I have a WCF web service, currently served over WSHttpBinding endpoint with Transport security and Windows client credential type. The service is hosted on top of IIS 5.1 with SSL configured using a certificate from the domain certificate authority. IIS itself runs with the identity of [email protected] on a domain computer. Anonymous access is disabled and Integrated Windows Authentication is the only way to authenticate.
The service has a method which returns the current windows identity name and impersonation level. The method has Impersonation set to Required in its OperationBehaviourAttribute.
[OperationBehavior(Impersonation = ImpersonationOption.Required)]
public IEnumerable<string> GetInformation()
{
WindowsIdentity identity = WindowsIdentity.GetCurrent();
return new List<string>()
{
identity.Name,
identity.ImpersonationLevel.ToString()
};
}
I'm building the WCF Channel manually in the client and allowing the delegation for the service.
WSHttpBinding binding = new WSHttpBinding();
binding.Security.Mode = SecurityMode.Transport;
binding.Security.Transport.ClientCredentialType =
HttpClientCredentialType.Windows;
EndpointAddress endpoint =
new EndpointAddress("https://host/DelegateService/Service.svc");
ChannelFactory<ServiceInterface.IService> cf =
new ChannelFactory<ServiceInterface.IService>(binding, endpoint);
cf.Credentials.Windows.AllowedImpersonationLevel =
TokenImpersonationLevel.Delegation;
ServiceInterface.IService service = cf.CreateChannel();
The client is a fully trusted XBAP signed with a domain certificate which has been moved to Trusted Publishers cert store.
The host computer, [email protected] and [email protected] have Allow Delegation set up in the domain and none of the users is marked as sensitive. The SeImpersonatePrivilege shouldn't be the problem either as Impersonation works.
When the client calls the service method the method returns "domain\current" and "Impersonation". What I require is "domain\current" and "Delegation". According to the second table at http://msdn.microsoft.com/en-us/library/ms730088.aspx this would imply that the client or the service are not capable of delegation.
The domain has functional level of Windows 2000 Mixed. I read somewhere that this implies NTLM authentication but I believe that referred to the traffic between domain controllers. When not running on top of https Wireshark shows supportedMech: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5) in the http response so it seems that Kerberos is enabled.
Technically we could raise the functional level up to Windows 2003 as the two Domain Controllers we have are both W2K3 servers but the IT department is currently unable to allocate resources to the backup operations and such which they want to do before they go and raise the functional level.
We do have a virtual test domain which could be upgraded to a functional level of Windows Server 2003, but this domain lacks certificate authority or client computers with IIS installed so while the functional level could be raised for testing purposes, setting up rest of the infrastructure is quite much work.
This is a problem I have been unable to solve for some time. Web seems to be full of "This is how you do it" kind of articles but I've not had any luck with these. Any ideas what is wrong?