Good Day Everyone...

Apparently, I'm not setting up impersonation correctly for my WCF service. I do NOT want to set security on a method-by-method basis (in the actual code-behind). The service (at the moment) is open to be called by everyone on the intranet.

So my questions are…

Q: What web-config tags am I missing?

Q: What do I need to change in the web-config to make impersonation work?

The Service Web.config Looks Like...

<configuration>
    <system.web>
        <authorization>
            <allow users="?"/>
        </authorization>
        <authentication mode="Windows"/>
        <identity impersonate="true" userName="MyDomain\MyUser" password="MyPassword"/>
    </system.web>
    <system.serviceModel>
        <services>
            <service behaviorConfiguration="wcfFISH.DataServiceBehavior" name="wcfFISH.DataService">
                <endpoint address="" binding="wsHttpBinding" contract="wcfFISH.IFishData">
                    <identity>
                        <dns value="localhost"/>
                    </identity>
                </endpoint>
                <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
            </service>
        </services>
        <behaviors>
            <serviceBehaviors>
                <behavior name="wcfFISH.DataServiceBehavior">
                    <serviceMetadata httpGetEnabled="false"/>
                    <serviceDebug includeExceptionDetailInFaults="false"/>
                </behavior>
            </serviceBehaviors>
        </behaviors>
    </system.serviceModel>
</configuration>

A: 

If you always want to impersonate the client, for all operations, then add the following to the <behavior> element, i.e. after the <serviceMetadata> element:

<serviceAuthorization impersonateCallerForAllOperations="true" />

If you're trying to impersonate at the application level, then you normally can't do this in WCF, since WCF isn't really part of the ASP.NET pipeline.

The easiest workaround is just to put the WCF application in its own Application Pool and set the process identity of the pool to the user you want to impersonate.

The other way is to turn on ASP.NET compatibility mode by adding this to <system.serviceModel>:

<serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>

You also sometimes need to decorate your service with:

[AspNetCompatibilityRequirements(
    RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]

But keep in mind that this is going to limit your ability to take advantage of a lot of other newer WCF features like MSMQ or TCP bindings. I prefer the segregated app pool approach.

Aaronaught

Thanks Aaronaught...the separate AppPool approach worked!
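An added example (not code from the question or the answer) showing a service class that matches the asker's wcfFISH.DataService / IFishData names and carries the attribute from the answer, plus a hypothetical WhoAmI operation that returns both the authenticated caller and the identity the thread is actually executing under, so you can verify whether impersonation took effect instead of silently running as the app pool account. The WhoAmI operation is an assumption for this example; the real contract's other operations are omitted.

```csharp
// Added example; assumes the answer's Web.config settings are in place:
//   <serviceAuthorization impersonateCallerForAllOperations="true"/>
//   <serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Activation;

namespace wcfFISH
{
    [ServiceContract]
    public interface IFishData
    {
        // Hypothetical diagnostic operation, added for this example only.
        [OperationContract]
        string WhoAmI();
    }

    // Needed when aspNetCompatibilityEnabled="true" is set in Web.config
    // (the answer's second option); harmless with the app-pool approach.
    [AspNetCompatibilityRequirements(
        RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
    public class DataService : IFishData
    {
        // impersonateCallerForAllOperations only impersonates on operations
        // whose ImpersonationOption is Allowed or Required; the default,
        // NotAllowed, does not impersonate. Allowed keeps the decision in
        // config rather than per-method code, as the asker wanted.
        [OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
        public string WhoAmI()
        {
            // Who the caller authenticated as (Windows auth on wsHttpBinding).
            // Null when there is no Windows security context on the call.
            WindowsIdentity callerIdentity =
                ServiceSecurityContext.Current?.WindowsIdentity;
            string caller = callerIdentity?.Name ?? "(no Windows identity)";

            // Who the current thread is running as right now. If impersonation
            // took effect this equals the caller; otherwise it is the app pool
            // (or <identity impersonate="true"> account) and file/DB access
            // will be authorized as that account, not as the end user.
            string executing = WindowsIdentity.GetCurrent().Name;

            return $"caller={caller}; executing={executing}";
        }
    }
}
```

Call WhoAmI from a client on the intranet and compare the two names in the result: a mismatch means requests are being authorized against the service account's permissions rather than the caller's.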