Impersonation and Delegation are important concepts around the services’ world. Impersonation restricts client access to resources in the local machine where is running the service and Delegation restricts client access to resources on other machine. In my scenario, I was trying to access from a WCF service to Dynamics CRM 4.0 services using Delegation.
In WCF, Delegation is a special type of Impersonation, which can be configured easily according to the next good articles:
However, some points are not really emphasized and you shouldn’t forget them:
- Allow impersonation in the corresponding server. This configuration must be set from the domain controller.
- User who is running WCF service must have enough privileges to impersonate the expected users
- Allow Delegation from the client side. You have two options to do it:
- Client Config. file:
<behaviors> <endpointBehaviors> <behavior name="NewBehavior"> <clientCredentials> <windows allowedImpersonationLevel="Delegation" /> </clientCredentials> </behavior> </endpointBehaviors> </behaviors>
proxy.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Delegation;
- Set the userPrincipalName properly in client configuration file according to the user who is running the WCF service:
<client> <endpoint address="service address with an allowed protocol to impersonate" behaviorConfiguration="NewBehavior" binding="Allowed protocol to impersonate" bindingConfiguration="defaultEndPoint" contract="MyAssembly.MyContract" name="defaultEndPoint"> <identity> <userPrincipalName value="email@example.com" /> </identity> </endpoint> </client>