Impersonation In WCF

http://msdn.microsoft.com/en-us/library/ms731090.aspx

http://www.danrigsby.com/blog/index.php/2008/04/17/impersonate-a-clients-identity-in-wcf/

Impersonation is a common technique that WCF services use to assume the original caller's identity in order 
to authorize access to service resources (such as files or database tables). 
Service resources can be resources that are either local to the service machine or remotely hosted. 
Impersonation is used to access resources on the same machine as the service, while delegation is used to access resources that are remotely hosted.

By default, impersonation is disabled and resources are accessed by using the WCF service's process identity. 
Impersonation allows you to access local resources and perform other operations using the authenticated user's identity 
or a specific Windows identity. You can enable impersonation either programmatically or by applying appropriate attributes at operation or service levels.

Both impersonation and delegation require that the client have a Windows identity. If a client does not possess a Windows identity, then the only option available is to flow the client’s identity to the second service.

To enable impersonation of a client from a cached Windows token on a service

[OperationBehavior(Impersonation=ImpersonationOption.Required)]
public double Add(double a, double b)
{
    return a + b;
}

ImpersonationOption	ImpersonateCallerForAllServiceOperations	Behavior
Required	n/a	WCF impersonates the caller
Allowed	false	WCF does not impersonate the caller
Allowed	true	WCF impersonates the caller
NotAllowed	false	WCF does not impersonate the caller
NotAllowed	true	Disallowed. (An InvalidOperationException is thrown.)

To set the allowed impersonation level on the proxy client

CalculatorClient client = new CalculatorClient("CalculatorEndpoint");
client.ClientCredentials.Windows.AllowedImpersonationLevel =
    System.Security.Principal.TokenImpersonationLevel.Impersonation;

1. Impersonation: The server process can impersonate the client’s security context on its local system. The server cannot impersonate the client on remote systems.
2. Delegation: The server process can impersonate the client’s security context on remote systems.

Sample:

When the service execute by "userAdmin"

Service

 public class SocialStatus : ISocialStatus
    {
        [OperationBehavior(Impersonation = ImpersonationOption.NotAllowed)]
        public string UpdateStatus(string text)
        {
            return String.Format("{0}", WindowsIdentity.GetCurrent().Name);
        }
    }

Client

using (ChannelFactory<ISocialStatus> factory = new ChannelFactory<ISocialStatus>("SocialClient"))
            {
                factory.Credentials.Windows.ClientCredential = new NetworkCredential("userABC", "password");
                ISocialStatus socialChannel = factory.CreateChannel();
                Console.WriteLine(socialChannel.UpdateStatus("aaa"));
            }

Output: UserAdmin

Service

 public class SocialStatus : ISocialStatus
    {
        [OperationBehavior(Impersonation = ImpersonationOption.Required)]
        public string UpdateStatus(string text)
        {
            return String.Format("{0}", WindowsIdentity.GetCurrent().Name);
        }
    }

Output: userABC