 

c2WTS (Claims to windows token service) in .net 4.5

I need to get a Windows token from Claims. The solution is a Claims Aware WCF web service that uses ADFS 2.0 and runs in IIS ASP.NET 4.0. (The Kerberos token is needed for impersonated database access.)

In .NET 3.5 and 4.0 the c2WTS service is used to get a Windows identity from claims:

using System.Security.Principal;
using Microsoft.IdentityModel.WindowsTokenService;   // WIF 3.5 c2WTS client

WindowsIdentity winId = S4UClient.UpnLogon(upn);     // asks the c2WTS service for a token for this UPN

But the documentation for the c2WTS states the following: "...Starting with the .NET Framework 4.5, Windows Identity Foundation (WIF) has been fully integrated into the .NET Framework. The version of WIF addressed by this topic, WIF 3.5, is deprecated and should only be used when developing against the .NET Framework 3.5 SP1 or the .NET Framework 4..."

What would be the equivalent of c2WTS in .NET 4.5?

HakonIngvaldsen asked Feb 11 '13 13:02




1 Answer

There is no equivalent. But you can still install WIF to get the C2WTS service.

The Saml security token handler has the MapToWindows feature that returns a Windows identity. This is similar to what C2WTS does, but:

1) the Windows identity can only be used for authorization locally. To impersonate you would need SYSTEM privileges, which is what C2WTS runs under.
2) to delegate the token you need to configure constrained delegation in AD (just like with C2WTS).

leastprivilege answered Sep 19 '22 19:09
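An added example (not code from the answer or the original post) of the .NET 4.5 route the answer describes: the built-in SAML token handler is configured with MapToWindows, and the resulting WindowsIdentity is checked for an impersonation-level token before it is used for anything beyond local authorization. The handler configuration object and the XmlReader over the incoming SAML token are assumed to be supplied by the hosting application.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Security.Principal;
using System.Xml;

// Added example, not the answer's own code: map a SAML 1.1 token to a Windows identity
// with the .NET 4.5 built-in handler, then verify the token's impersonation level before
// using it for anything beyond local authorization (the answer's point 1).
public static class SamlToWindows
{
    // `config` is assumed to come from the application's <system.identityModel> settings
    // (audience URI, issuer name registry, certificate validation).
    public static WindowsIdentity MapSamlToWindows(SecurityTokenHandlerConfiguration config, XmlReader samlReader)
    {
        var handler = new SamlSecurityTokenHandler
        {
            Configuration = config,
            // Equivalent of <samlSecurityTokenRequirement mapToWindows="true" /> in web.config:
            // the handler looks up the UPN claim and builds a WindowsIdentity from it.
            SamlSecurityTokenRequirement = new SamlSecurityTokenRequirement { MapToWindows = true }
        };

        SecurityToken token = handler.ReadToken(samlReader);
        var identities = handler.ValidateToken(token);   // signature, issuer and audience checks

        var winId = identities[0] as WindowsIdentity;
        if (winId == null)
            throw new InvalidOperationException("Token was valid but could not be mapped to a Windows account.");
        return winId;
    }

    // Unless the process has SYSTEM-level privileges (which c2WTS runs under), the mapped
    // token is Identification level: fine for authorization checks, unusable for impersonation.
    public static bool CanImpersonate(WindowsIdentity winId)
    {
        return winId.ImpersonationLevel == TokenImpersonationLevel.Impersonation
            || winId.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }
}
```

Call CanImpersonate before wrapping the database call in winId.Impersonate(); if it returns false, the service is in the "authorization only" situation the answer describes and needs c2WTS (or an equivalently privileged process) plus constrained delegation in AD for the Kerberos hop.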