[WCF] Delegation between WCF and CRM Services

Impersonation and Delegation are important concepts around the services’ world. Impersonation restricts client access to resources in the local machine where is running the service and Delegation restricts client access to resources on other machine. In my scenario, I was trying to access from a WCF service to Dynamics CRM 4.0 services using Delegation.

In WCF, Delegation is a special type of Impersonation, which can be configured easily according to the next good articles:

However, some points are not really emphasized and you shouldn’t forget them:

  • Allow impersonation in the corresponding server. This configuration must be set from the domain controller.
  • User who is running WCF service must have enough privileges to impersonate the expected users
  • Allow Delegation from the client side. You have two options to do it:
    • Client Config. file:
                <behavior name="NewBehavior">
                        <windows allowedImpersonationLevel="Delegation" />
    • Programmatically:
proxy.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Delegation;
  • Set the userPrincipalName properly in client configuration file according to the user who is running the WCF service:
            <endpoint address="service address with an allowed protocol to impersonate"
                behaviorConfiguration="NewBehavior" binding="Allowed protocol to impersonate"
                bindingConfiguration="defaultEndPoint" contract="MyAssembly.MyContract"
                  <userPrincipalName value="serviceuser@mydomain.com" />

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s