I have a WCF web service that currently serves a WSHttpBinding endpoint with transport protection and the Windows client credential type. The service is hosted on IIS 5.1 with SSL configured using a certificate from a domain certification authority. IIS itself runs under the identity test@domain.com on the domain computer. Anonymous access is disabled, and integrated Windows authentication is the only authentication method.
The service has a method that returns the current Windows identity name and impersonation level. The method has Impersonation set to "Required" in its OperationBehaviorAttribute.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public IEnumerable<string> GetInformation()
    {
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        return new List<string>()
        {
            identity.Name,
            identity.ImpersonationLevel.ToString()
        };
    }
I build the WCF channel manually in the client and allow delegation for the service.
    WSHttpBinding binding = new WSHttpBinding();
    binding.Security.Mode = SecurityMode.Transport;
    binding.Security.Transport.ClientCredentialType =
        HttpClientCredentialType.Windows;
    EndpointAddress endpoint =
        new EndpointAddress("https://host/DelegateService/Service.svc");
    ChannelFactory<ServiceInterface.IService> cf =
        new ChannelFactory<ServiceInterface.IService>(binding, endpoint);
    cf.Credentials.Windows.AllowedImpersonationLevel =
        TokenImpersonationLevel.Delegation;
    ServiceInterface.IService service = cf.CreateChannel();
XBAP, , Trusted Publishers.
-, test@domain.com current@domain.com , . SeImpersonatePrivilege , .
, "domain\current" "Impersonation". , , "domain\current" "Delegation". http://msdn.microsoft.com/en-us/library/ms730088.aspx , .
Windows 2000 Mixed. - , NTLM, , . https, Wireshark supportedMech: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5) http, , Kerberos .
Windows 2003, , , W2K3, - , , .
, Windows Server 2003, IIS, , .
, . , " ", . , ?