersonation to work.
Scenario:
- Anonymous access is disabled on all servers, and Windows auth is enabled
- Client calls Web Api 1
- Web Api 1 may call Web Api 2, or the oData Service
- Call from Web Api 1 to Web Api 2 needs to be impersonated with the Client Credentials
- Calls from Web Api 1 to oData Service must not be impersonated
- Web Api 1 calls both services using WebRequest
- We have Kerberos delegation configured properly
What Works (Kinda):
If I turn on impersonation in Web Api 1 using the Web.config:
<authentication mode="Windows"/>
<identity impersonate="true"/>
- All calls are getting impersonated: Web Api 1 --> Web Api 2, and Web Api 1 --> oData Service
This is not what we want. We want the oData Service to be accessible only via the Application Pool account. Hence we don't want to impersonate all outgoing calls from Web Api 1.
Programmatic Impersonation
We tried to impersonate only the calls going from Web Api 1 to Web Api 2 using the following code.
Disable impersonation in Web.config:
<authentication mode="Windows"/>
<identity impersonate="false"/>
Impersonate calls from Web Api 1 to Web Api 2:
// Impersonate the currently authenticated user for the duration of the using block
using (((WindowsIdentity)HttpContext.Current.User.Identity).Impersonate()) {
var request = (HttpWebRequest)HttpWebRequest.Create(uri);
...
...
// DefaultCredentials presents whatever Windows identity the current thread holds
request.Credentials = CredentialCache.DefaultCredentials;
response = (HttpWebResponse)request.GetResponse();
}
Results:
- Calls from Web Api 1 to oData are not impersonated (as expected)
- Calls from Web Api 1 to Web Api 2 are not impersonated either. This is the problem.
Question:
- Is this how runtime impersonation should be implemented in Web Services?
- What are we doing wrong?
Any pointers would be helpful.
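Scoping impersonation to a single outbound call, with the checks a practitioner would add to see which Windows identity each request actually goes out under. This is an added example, not the asker's code; `OutboundCall`, `AsAppPool`, `AsClient` and `Send` are hypothetical names.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Web;

// Hypothetical helper: one entry point per identity the call should be made under.
public static class OutboundCall
{
    // The oData case: send under the application pool identity, no impersonation.
    public static string AsAppPool(Uri uri)
    {
        return Send(uri);
    }

    // The Web Api 2 case: send under the authenticated client's identity.
    public static string AsClient(Uri uri)
    {
        var client = HttpContext.Current.User.Identity as WindowsIdentity;
        if (client == null || !client.IsAuthenticated)
            throw new InvalidOperationException("No authenticated Windows identity on the request.");

        // An Identification-level token cannot be used for outbound authentication at all,
        // so fail loudly instead of silently sending as the pool account.
        if (client.ImpersonationLevel == TokenImpersonationLevel.Identification)
            throw new InvalidOperationException(
                "Token for " + client.Name + " is Identification-level; cannot impersonate outbound.");

        // Dispose() reverts the thread to the pool identity; the call must complete inside this scope.
        using (WindowsImpersonationContext ctx = client.Impersonate())
        {
            return Send(uri);
        }
    }

    private static string Send(Uri uri)
    {
        // Whatever identity the thread holds here is what DefaultCredentials will present.
        string sentAs = WindowsIdentity.GetCurrent().Name;

        var request = (HttpWebRequest)WebRequest.Create(uri);
        request.UseDefaultCredentials = true;   // equivalent to CredentialCache.DefaultCredentials
        request.PreAuthenticate = true;

        using (var response = (HttpWebResponse)request.GetResponse())
        {
            // Returned for logging: compare against what the downstream service reports seeing.
            return sentAs + " -> " + (int)response.StatusCode;
        }
    }
}
```

Logging the returned string on Web Api 1 and the authenticated user on Web Api 2 for the same request shows directly whether the hop carried the client identity or fell back to the pool account.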