I need to get a Windows token from Claims. The solution is a Claims Aware WCF webservice that uses ADFS 2.0 and runs in IIS ASP.NET 4.0. (The Kerberos token is needed towards impersonated database access.)
In .NET 3.5 and 4.0 the c2WTS Service is used to get Windows Identity from claims:
WindowsIdentity winId = S4UClient.UpnLogon(upn);
But the documentation for the c2WTS states the following: "...[Starting with the .NET Framework 4.5, Windows Identity Foundation (WIF) has been fully integrated into the .NET Framework. The version of WIF addressed by this topic, WIF 3.5, is deprecated and should only be used when developing against the .NET Framework 3.5 SP1 or the .NET Framework 4..."
What would be the equivalent of c2WTS in .NET 4.5?
Enable the Claims to Windows Token Service feature. Open Microsoft Server Manager, and on the dashboard click Add roles and features. In the Add Roles and Features Wizard, go to the Features page and select Windows Identity Foundation 3.5. Click Next and then Install.
The Claims to Windows Token Service (c2WTS) is a feature of Windows Identity Foundation (WIF). The c2WTS extracts user principal name (UPN) claims from non-Windows security tokens, such as SAML and X.509 tokens, and generates impersonation-level Windows security tokens.
There is no equivalent. But you can still install WIF to get the C2WTS service.
The SAML security token handler has the MapToWindows feature that returns a Windows identity. This is similar to what C2WTS does, but:
1) The Windows identity can only be used for authorization locally. To impersonate you would need SYSTEM privileges, which is what C2WTS runs under.
2) To delegate the token you need to configure constrained delegation in AD (just like with C2WTS).
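As an added example (not code from the question or from any of the answers above), this is how the MapToWindows path of the .NET 4.5 SAML 2.0 handler can be wired up, followed by the check the last answer implies: the resulting WindowsIdentity is only safe to impersonate when the process holds the privileges c2WTS runs with, otherwise the S4U token is Identification-level and is good for local authorization only. The class name SamlToWindows, the handler configuration passed in, and the "open the database connection" callback are assumptions for illustration.

```csharp
// Added example, not from the page. Assumes a SecurityTokenHandlerConfiguration
// (audience restriction, issuer name registry, certificates) built elsewhere.
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Principal;
using System.Xml;

static class SamlToWindows
{
    // Validates an inbound SAML 2.0 assertion with MapToWindows enabled.
    // With MapToWindows the handler resolves the UPN claim to a WindowsIdentity
    // via an S4U logon, the same mechanism c2WTS uses, but in this process.
    public static ClaimsIdentity Validate(XmlReader assertion,
                                          SecurityTokenHandlerConfiguration handlerConfig)
    {
        var requirement = new SamlSecurityTokenRequirement { MapToWindows = true };
        var handler = new Saml2SecurityTokenHandler(requirement)
        {
            Configuration = handlerConfig
        };

        SecurityToken token = handler.ReadToken(assertion);
        ReadOnlyCollection<ClaimsIdentity> identities = handler.ValidateToken(token);
        return identities[0];
    }

    // The caveat from the answer: unless the host account has the privileges
    // c2WTS runs under (SYSTEM), the mapped token is Identification-level.
    // Identification-level tokens answer "is this user in group X?" locally but
    // cannot be impersonated towards SQL Server or any other backend.
    public static bool CanImpersonate(ClaimsIdentity identity)
    {
        var win = identity as WindowsIdentity;
        if (win == null)
            return false; // MapToWindows did not produce a Windows identity

        return win.ImpersonationLevel == TokenImpersonationLevel.Impersonation
            || win.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }

    // Runs the database work under the user's Windows identity, refusing
    // early with an explanatory error instead of failing deep inside SSPI.
    public static void RunAsUser(ClaimsIdentity identity, Action databaseWork)
    {
        if (!CanImpersonate(identity))
            throw new InvalidOperationException(
                "Identification-level token: usable for local authorization only. " +
                "Host the service under an account with the privileges c2WTS has and " +
                "configure constrained delegation in AD before reaching the database.");

        var win = (WindowsIdentity)identity;
        using (WindowsImpersonationContext ctx = win.Impersonate())
        {
            // e.g. open a SqlConnection with Integrated Security=SSPI here;
            // with Delegation level and constrained delegation, the Kerberos
            // ticket can be forwarded to the database server.
            databaseWork();
        }
    }
}
```

The same MapToWindows setting can be applied from web.config on the registered Saml2SecurityTokenHandler by adding a samlSecurityTokenRequirement element with mapToWindows="true" under its add element, which avoids constructing the handler in code. Either way, the ImpersonationLevel check above is what tells you whether you have reproduced what c2WTS provided or only a token for local authorization.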