How to impersonate or delegate a client in WCF

 

To impersonate a client in WCF when the WCF service is hosted on IIS 6 or later, three sides have to be configured correctly: the WCF service, the WCF client and Active Directory (AD).

WCF Service perspective:

1. Enable transfer security and set the client credential type to Windows. This can be configured programmatically or administratively. Below is an example of configuring clientCredentialType as Windows administratively (in the binding configuration).

For example:

<security mode="Message">
    <message clientCredentialType="Windows" …… />
</security>

2. Set the Impersonation property of the OperationBehavior attribute to ImpersonationOption.Required on each operation that must run as the caller (this one can only be done programmatically).

For example:

[OperationBehavior(Impersonation = ImpersonationOption.Required)]
public string ImpersonatedOP()
{
    …… // Impersonate the client to do some work, for example connect to a DB server.
}

3. Configure the servicePrincipalName or userPrincipalName identity of the endpoint, programmatically or administratively. This is the name the client uses to obtain a Kerberos ticket for the service, so it must match the account the service actually runs under.

a. If the WCF service is running under a built-in machine account (for example Network Service), configure the servicePrincipalName in the following format:

<identity><servicePrincipalName value="host/<FQDN>" /></identity>

For example:

<identity><servicePrincipalName value="host/myserver.mydc.com" /></identity>

b. If the WCF service is running under a domain account, configure the userPrincipalName in the following format:

<identity><userPrincipalName value="account@domain" /></identity>

For example:

<identity><userPrincipalName value="testaccount@mydc" /></identity>

NOTE: the identity can also be configured programmatically, with EndpointIdentity.CreateSpnIdentity or EndpointIdentity.CreateUpnIdentity on the EndpointAddress.
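The three service-side steps above in code rather than config, as an added example that is not part of the original post. It self-hosts on a WSHttpBinding so it can be tried outside IIS, and it adds the check a practitioner wants once impersonation works: an operation that touches a resource on another machine verifies it actually holds a Delegation-level token, instead of letting the second hop arrive as ANONYMOUS LOGON. The contract, class and host names, "myserver.mydc.com" and "svc-wcf@mydc.com" are assumptions for illustration.

```csharp
// Added example, not from the original post. Names, FQDN and account are assumptions.
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;

[ServiceContract]
public interface IImpersonationService
{
    [OperationContract] string ImpersonatedOP();
    [OperationContract] string DelegatedOP();
}

public class ImpersonationService : IImpersonationService
{
    // Step 2: WCF impersonates the caller for the whole call. With Required, a caller whose
    // allowedImpersonationLevel is below Impersonation is rejected by WCF, not by this code.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string ImpersonatedOP()
    {
        // While impersonating, GetCurrent() is the caller, not the account the host runs as.
        WindowsIdentity caller = WindowsIdentity.GetCurrent();
        // Local work as the caller goes here (e.g. a SQL connection to a DB on this machine).
        return caller.Name + " / " + caller.ImpersonationLevel;
    }

    // Same attribute, but this operation reaches a resource on another machine, so an
    // Impersonation-level token is not enough: the second hop would authenticate anonymously.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string DelegatedOP()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        RequireLevel(caller, TokenImpersonationLevel.Delegation);
        // Remote work as the caller goes here (e.g. SqlConnection with Integrated Security
        // to a DB server elsewhere in the domain).
        return caller.Name + " delegated";
    }

    // Fail closed with a clear fault instead of letting the back end see an anonymous hop.
    // Delegation is only present when the client allowed it AND AD trusts this host/account.
    private static void RequireLevel(WindowsIdentity id, TokenImpersonationLevel required)
    {
        if (id.ImpersonationLevel < required)
            throw new FaultException(string.Format(
                "Caller {0} allowed {1}; this operation needs {2}.",
                id.Name, id.ImpersonationLevel, required));
    }
}

public static class ServiceHostProgram
{
    // Steps 1 and 3 in code: message security with Windows credentials, plus the identity
    // the client must obtain a Kerberos ticket for (SPN for a machine account, UPN for a
    // domain account), matching the <identity> element in the config above.
    public static ServiceHost CreateHost(Uri baseAddress, bool runsAsDomainAccount)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        EndpointIdentity identity = runsAsDomainAccount
            ? EndpointIdentity.CreateUpnIdentity("svc-wcf@mydc.com")          // assumed account
            : EndpointIdentity.CreateSpnIdentity("host/myserver.mydc.com");  // assumed FQDN

        var host = new ServiceHost(typeof(ImpersonationService), baseAddress);
        ServiceEndpoint endpoint = host.AddServiceEndpoint(
            typeof(IImpersonationService), binding, string.Empty);
        endpoint.Address = new EndpointAddress(baseAddress, identity);
        return host;
    }

    public static void Main()
    {
        // Pass true here when the process runs as the domain account instead of Network Service.
        using (ServiceHost host = CreateHost(new Uri("http://myserver.mydc.com:8000/imp"), false))
        {
            host.Open();
            Console.WriteLine("Listening; press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

TokenImpersonationLevel is ordered (Anonymous, Identification, Impersonation, Delegation), which is why a plain less-than comparison is enough for the check. Calling ImpersonatedOP from a client that only allowed Impersonation succeeds and reports "Impersonation"; calling DelegatedOP from the same client returns the fault above rather than a confusing access-denied from the remote server.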

WCF Client perspective:

1. Set allowedImpersonationLevel to Impersonation in the client endpoint behavior. If the service must use the impersonated client credential to reach resources on another machine, allowedImpersonationLevel must be set to Delegation instead, as below. Delegation only works when the client authenticates with Kerberos, so the client's endpoint identity must match the SPN or UPN configured in step 3 on the service side; NTLM can produce an impersonation-level token but can never be delegated. Grant Delegation only to services that actually need the second hop, because it lets that service act as the caller against any machine in the domain that trusts it.
For example:

Impersonation scenario:

<behaviors>
  <endpointBehaviors>
    <behavior name="NewBehavior">
      <clientCredentials>
        <windows allowedImpersonationLevel="Impersonation" />
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>

Delegation scenario:

<behaviors>
  <endpointBehaviors>
    <behavior name="NewBehavior">
      <clientCredentials>
        <windows allowedImpersonationLevel="Delegation" />
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
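The client side of the same procedure done in code instead of the clientCredentials configuration, as an added example that is not part of the original post. The contract and the endpoint identity mirror the service-side values and are assumptions for illustration; one flag switches between the impersonation and delegation scenarios.

```csharp
// Added example, not from the original post. Contract name, FQDN and URL are assumptions.
using System;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IImpersonationService
{
    [OperationContract] string ImpersonatedOP();
}

public static class ClientProgram
{
    // allowDelegation = false is the impersonation scenario, true the delegation scenario.
    public static ChannelFactory<IImpersonationService> CreateFactory(Uri address, bool allowDelegation)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        // Must match the service's <identity>. If it does not, no Kerberos ticket can be
        // obtained and the channel negotiates NTLM instead, which can impersonate on the
        // service box but can never be delegated to a second machine.
        EndpointIdentity identity = EndpointIdentity.CreateSpnIdentity("host/myserver.mydc.com");
        var factory = new ChannelFactory<IImpersonationService>(
            binding, new EndpointAddress(address, identity));

        // Least privilege: hand the service only the token level this scenario needs.
        // Delegation lets the service authenticate to other machines as this user, so
        // grant it only to a service that is trusted for delegation and actually needs it.
        factory.Credentials.Windows.AllowedImpersonationLevel = allowDelegation
            ? TokenImpersonationLevel.Delegation
            : TokenImpersonationLevel.Impersonation;
        return factory;
    }

    public static void Main()
    {
        var factory = CreateFactory(new Uri("http://myserver.mydc.com:8000/imp"), false);
        IImpersonationService proxy = factory.CreateChannel();
        // The service reports the name and token level it observed while impersonating,
        // which is the quickest way to confirm the whole chain is set up correctly.
        Console.WriteLine(proxy.ImpersonatedOP());
        ((IClientChannel)proxy).Close();
        factory.Close();
    }
}
```

When the service runs under a domain account, replace CreateSpnIdentity with EndpointIdentity.CreateUpnIdentity and the account's UPN, exactly as on the service side; a mismatch does not produce an error at this point, it only shows up later as an anonymous second hop.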

DC perspective (only required for the Delegation scenario)

When the client credential must be delegated, delegation has to be enabled in AD for the WCF host computer account or for the domain account under which the WCF service runs. Prefer constrained delegation ("Trust this computer/user for delegation to specified services only", Kerberos only) and list only the back-end SPNs the service really needs, for example the MSSQLSvc SPN of the database server. Unconstrained delegation ("Trust this computer/user for delegation to any service") stores each caller's forwarded TGT on the host, so a compromise of that host exposes every user who ever called the service.

1. If the WCF service is running under a built-in machine account (for example Network Service), set "Trust this computer for delegation to …" on the computer account, as the screenshot below shows.

(Screenshot: DC1.JPG)

2. If the WCF service is running under a domain account, set "Trust this user for delegation to …" on that user account, as the screenshot below shows. The Delegation tab only appears on a user account once at least one SPN has been registered for it (for example with setspn), so do that first.

(Screenshot: DC2.JPG)

References
<userPrincipalName>
https://msdn.microsoft.com/en-us/library/aa347702.aspx

<servicePrincipalName>
https://msdn.microsoft.com/en-us/library/aa347698.aspx

Delegation and Impersonation with WCF
https://msdn.microsoft.com/en-us/library/ms730088.aspx

Best Regards,

 

Winston He