WCF Interview Questions (Part – 7) – Easy WCF

WCF Interview Questions (Part – 7)

WCF Interview Questions:

  1. What is WCF Service Impersonation and what are the levels of Impersonation?
  2. What are the impersonation options?
  3. What is the difference between Impersonation and Delegation?
  4. What is constrained Delegation?
  5. What is protocol transition?
  6. How do you impersonate the original caller for an operation call?
  7. How do you impersonate a specific (fixed) identity?
  8. How do you temporarily impersonate the original caller in an operation call?
  9. What is the difference between declarative and programmatic impersonation?
  10. What is the trusted subsystem model?

 

1. What is WCF Service Impersonation and what are the levels of Impersonation?

Impersonation is validating whether the client is authorized to request the service.

Impersonation has 3 levels of settings.

  • Allowed: It automatically impersonates the client whenever Windows authentication is used, but it has no effect with other authentication mechanisms.
  • Not allowed: This indicates that the service should not impersonate automatically.
  • Required: It ensures that Windows authentication is used; otherwise an exception is thrown.

2. What are the impersonation options?

There are three options for impersonation:

  • Impersonating the original caller declaratively on specific operations. Use this option when you want to impersonate the original caller for the entire duration of a specific operation.
  • Impersonating the original caller declaratively on the entire service. Use this option when you want to impersonate the original caller for the entire duration of all operations in the service.
  • Impersonating the original caller programmatically within an operation. Use this option when you want to impersonate the original caller for a short duration in a service operation.

3. What is the difference between Impersonation and Delegation?

Impersonation flows the original caller’s identity to back-end resources on the same computer. Delegation flows the original caller’s identity to back-end resources on computers other than the computer running the service.

For example, if a service is running within IIS without impersonation, the service will access resources using the ASP.NET account in IIS 5.0, or the Network Service account in IIS 6.0. With impersonation, if the client is connecting using the original caller’s account, the service will access resources such as a SQL Server database on the same machine using the original caller’s account instead of the system ASP.NET account. Delegation is similar except that the SQL Server database could be on a different machine that is remote to the service.

4. What is constrained Delegation?

With constrained delegation, you can configure the Microsoft Active Directory service to restrict the services and servers that your WCF service application can access with the impersonated identity. Constrained delegation in Windows Server 2003 requires Kerberos authentication.

5. What is protocol transition?

Protocol transition is a Windows Server 2003 feature that allows you to switch from an alternate, non-Windows authentication mode (such as Forms-based or certificate authentication) to Kerberos authentication. This is useful when your application cannot use Kerberos authentication to authenticate its callers, and when your application needs to use constrained delegation to access downstream network resources.

 

6. How do you impersonate the original caller for an operation call?

You should use impersonation only on operations that need it, to reduce the potential attack surface. You can impersonate declaratively by applying the OperationBehaviorAttribute attribute on any operation that requires client impersonation, as shown in the following code example:

 

7. How do you impersonate a specific (fixed) identity?

Use the WindowsIdentity class to obtain a Windows token and logon session for a given domain account by supplying a user principal name (UPN). With this approach, you do not need the account’s password.
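
A sketch of the fixed-identity approach described above. This is an added example, not code from the original page; the UPN, class name and method name are hypothetical. It also checks the level of the token that comes back, because a token obtained without a password is only usable for impersonation when the process account holds the "Act as part of the operating system" privilege.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Principal;

public static class FixedIdentity
{
    // Hypothetical domain account, constructed for this example.
    private const string ServiceUpn = "svc-reports@corp.example";

    public static string ReadAs(string path)
    {
        // The UPN constructor asks the domain for a token on behalf of the
        // account (Kerberos S4U logon); no password is supplied.
        using (var identity = new WindowsIdentity(ServiceUpn))
        {
            // Without the "Act as part of the operating system" privilege the
            // token is identification-level: usable for role and access checks,
            // but resource access under it is denied. Fail early and clearly.
            if (identity.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
            {
                throw new SecurityException(
                    "Token for " + ServiceUpn + " is " + identity.ImpersonationLevel +
                    "; an impersonation-level token is required.");
            }

            // Dispose() on the context reverts the thread to the process
            // identity, even if the read throws.
            using (identity.Impersonate())
            {
                return File.ReadAllText(path);
            }
        }
    }
}
```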

8. How do you temporarily impersonate the original caller in an operation call?

Programmatic impersonation allows you to impersonate on specific lines of code rather than the entire operation.

You can use programmatic impersonation to temporarily impersonate the original caller in an operation call, as shown in the following example:

9. What is the difference between declarative and programmatic impersonation?

Impersonation is used to restrict or authorize the original caller’s access to a WCF service’s local resources, such as files. Use declarative impersonation to define impersonation at the operation or service level.
Impersonate declaratively by applying the OperationBehaviorAttribute attribute on any operation that requires client impersonation, as shown in the following code example:
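
Declarative impersonation as described here and in question 6, written out as a self-hosted service. This is an added example, not code from the original page; the contract, service class, folder and endpoint address are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IReportService
{
    [OperationContract] string ReadCallerFile(string name);
    [OperationContract] string Ping();
}

public class ReportService : IReportService
{
    // Required: WCF impersonates the caller for the whole operation and
    // throws if Windows authentication is not in use.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string ReadCallerFile(string name)
    {
        // The thread now carries the caller's token, so the file ACL is
        // evaluated against the caller, not the service account.
        string path = Path.Combine(@"C:\Reports", Path.GetFileName(name));
        return WindowsIdentity.GetCurrent().Name + ": " + File.ReadAllText(path);
    }

    // No attribute: the default is ImpersonationOption.NotAllowed, so this
    // operation runs under the service's process identity.
    public string Ping()
    {
        return "pong from " + WindowsIdentity.GetCurrent().Name;
    }
}

public static class Program
{
    public static void Main()
    {
        var address = new Uri("net.tcp://localhost:9000/reports"); // hypothetical
        using (var host = new ServiceHost(typeof(ReportService), address))
        {
            // NetTcpBinding defaults to transport security with Windows credentials.
            host.AddServiceEndpoint(typeof(IReportService), new NetTcpBinding(), "");
            // Service-wide alternative; every operation must then be marked
            // Allowed or Required, or Open() throws InvalidOperationException:
            // host.Authorization.ImpersonateCallerForAllOperations = true;
            host.Open();
            Console.ReadLine();
        }
    }
}
```

The client must also permit impersonation by setting ClientCredentials.Windows.AllowedImpersonationLevel to TokenImpersonationLevel.Impersonation; the default, Identification, lets the service identify the caller but not access resources as the caller.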

Use programmatic impersonation to define finer-grained impersonation based on business logic. Programmatic impersonation is specified in code and applied at run time.
Programmatic impersonation can be performed as shown in the following example:
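
Programmatic impersonation as described here and in question 8, scoped to the single resource access that needs the caller's identity. This is an added example, not code from the original page; the service, folder and audit log path are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IDocumentService
{
    [OperationContract] string GetDocument(string name);
}

public class DocumentService : IDocumentService
{
    // Hypothetical paths, constructed for this example.
    private const string DocRoot = @"C:\Docs";
    private const string AuditLog = @"C:\Logs\documents-audit.log";

    public string GetDocument(string name)
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        WindowsIdentity caller = ctx == null ? null : ctx.WindowsIdentity;

        // Non-Windows callers surface as an unauthenticated identity, and a
        // client may allow identification only. Refuse both before impersonating.
        if (caller == null || !caller.IsAuthenticated ||
            caller.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
        {
            throw new FaultException("A Windows caller that permits impersonation is required.");
        }

        string path = Path.Combine(DocRoot, Path.GetFileName(name));

        // Runs as the service account: callers need no rights on the audit log.
        File.AppendAllText(AuditLog,
            DateTime.UtcNow.ToString("o") + " " + caller.Name + " " + path + Environment.NewLine);

        string text;
        // Only this read runs as the caller; leaving the using block reverts
        // the thread to the service identity, even if the read throws.
        using (caller.Impersonate())
        {
            text = File.ReadAllText(path);
        }
        return text;
    }
}
```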

10. What is the trusted subsystem model?

A trusted subsystem describes an architecture in which an upstream tier is trusted to authenticate and authorize the original caller for downstream components.

For instance, a database server trusts the Web application to authenticate users, and then all calls from the Web application to the database server are made with the Web application’s identity instead of the original caller’s identity. In this model, the web application’s identity is trusted to make calls on behalf of the original caller.

The advantages of the trusted subsystem model include support for efficient connection pooling, no direct data access because only the service account is granted access to the back-end resources, and minimal back-end access control list (ACL) management.
 

© 2015, admin. All rights reserved.
