Integrated Windows Authentication and ImpersonateUser with les-services

Hi,

We want to implement the following scenario using livelink 9.7.1 les-services:

We have a .NET webapplication that uses windows authentication (IWA) to authenticate the end users. The .NET application needs to call the livelink webservices using the end user's credentials. Also for livelink we're using directory services and IWA.

We don't want to pass clear text passwords over the wire (including the one of an admin account), so we want to use IWA between the .NET app and the les-services. We've managed to get this working. The system account that runs the .NET app is passed to livelink, and this works fine.

Now we want to use the ImpersonateUser method to execute the webservices with the credentials of the end user instead of using the .NET system account. When debugging the .NET app we notice that the impersonate works (it returns a token). When we try to call a method on the DocumentManagementServer using this token, we get an error: "Could not login with cookie".

Any suggestions on how to get passed this error and get this working?

Is it possible to use ImpersonateUser when using IWA on the les-services?
If not, is there another way to achieve are goal: call a LL webservice from a .NET webapp using credentials of the enduser of the webapp, without sending a hardcoded cleartext admin username/password to authenticate.

Here's a piece of code we used for testing:

public Byte[] GetDocumentByID(int id)
{using (var authenticationSrvc = new LLAuthenticationService.AuthenticationClient())
{
var impersonatedUser = authenticationSrvc.ImpersonateUser(new LLAuthenticationService.OTAuthentication { AuthenticationToken = "" }, "GJI760");
var documentAuthentication = new OTAuthentication { AuthenticationToken = impersonatedUser};
using (var documentSrvc = new DocumentManagementClient())
{
return documentSrvc.GetVersionContents(documentAuthentication, id, 0).Contents;

}
}
}

Find more posts tagged with

Comments

Appu_Nair

do you in your test have more than one livelink server who could issue the cookie.In many places there are multiple livelink FE's going thru a load balancer.if the OTHOME variable is different then by default every webrequest may get a different cookie(barring sticky).And is the impersonation user a user with SA privs in livelink obviously the impersonate call would not have worked without that so that may be a moot point

Andy Mans

Hi Appu,

Thanks for the reply. We only have one livelink server . The OTHOME variable point to C:\OpenText\ContentServer\ which is the installation directory of our livelink instance.

The user who performs the impersonation is a system admin user, so that can't be the problem.

Norbert_Bazin

Quoted Andy Mans (mansa@delaware.be) on 2011/10/12 13:17:

Hi Appu,

Thanks for the reply. We only have one livelink server . The OTHOME variable point to C:\OpenText\ContentServer\ which is the installation directory of our livelink instance.

The user who performs the impersonation is a system admin user, so that can't be the problem.

Do you have any entries at at the logfiles at LES side?
Any entries at the IIS web server that makes a check if the user is allowed to acess the server?

Regards

Norbert

Andy Mans

Hi Norbert,

In the webservices log file I see the following messages:

2011-10-11 18:02:27,4929 TRACE [6] BasicServiceContext(): fServer = localhost, fServerPort = 2099, fServerEncoding = DEFAULT

2011-10-11 18:02:27,4929 TRACE [6] Service()

2011-10-11 18:02:27,4939 TRACE [6] IServiceContext = BasicServiceContext[fServer=localhost,fServerPort=2099,fServerEncoding=DEFAULT]

2011-10-11 18:02:27,4939 TRACE [6] IRequestContext = BasicRequestContext[fClientIPAddress=172.30.117.28,fServiceToken=,]

2011-10-11 18:02:27,4948 TRACE [6] IRequestContext.ServiceToken =

2011-10-11 18:02:27,4978 TRACE [6] WindowsIdentify.Name=BELGRID\AGJI760 -> IWA user running .NET program (AGJI760)

2011-10-11 18:02:27,4978 TRACE [6] PrimaryIdentify.Name=BELGRID\AGJI760

2011-10-11 18:02:27,4987 TRACE [6] begin: Authentication.ImpersonateUser(GJI760) -> Impersonate call for user GJI760

2011-10-11 18:02:27,6355 TRACE [6] end: Authentication.ImpersonateUser() ->Impersonation ok

2011-10-11 18:02:27,6355 TRACE [6] IRequestContext.ServiceToken =

2011-10-11 18:02:30,7303 TRACE [6] BasicServiceContext(): fServer = localhost, fServerPort = 2099, fServerEncoding = DEFAULT

2011-10-11 18:02:30,7303 TRACE [6] Service()

2011-10-11 18:02:30,7313 TRACE [6] IServiceContext = BasicServiceContext[fServer=localhost,fServerPort=2099,fServerEncoding=DEFAULT]

2011-10-11 18:02:30,7313 TRACE [6] IRequestContext = BasicRequestContext[fClientIPAddress=172.30.117.28,fServiceToken=,]

2011-10-11 18:02:30,7323 TRACE [6] IRequestContext.ServiceToken = 9BoxfaZcftU8PW1%2Bbz7cdJTSHMU8EJTR -> Token returned by Impersonate user method

2011-10-11 18:02:30,7332 TRACE [6] WindowsIdentify.Name=BELGRID\AGJI760

2011-10-11 18:02:30,7332 TRACE [6] PrimaryIdentify.Name=BELGRID\AGJI760

2011-10-11 18:02:30,7332 TRACE [6] begin: DocumentManagement.GetVersionContents(590990,0) -> Get document call

