
Friday, July 24, 2009

Tip of the Day: Microsoft Word and Impersonation

Here's a useful tip....

If you're using the Microsoft.Office.Interop.Word assembly in your ASP.NET application, you must impersonate the current user before you begin using the API via code. Below are two examples of how to impersonate in ASP.NET:

Setting impersonation through configuration settings:
Add the following code highlighted under the system.web element.

Setting impersonation through code:
Right before you begin to instantiate Microsoft Word classes such as Application or Document, add the following code in red:
// Requires: using System.Security.Principal; using System.Web;
WindowsIdentity iUser = (WindowsIdentity)HttpContext.Current.User.Identity;
WindowsImpersonationContext wic = iUser.Impersonate();
Microsoft.Office.Interop.Word.Application oWord = new Microsoft.Office.Interop.Word.Application();
Microsoft.Office.Interop.Word.Document oWordDoc = new Microsoft.Office.Interop.Word.Document();
// When the Word work is finished, call wic.Undo() to stop impersonating.

You have to impersonate because your ASP.NET application runs under the network service account, and normally the network service account is not a valid user under Microsoft Word. Because of this, you must impersonate a trusted (valid) user in order to use the Microsoft Word assembly via code.

Enjoy!!

Wednesday, July 15, 2009

Tip of the Day: WCF & Impersonation


Hey everyone, I want to share with you a tip on how to enable impersonation with your WCF service applications.

Let me begin with my situation first. I have a WCF service application that manages inventory data from a database. The solution includes service, business and data layers that work together in updating and retrieving inventory data. In my service layer, I have a service called Inventory.svc that contains a single service operation called UpdateInventory. UpdateInventory accepts two parameters, the product id and the number of products to add or subtract from inventory. Once I had everything compiled and built, I was ready to test. For testing I'm using the WcfTestClient.exe tool, which provides a simple interface for testing your WCF services. During my testing, my application threw an exception, "The UPDATE permission was denied on the object 'Inventory', database 'GreatValueBookStore', schema 'dbo'.". At first, I was like huh? So I googled the exception and found most people were experiencing the same issue, no support for impersonation. Since the WCF application is running on IIS, I know that the network service account runs as the default user, which explains the exception, because the network service account does not have rights to modify data in my local database. Next I posted a question to an MSDN WCF forum. Within minutes a user replied with a series of MSDN articles on how to implement security and impersonation with WCF applications. The articles were very helpful and I found what I needed to resolve my issue. So let me show you how to implement impersonation in WCF....


In your service contract, add the following code on top of your service operation:
[OperationBehavior(Impersonation = ImpersonationOption.Required)]
This tells WCF that the service operation must impersonate the caller's identity.

Next, in your configuration file, add the following code:

Then in your service's endpoint, supply the bindingName attribute with the value "WindowsBinding":

This sets the type of client credential to be used for authentication, in this case, Windows.
Finally, in your client application, add the following code right before you make a call to a service operation:

InventoryClient.InventoryClient inventoryClient = new InventoryClient.InventoryClient();
inventoryClient.ClientCredentials.Windows.AllowedImpersonationLevel =
System.Security.Principal.TokenImpersonationLevel.Impersonation;


This allows the client to be impersonated when calling the service operation from the client.
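The service side of the steps above, as an added example that is not the original post's code: the UpdateInventory operation impersonates the caller, rejects anonymous or identification-only tokens, and runs the update over an integrated-security connection so that SQL Server checks the caller's own permissions. The interface and class names, the connection string, and the Inventory column names are assumptions.

```csharp
// Added example, not the original post's code. IInventory/Inventory, the connection
// string, and the columns Quantity and ProductId are assumptions made for illustration.
using System.Data.SqlClient;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IInventory
{
    [OperationContract]
    void UpdateInventory(int productId, int quantity);
}

public class Inventory : IInventory
{
    // Integrated security: SQL Server sees the Windows identity the thread runs as.
    private const string ConnectionString =
        "Data Source=(local);Initial Catalog=GreatValueBookStore;Integrated Security=SSPI";

    // WCF accepts OperationBehavior on the implementing method, not on the contract interface.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public void UpdateInventory(int productId, int quantity)
    {
        // With Impersonation = Required, this method body already runs as the caller.
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        TokenImpersonationLevel level = caller.ImpersonationLevel;

        // Reject tokens that cannot be used to access resources on the caller's behalf.
        // TokenImpersonationLevel.None is reported for a primary token, which is usable.
        if (caller.IsAnonymous || !caller.IsAuthenticated ||
            level == TokenImpersonationLevel.Anonymous || level == TokenImpersonationLevel.Identification)
        {
            throw new FaultException("Caller must supply an impersonation-level Windows token.");
        }

        // Parameterized UPDATE, so the two inputs are never concatenated into the SQL text.
        using (SqlConnection connection = new SqlConnection(ConnectionString))
        using (SqlCommand command = new SqlCommand(
            "UPDATE dbo.Inventory SET Quantity = Quantity + @delta WHERE ProductId = @id", connection))
        {
            command.Parameters.AddWithValue("@delta", quantity);
            command.Parameters.AddWithValue("@id", productId);
            connection.Open();          // opened under the caller's Windows identity
            command.ExecuteNonQuery();  // UPDATE permission is checked against the caller
        }
    }
}
```

Because the database now sees each caller individually, UPDATE permission on the Inventory table has to be granted to the calling users or a Windows group containing them, not to the network service account.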


That's it!!!!

You can download the sample code below: