How to impersonate or delegate a client in WCF


 


To impersonate a client in WCF when the service is hosted on IIS 6 or later, three things must be configured correctly: the WCF service, the WCF client and, for delegation only, Active Directory.


WCF Service perspective:


1.       Enable transfer security with Windows as the client credential type. This can be done programmatically or administratively; the example below configures clientCredentialType as Windows administratively (message security is shown, transport security with Windows credentials works the same way).

For example:
<security mode="Message">
         <message clientCredentialType="Windows" ……/>
</security>


2.       Set the Impersonation property of the OperationBehavior attribute to ImpersonationOption.Required programmatically. WCF then impersonates the caller before the operation body runs and reverts to the process identity when it returns.

For example:

[OperationBehavior(Impersonation = ImpersonationOption.Required)]
public string ImpersonatedOP()
{
          // …… impersonate the client to do some work, for example connect to a DB server.
}


3.       Configure the servicePrincipalName or userPrincipalName, programmatically or administratively. This is the identity the client authenticates the service as; if it does not match the account the service really runs under, Kerberos authentication fails.

        a. If the WCF service runs under a built-in machine account (for example Network Service), configure servicePrincipalName, formatted as follows:

                  <identity><servicePrincipalName value="host/<FQDN>" /></identity>

       For example:
                  <identity><servicePrincipalName value="host/myserver.mydc.com" /></identity>

       b. If the WCF service runs under a domain account, configure userPrincipalName, formatted as follows:

                  <identity><userPrincipalName value="account@domain" /></identity>

       For example:
                  <identity><userPrincipalName value="testaccount@mydc" /></identity>

         NOTE: the identity can also be configured programmatically (EndpointIdentity.CreateSpnIdentity or EndpointIdentity.CreateUpnIdentity).
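The three service-side steps above, carried through in one piece of code as an added example that is not from the original post. It self-hosts the service so that the security mode, the operation behavior and the endpoint identity can all be shown programmatically; under IIS the binding and identity settings go in web.config exactly as in the fragments above and only the contract and operation behavior stay in code. The address http://myserver.mydc.com:8000/Impersonate, the UPN testaccount@mydc and the contract and operation names are assumptions for illustration.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;

// Added example, not from the original post. Assumed for illustration: the
// service runs as the domain account "testaccount@mydc" and listens at
// http://myserver.mydc.com:8000/Impersonate.

[ServiceContract]
public interface IImpersonatedService
{
    [OperationContract]
    string WhoAmI();
}

public class ImpersonatedService : IImpersonatedService
{
    // Step 2: require impersonation. WCF impersonates the caller before this
    // body runs and reverts to the process identity when it returns.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoAmI()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;

        // Fail closed with a clear fault: the client chooses the maximum level
        // the service may use. An Identification-level token cannot open
        // resources at all; an Impersonation-level token cannot authenticate
        // to another machine, which needs Delegation.
        if (caller.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
            throw new FaultException("Client did not allow impersonation.");

        // Inside the operation the thread token is the caller's, so any
        // resource opened here (a database connection, a file) is checked
        // against the caller's rights, not the service account's.
        return string.Format("Thread runs as {0} (level {1})",
            WindowsIdentity.GetCurrent().Name, caller.ImpersonationLevel);
    }
}

public static class Program
{
    public static void Main()
    {
        var baseAddress = new Uri("http://myserver.mydc.com:8000/Impersonate");
        using (var host = new ServiceHost(typeof(ImpersonatedService), baseAddress))
        {
            // Step 1: message security with Windows client credentials, the
            // programmatic form of <security mode="Message">
            //   <message clientCredentialType="Windows"/></security>.
            var binding = new WSHttpBinding(SecurityMode.Message);
            binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

            ServiceEndpoint endpoint =
                host.AddServiceEndpoint(typeof(IImpersonatedService), binding, "");

            // Step 3: publish the identity clients must authenticate the
            // service as. A domain account uses a UPN; a service running as
            // Network Service would instead use
            // EndpointIdentity.CreateSpnIdentity("host/myserver.mydc.com").
            endpoint.Address = new EndpointAddress(endpoint.Address.Uri,
                EndpointIdentity.CreateUpnIdentity("testaccount@mydc"));

            host.Open();
            Console.WriteLine("Service listening; press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

The explicit ImpersonationLevel check is defence in depth: it turns a client that only allowed Identification into an immediate, readable fault instead of an access-denied error somewhere inside the impersonated work.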


WCF Client perspective:


1.       Set allowedImpersonationLevel to Impersonation on the client endpoint behavior. This level is a ceiling chosen by the client: it is the most the service is allowed to do with the client's identity. If the service must use the impersonated client credential to reach a resource on another machine (for example a remote SQL Server), allowedImpersonationLevel must be Delegation, as below. Delegation also requires Kerberos (NTLM cannot delegate) and the Active Directory configuration described in the last section.
For example:



Impersonation scenario:



<behaviors>
  <endpointBehaviors>
    <behavior name="NewBehavior">
      <clientCredentials>
        <windows allowedImpersonationLevel="Impersonation" />
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>

Delegation scenario:

<behaviors>
  <endpointBehaviors>
    <behavior name="NewBehavior">
      <clientCredentials>
        <windows allowedImpersonationLevel="Delegation" />
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
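The client side of the same exchange, as an added example that is not from the original post: the programmatic equivalent of the two endpoint behaviors above, choosing the lowest impersonation level that the scenario needs. It assumes the contract IImpersonatedService with a WhoAmI() operation, the address http://myserver.mydc.com:8000/Impersonate and the UPN testaccount@mydc; all three are illustrative.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Added example, not from the original post. Contract, address and UPN are
// assumed for illustration and must match what the service publishes.

[ServiceContract]
public interface IImpersonatedService
{
    [OperationContract]
    string WhoAmI();
}

public static class Client
{
    // Builds a channel factory whose Windows credentials carry the given
    // maximum impersonation level. The level is a ceiling set by the client;
    // the service can never use the client's identity beyond it.
    public static ChannelFactory<IImpersonatedService> CreateFactory(TokenImpersonationLevel level)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        // The client must name the identity the service published (UPN for a
        // domain account, host/<FQDN> SPN for Network Service). If it does
        // not match, Kerberos cannot be used and the call may fall back to
        // NTLM, which supports impersonation on the service host but never
        // delegation to a third machine.
        var address = new EndpointAddress(
            new Uri("http://myserver.mydc.com:8000/Impersonate"),
            EndpointIdentity.CreateUpnIdentity("testaccount@mydc"));

        var factory = new ChannelFactory<IImpersonatedService>(binding, address);

        // Programmatic form of <windows allowedImpersonationLevel="..."/>.
        factory.Credentials.Windows.AllowedImpersonationLevel = level;
        return factory;
    }

    public static void Main(string[] args)
    {
        // Ask for Delegation only when the service must reach a resource on
        // another machine as the caller. Impersonation is enough for resources
        // on the service host and limits what a compromised service host can
        // do with the caller's identity.
        bool needsRemoteResource = args.Length > 0 && args[0] == "--delegate";
        TokenImpersonationLevel level = needsRemoteResource
            ? TokenImpersonationLevel.Delegation
            : TokenImpersonationLevel.Impersonation;

        ChannelFactory<IImpersonatedService> factory = CreateFactory(level);
        IImpersonatedService proxy = factory.CreateChannel();
        try
        {
            Console.WriteLine(proxy.WhoAmI());
            ((IClientChannel)proxy).Close();
            factory.Close();
        }
        catch (CommunicationException)
        {
            ((IClientChannel)proxy).Abort();
            factory.Abort();
            throw;
        }
    }
}
```

Run with --delegate to request the Delegation level; without it the client grants only Impersonation, so even a service configured for delegation cannot forward the caller's identity to another machine.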


DC perspective (only required for the Delegation scenario)

When the client credential must be delegated, Active Directory must trust the WCF host, or the identity under which the WCF service runs, for delegation; otherwise the domain controller will not let the service obtain tickets to other services on the client's behalf.

1.  If the WCF service runs under a built-in machine account (for example Network Service), open the host computer's account in Active Directory Users and Computers and, on the Delegation tab, select "Trust this computer for delegation to …" as the screenshot below shows.

(Screenshot: DC1.JPG)

2.  If the WCF service runs under a domain account, open that user account and, on its Delegation tab (the tab only appears once the account has an SPN registered), select "Trust this user for delegation to …" as the screenshot below shows.

(Screenshot: DC2.JPG)

Prefer the "specified services only" (constrained delegation) option and list just the back-end SPNs the service actually needs, such as the database server. With "any service" (unconstrained delegation) the service host receives a forwarded copy of the client's TGT and can authenticate as the client to anything in the forest, so a compromise of the host becomes a compromise of every client that has called it.
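A way to read back what the two dialogs above write to Active Directory, as an added example that is not from the original post: it reports whether an account is trusted for unconstrained delegation, constrained delegation (and to which SPNs), or neither, so the setting can be verified after the screenshot steps and unconstrained delegation can be spotted during review. It assumes it runs on a domain-joined machine as a user allowed to read the domain; the account names it is given (for example MYSERVER$ for a host whose service runs as Network Service, or testaccount for a domain service account) are illustrative.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

// Added example, not from the original post. Assumes a domain-joined machine
// and read access to the domain; account names are illustrative.

public sealed class DelegationInfo
{
    public string SamAccountName;
    public bool Unconstrained;        // "Trust ... for delegation to any service"
    public bool ProtocolTransition;   // "Use any authentication protocol"
    public List<string> AllowedTo = new List<string>(); // "... to specified services only"

    public override string ToString()
    {
        if (Unconstrained)
            return SamAccountName + ": UNCONSTRAINED delegation (review this)";
        if (AllowedTo.Count == 0)
            return SamAccountName + ": not trusted for delegation";
        return SamAccountName + ": constrained to " + string.Join(", ", AllowedTo.ToArray())
             + (ProtocolTransition ? " (protocol transition enabled)" : "");
    }
}

public static class DelegationAudit
{
    // userAccountControl bits from the ADS_USER_FLAG enumeration.
    private const int TrustedForDelegation = 0x80000;         // unconstrained delegation
    private const int TrustedToAuthForDelegation = 0x1000000;  // constrained + protocol transition

    // Escape a value for use inside an LDAP search filter (RFC 4515) so that
    // an account name taken from input cannot change the filter's meaning.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    public static DelegationInfo Query(string samAccountName)
    {
        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            string namingContext = (string)rootDse.Properties["defaultNamingContext"].Value;
            using (var domain = new DirectoryEntry("LDAP://" + namingContext))
            using (var searcher = new DirectorySearcher(domain))
            {
                searcher.Filter = "(sAMAccountName=" + EscapeFilterValue(samAccountName) + ")";
                searcher.PropertiesToLoad.Add("userAccountControl");
                searcher.PropertiesToLoad.Add("msDS-AllowedToDelegateTo");

                SearchResult result = searcher.FindOne();
                if (result == null)
                    throw new ArgumentException("No account named " + samAccountName);

                var info = new DelegationInfo { SamAccountName = samAccountName };
                int uac = (int)result.Properties["userAccountControl"][0];
                info.Unconstrained = (uac & TrustedForDelegation) != 0;
                info.ProtocolTransition = (uac & TrustedToAuthForDelegation) != 0;

                // Populated only for constrained delegation; absent otherwise.
                if (result.Properties.Contains("msDS-AllowedToDelegateTo"))
                    foreach (object spn in result.Properties["msDS-AllowedToDelegateTo"])
                        info.AllowedTo.Add((string)spn);
                return info;
            }
        }
    }

    public static void Main(string[] args)
    {
        // Usage: DelegationAudit.exe MYSERVER$ testaccount
        foreach (string account in args)
            Console.WriteLine(Query(account));
    }
}
```

For the Network Service case pass the computer account (the host name followed by $), because that is the object the first dialog modifies; for a domain service account pass the user's sAMAccountName.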


 


References
<userPrincipalName>
http://msdn.microsoft.com/en-us/library/aa347702.aspx


<servicePrincipalName>
http://msdn.microsoft.com/en-us/library/aa347698.aspx


Delegation and Impersonation with WCF
http://msdn.microsoft.com/en-us/library/ms730088.aspx


Best Regards,


 


Winston He


 
