How to: Impersonate a Client on a Service
Impersonating a client on a Windows Communication Foundation (WCF) service enables the service to perform actions on behalf of the client. For actions subject to access control list (ACL) checks, such as access to directories and files on a machine or access to a SQL Server database, the ACL check is against the client user account. This topic shows the basic steps required to enable a client in a Windows domain to set a client impersonation level. For a working example of this, see Impersonating the Client. For more information about client impersonation, see Delegation and Impersonation with WCF.
Note
When the client and service are running on the same computer and the client is running under a system account (that is, Local System or Network Service), the client cannot be impersonated when a secure session is established with stateful Security Context tokens. A WinForms or console application typically runs under the currently logged-in account, so that account can be impersonated by default. However, when the client is an ASP.NET page hosted in IIS 6.0 or IIS 7.0, the client runs under the Network Service account by default. All of the system-provided bindings that support secure sessions use a stateless Security Context token by default, so this restriction does not apply unless stateful tokens are explicitly configured; if the client is an ASP.NET page and a secure session with stateful Security Context tokens is used, the client cannot be impersonated. For more information about using stateful Security Context tokens in a secure session, see How to: Create a Stateful Security Context Token for a Secure Session.
To enable impersonation of a client from a cached Windows token on a service
Create the service. For a tutorial of this basic procedure, see Getting Started Tutorial.
Use a binding that uses Windows authentication and creates a session, such as NetTcpBinding or WSHttpBinding.
When creating the implementation of the service's interface, apply the OperationBehaviorAttribute class to the method that requires client impersonation. Set the Impersonation property to Required. With Required, WCF impersonates the caller for the duration of the operation and fails the call if the client's token does not permit impersonation; with Allowed, an operation whose caller cannot be impersonated silently runs under the service's own account, so the ACL check is made against the host identity rather than the client.
<OperationBehavior(Impersonation := ImpersonationOption.Required)> _
Public Function Add(ByVal a As Double, ByVal b As Double) As Double _
    Implements ICalculator.Add
    Return a + b
End Function

[OperationBehavior(Impersonation=ImpersonationOption.Required)]
public double Add(double a, double b)
{
    return a + b;
}
To set the allowed impersonation level on the client
Create service client code by using the ServiceModel Metadata Utility Tool (Svcutil.exe). For more information, see Accessing Services Using a WCF Client.
After creating the WCF client, set the AllowedImpersonationLevel property of the WindowsClientCredential class to one of the TokenImpersonationLevel enumeration values. This value is a ceiling on what the service may do with the client's token: Identification lets the service learn who the caller is but not act as the caller, Impersonation lets the service access resources on its own machine as the caller, and Delegation additionally lets the service access resources on other machines as the caller. Grant only the level the operation needs.
Note
To use Delegation, negotiated Kerberos authentication (sometimes called multi-leg or multi-step Kerberos) must be used. For a description of how to implement this, see Best Practices for Security in WCF.
Dim client As New CalculatorClient("CalculatorEndpoint")
client.ClientCredentials.Windows.AllowedImpersonationLevel = _
    System.Security.Principal.TokenImpersonationLevel.Impersonation

CalculatorClient client = new CalculatorClient("CalculatorEndpoint");
client.ClientCredentials.Windows.AllowedImpersonationLevel =
    System.Security.Principal.TokenImpersonationLevel.Impersonation;
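The following end-to-end example, added here and not code from the original topic, combines the service-side procedure (ImpersonationOption.Required on the operation, a NetTcpBinding with Windows credentials) and the client-side procedure (AllowedImpersonationLevel) in C#. It hosts the service and calls it from the same process so that it can be run locally, using ChannelFactory instead of a Svcutil-generated CalculatorClient. The WhoAmI operation, the net.tcp address and port, and the Identification call that shows the failure mode are assumptions made for this example.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Minimal stand-in for the page's ICalculator contract. WhoAmI is an
// addition for this example so that the effect of impersonation is visible.
[ServiceContract]
public interface ICalculator
{
    [OperationContract]
    double Add(double a, double b);

    [OperationContract]
    string WhoAmI();
}

public class CalculatorService : ICalculator
{
    // Required: WCF impersonates the caller before entering the method and
    // fails the call if the client's token does not permit impersonation.
    // Allowed would instead run the operation as the host account in that
    // case, which defeats the per-client ACL check this page is about.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public double Add(double a, double b)
    {
        return a + b;
    }

    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoAmI()
    {
        // Impersonation is per thread and lasts only for this call. Anything
        // opened from here (a file, a SQL Server connection using integrated
        // security) is access-checked against the caller's token.
        WindowsIdentity thread = WindowsIdentity.GetCurrent();
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        return string.Format("thread={0} level={1} caller={2}",
            thread.Name, thread.ImpersonationLevel, caller.Name);
    }
}

public static class Program
{
    public static void Main()
    {
        // Address and port are assumptions for this example.
        var address = new Uri("net.tcp://localhost:8000/Calculator");

        // NetTcpBinding with transport security and Windows credentials gives
        // Windows authentication plus a session, as the procedure requires.
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;

        using (var host = new ServiceHost(typeof(CalculatorService), address))
        {
            host.AddServiceEndpoint(typeof(ICalculator), binding, string.Empty);
            host.Open();

            // Sufficient for local resources: the operation runs as the caller.
            Call(binding, address, TokenImpersonationLevel.Impersonation);
            // Too low for a Required operation: the call is rejected rather
            // than silently executed under the host account.
            Call(binding, address, TokenImpersonationLevel.Identification);
        }
    }

    static void Call(NetTcpBinding binding, Uri address, TokenImpersonationLevel level)
    {
        var factory = new ChannelFactory<ICalculator>(binding, new EndpointAddress(address));

        // The client sets the ceiling on what the service may do with its token.
        // Delegation would also let the service reach remote resources as the
        // caller and needs Kerberos, so grant only what the operation needs.
        factory.Credentials.Windows.AllowedImpersonationLevel = level;

        ICalculator client = factory.CreateChannel();
        try
        {
            Console.WriteLine("{0}: Add = {1}; {2}", level, client.Add(2, 3), client.WhoAmI());
            ((IClientChannel)client).Close();
            factory.Close();
        }
        catch (CommunicationException ex)
        {
            // FaultException and SecurityAccessDeniedException both derive from
            // CommunicationException, so this covers the rejected call.
            Console.WriteLine("{0}: rejected ({1})", level, ex.GetType().Name);
            ((IClientChannel)client).Abort();
            factory.Abort();
        }
    }
}
```

Run it as an ordinary domain or local user; the first call prints the caller's account with level Impersonation, and the second is rejected by the service because a token at Identification level cannot be used to impersonate. Because client and host share one process here, the caller and the host account are the same user, so the ImpersonationLevel field is what shows that impersonation took place.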
See Also
Reference
OperationBehaviorAttribute
TokenImpersonationLevel
Concepts
Delegation and Impersonation with WCF
Other Resources
© 2007 Microsoft Corporation. All rights reserved.
Last Published: 2010-03-21