Wise J and Impersonation

I am attempting to get round an issue where the user of a PC not registered on the AD domain needs to run a Wise J app via a VPN.

In this scenario the browser will ask the user to log in and the Wise J app picks up the user credentials.

However, whilst using Application.UserIdentity seems to pick up some of the user credentials, it will not allow impersonation of the user.

I have tried using “Impersonate:” true, however this just generates an error in this scenario:

“The connection either timed out or was lost System.XmlReader EndRequest(Boolean)”

The resources the App needs to access fall into the Double Hop scenario, e.g. Report Server (SSRS reports).

NB everything works perfectly if the user is logged onto the domain on a device that is on the domain.

I know I can get round this by creating a logon form and effectively capturing the user's domain logon details, which I do not want to do.

Is there a way round this?

Hi Ewan,

Wisej offers the User and UserIdentity Properties.

Application.User returns IPrincipal and Application.UserIdentity returns WindowsIdentity class.

Here are a couple of links that might help you:

Application.User Property (wisej.com)

Application.UserIdentity Property (wisej.com)

IPrincipal Interface (System.Security.Principal) | Microsoft Docs

WindowsIdentity Class (System.Security.Principal) | Microsoft Docs

Best regards,
Alaa

Is it possible to capture the user credentials if the browser requests them so that they can be passed to the IReportServerCredentials interface?

Having explored Bearer Tokens for reporting services:

  1. I can find no documentation
  2. I suspect it only works if you have a Microsoft Identity server

So aside from creating my own alternate log on form, I was wondering whether it is possible to exploit what is already there?

Thanks for your help

The Double Hop issue is resolved if the user comes from a trusted source, i.e. they are logged onto the domain.

Would it be possible to generate the ReportServerCredentials based on the prompted user login from the untrusted source?

Alternately

Would it be possible to use BearerTokens instead?

c# – Sending a bearer token to endpoint, then validate this token – Stack Overflow

Thanks

Ewan

  • Alaa (ITG)
    Hi Ewan,

    You could definitely use BearerTokens. It can be stored into the Wisej Session. For example, you can use Application.Session.Token = token. The Session property is a Dynamic Object, so you can pretty much assign anything you want to it.

    Hope this helps.

    Best regards,
    Alaa
Hi Ewan,

Wisej uses the WindowsIdentity.Impersonate() method (WindowsIdentity.Impersonate Method (System.Security.Principal) | Microsoft Docs), and there’s no way that you can change the authentication system.

The double hop issue is a known problem that can only be resolved by the Network Manager, so it’s not a Wisej issue.

Best regards,
Alaa
