To impersonate a client in WCF when the WCF service is hosted on IIS 6 or a later version, we need to configure things correctly from three perspectives: the WCF service, the WCF client and Active Directory (AD).
WCF Service perspective:
1. Enable transfer security, and set the client credential type to Windows. This can be configured programmatically or administratively. Below is an example of configuring clientCredentialType as Windows administratively (in configuration):
<message clientCredentialType="Windows" ... />
2. Apply the Impersonate property of the operation behavior as ImpersonationOption.Required programmatically.
... // Impersonate the client to do some work, for example connect to a DB server.
3. Configure servicePrincipalName or userPrincipalName, programmatically or administratively:
a. If the WCF service is running under a built-in machine account (for example Network Service), we should configure servicePrincipalName in the following format:
<identity><servicePrincipalName value="host/<FQDN>" /></identity>
<identity><servicePrincipalName value="host/myserver.mydc.com" /></identity>
b. If the WCF service is running under a domain account, we should configure userPrincipalName in the following format:
<identity><userPrincipalName value="account@domain" /></identity>
<identity><userPrincipalName value="testaccount@mydc" /></identity>
NOTE: we can also configure this programmatically.
WCF Client perspective:
1. Set allowedImpersonationLevel to Impersonation in the client endpoint behavior. If the impersonated client credential needs to access resources beyond the current machine (a second hop), allowedImpersonationLevel must instead be set to Delegation, as shown below.
<windows allowedImpersonationLevel="Impersonation" />
<windows allowedImpersonationLevel="Delegation" />
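To show the service-side steps 1 to 3 and the client-side impersonation level together, here is an added C# example (not code from the original post) that applies the same settings programmatically instead of in web.config. It assumes a self-hosted ServiceHost and a hypothetical IPayrollService contract, and reuses the SPN and UPN values quoted above.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IPayrollService { [OperationContract] string WhoAmI(); }  // hypothetical contract

public class PayrollService : IPayrollService
{
    // Step 2: Required makes WCF fail the call rather than silently run it
    // under the host account when the caller's token cannot be impersonated.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoAmI()
    {
        // Inside the operation the thread carries the caller's token, so downstream
        // work (DB connection, file share) is authorised and audited as the caller.
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        return id.Name + " / " + id.ImpersonationLevel;
    }
}

public static class ImpersonationSetup
{
    // Steps 1 and 3 on the service side: Windows client credentials on the binding,
    // and the identity the client must expect. A built-in account (Network Service)
    // uses the host SPN; a domain account uses its UPN.
    public static ServiceHost CreateHost(Uri baseAddress, bool runsAsDomainAccount)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        EndpointIdentity identity = runsAsDomainAccount
            ? EndpointIdentity.CreateUpnIdentity("testaccount@mydc")        // value from the page
            : EndpointIdentity.CreateSpnIdentity("host/myserver.mydc.com"); // value from the page
        var host = new ServiceHost(typeof(PayrollService), baseAddress);
        host.AddServiceEndpoint(typeof(IPayrollService), binding,
                                new EndpointAddress(baseAddress, identity));
        return host;
    }

    // Client side: Impersonation is enough for resources on the service machine.
    // Delegation is needed only for a second hop, also requires the "trusted for
    // delegation" setting on the DC, and should be constrained to the target services.
    public static ChannelFactory<IPayrollService> CreateClient(EndpointAddress address, bool secondHop)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        var factory = new ChannelFactory<IPayrollService>(binding, address);
        factory.Credentials.Windows.AllowedImpersonationLevel = secondHop
            ? TokenImpersonationLevel.Delegation
            : TokenImpersonationLevel.Impersonation;
        return factory;
    }
}
```

Calling WhoAmI through the factory returns the caller's account name and the token level the service actually received, which is a quick way to confirm the client-side setting took effect before wiring up the second hop.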
DC perspective (only required for the Delegation scenario)
For the scenario where the client credential needs to be delegated, we must enable delegation for the WCF host computer or for the identity under which the WCF service is running.
1. If the WCF service is running under a built-in machine account (for example Network Service), we must set "trust this computer for delegation to ..." as the screenshot below shows.
2. If the WCF service is running under a domain account, we must set "trust this user for delegation to ..." as the screenshot below shows.
Delegation and Impersonation with WCF