    Delegation with WCF hosted in IIS - Impersonation level is not Delegation

    EDITED Note: My original question was far too long and an information overload so I have removed almost everything and will focus on asking just a couple of key questions on how to use delegation in practice.

    Problem: I am trying to set up delegation so that a WCF service can invoke operations on a WSE2 service using the credentials of the authenticated identity that made the call to the WCF service. My understanding is that delegation allows a service to access network resources using the caller's identity. I am making an assumption that a WSE2 asmx service would be considered a network resource and that delegation will allow me to pass the correct authenticated token on to the WSE2 service.

    The following is a scenario that I currently have setup. I am confused as to where delegation actually needs to take place. That is, at what point the impersonation level must be set to delegation.

    Scenario 1: {windows7 - unit test} --[using delegation]--> [[GATEWAY]] --> {windows7 - WCF} --[using delegation]--> [Windows Server 2008 R2 Standard - WSE2]

    In this scenario the client is a unit test running under my domain account. In practice there will be a website that the user will login to and the call to the WCF service will be made using the authenticated user's identity.

    1. Should the thread Impersonation Level at the WCF be set to Delegation or Impersonation? In other words, should the following be the expected scenario?
      Scenario 1: {windows7 - unit test} --[using impersonation]--> [[GATEWAY]] --> {windows7 - WCF} --[using delegation]--> [Windows Server 2008 R2 Standard - WSE2]
      Currently when I check the thread impersonation level it is set to Impersonate at the WCF service, but I was expecting it to be delegate.
    2. There is a gateway/firewall between the client and the services. The services are in the same subdomain, which is a different subdomain than the one that the clients are in. So in the scenario above the unit test is not in the same subdomain as the services. Will this cause problems?
    3. The asmx will not be calling other services. It is the asmx that the WCF service is trying to access using the authenticated user's identity via delegation. Does the asmx service require special configuration or AD settings to be set up as the target of delegation? Currently the server is set to "Trust this computer for delegation to any service (Kerberos only)", but calls to any operation on the service fail with 401 unauthorized.
    4. My unit test does not call any code to login a user. The process is run under my windows identity. The WCF service shows:

      Thread Identity :EXAMPLE\dustfinger
      Thread Impersonation level :Impersonation
      Thread Authentication Type :Kerberos
      Is Authenticated:True
      hToken :2492

      My understanding is that I shouldn't have to explicitly log myself in via code during the execution of the unit test before calling the WCF service since I am already logged into my computer and have an authenticated windows identity. In the future the WCF service will be called from a website and the user will log into that website. So this is a source of confusion for me. Also, notice the thread impersonation in the log above is Impersonation and not Delegation.

    Thank you kindly in advance,

    Last edited by dustfinger; July 15th, 2013 at 05:24 PM. Reason: Revised question to be less verbose and more focused
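The following is an added example, not code from the original post, showing where the impersonation level is decided in a WCF call chain: the client caps the level it allows on its Windows credentials (the WCF default is Identification), and the service can only see and forward a token at or below that cap. The contract and service names, the endpoint address, and the downstream call are hypothetical placeholders.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical contract for the WCF service that fronts the WSE2 asmx.
[ServiceContract]
public interface IGatewayService
{
    [OperationContract]
    string WhoAmI();
}

public class GatewayService : IGatewayService
{
    // Impersonation = Required: the operation body runs under the caller's token.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoAmI()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;

        // The level the service receives is bounded by what the client allowed.
        // Anything below Delegation cannot be used for a second hop (the asmx).
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new FaultException(
                "Caller token is " + caller.ImpersonationLevel +
                "; Delegation is required to call the downstream service.");

        // Second hop runs under the caller's token. The WSE2 proxy call belongs
        // here in a real service; this placeholder just reports the identity.
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            return WindowsIdentity.GetCurrent().Name;   // e.g. EXAMPLE\dustfinger
        }
    }
}

public static class ClientSide
{
    // The caller (unit test or website) must explicitly permit a Delegation-level
    // token; without this the service sees Identification or Impersonation at most.
    public static string CallGateway(string endpointAddress)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        var factory = new ChannelFactory<IGatewayService>(binding, new EndpointAddress(endpointAddress));
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;
        IGatewayService proxy = factory.CreateChannel();
        return proxy.WhoAmI();
    }
}
```

The service-side check makes a level mismatch fail loudly with the observed level in the fault text, instead of surfacing later as a 401 from the downstream asmx.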