2011-10-11 18:02:30,7694 TRACE [6] ThrowLivelinkException( -2147482643,Could not login with cookie,,,urn:DocMan.service.livelink.opentext.com)

2011-10-11 18:02:30,7694 WARN [6] Livelink error occurred

2011-10-11 18:02:30,7694 WARN [6] Status: -2147482643

2011-10-11 18:02:30,7694 WARN [6] Error Code: Could not login with cookie -> Error message

2011-10-11 18:02:30,7694 WARN [6] Error Message: Could not login with cookie

2011-10-11 18:02:30,7694 WARN [6] ApiError:

2011-10-11 18:02:30,7704 TRACE [6] IRequestContext.ServiceToken =

sgrasley

Hi, Andy.

If you're using IWA for the les-services application, then I think you'll need to impersonate the user on the client side, then make the web service call (rather than using Authentication.ImpersonateUser()).

Do you have any Content Server thread logs? They may have useful information. Be sure to set the following in opentext.ini:

[general]
Debug=2

[options]
WantLAPILogs=TRUE

Thanks,

Scott

Andy Mans

Hi Scott,

This is the output I get in the builder when performing the call with the impersonated users token:

Wed Oct 12 18:29:06 2011

Arguments = 'A<1,?,''ID''=590990,''versionNum''=0>'

FilePath = '?'

ServiceMethod = 'GetVersionContents'

ServiceName = 'DocumentManagement'

_ApiName = 'InvokeService'

_ClientVersion = '9.7.1'

_ConnectionName = ''

_Cookie = 'HFc3HscYLOZSDNm6CPbjyAT1ovW6uxFf' --> Token returned by impersonateuser call

_DomainName = ''

_ImpersonateUserDomain = ''

_LLENVIRON_ASSOC = 'A<1,?,''REMOTE_ADDR''=''172.30.117.28'',''REMOTE_USER''=''BELGRID\\HCF757''>'

_Request = 'llweb'

_UserName = ''

_UserPassword = 'XXXXXXXXXX'

=======================================

Executing API: #320022a1.InvokeService

inArgs: A<1,?>

------------------------------------------

_LLENVIRON_ASSOC contains:

REMOTE_ADDR=172.30.117.28

REMOTE_USER=BELGRID\HCF757 --> This is the IWA user, not the impersonated user

End _LLENVIRON_ASSOC

------------------------------------------

inArgs: A<1,?>

outArgs: A<1,?,'_apiError'='','_errMsg'='','_Status'=-2147482643,'_StatusMessage'='Could not login with cookie'>

status: Could not login with cookie (-2147482643)

msecs: 2120

=======================================

Wed Oct 12 18:29:09 2011 - 584321Func=lapi.InvokeServiceTiming:2.126 2.126 2.127

When I leave the token blank and thereby performing the same request with the IWA user, it works fine.

Could it be that when you are using IWA you must leave the token field blank for it to authenticate properly?

I've tried disabling IWA on the web services, and restoring the original Web.config and running the exact same request: First authenticate with Admin user and password; impersonateuser; perform a request on the DocumentManagement server using the token I got from the impersonateuser method. This works as expected.

Is there a way to get impersonation to work together with IWA?

sgrasley

Hi, Andy.

I think the mismatch between the user form whom the cookie was generated and the user issuing the request is the problem. As far as I know you have to use either IWA OR the Content Server cookie for authentication; you can't use both for the same application (i.e. CWS).

If your client application impersonated the user you want at the Windows level, then made the request to CWS, that should work.

Thanks,

Scott

Guy_Pomerleau

Are you running everything on the same server, your .net application, the LES-services and livelink?

Andy Mans

Quoted sgrasley@opentext.com on 11/02/2011 08:08 AM:

Hi, Andy.

If your client application impersonated the user you want at the Windows level, then made the request to CWS, that should work.

Thanks,

Scott

Hi Scott,

Your are right. It isn't possible to use the IWA and the content server cookie at the same time. This makes it impossible to use impersonation in a IWA environment.

Using impersonation at client application level isn't possible, since Kerberos is not allow in our customers organization.

I've created a patch myself to have a work around. Basically, what is does is: when a CS cookie is present in the request, I remove the IWA cookie. I forwarded the patch to OT support, but unfortuately they can't validate it.

Andy Mans

Quoted guy.pomerleau@asc-csa.gc.ca on 11/02/2011 08:10 AM:

Are you running everything on the same server, your .net application, the LES-services and livelink?

Hi Guy,

Livelink and the LES services will run on the same server, but the .NET application will run on a different server.

Guy_Pomerleau

You are in trouble. You are right since you can't use Kerberos and you are on separate machine, you can't do IWA in the case since NTLM authentication can't do multiple hop. any possibility to put the web apps on the same server, this way you can use NTLM as authentication.

Quoted mansa@delaware.be on 11/07/2011 05:54 PM:

Quoted guy.pomerleau@asc-csa.gc.ca on 11/02/2011 08:10 AM:

Are you running everything on the same server, your .net application, the LES-services and livelink?

Hi Guy,

Livelink and the LES services will run on the same server, but the .NET application will run on a different server.