Tags: c#, .net, wcf, credentials, networkcredentials

Credential Delegation Issue with WCF


Usage scenario: all three machines are in the same domain.

  • Machine 1 - has the application, which runs as user1 and from which the request is generated
  • Machine 2 - a Windows service running as Network Service, which hosts the WCF services using WSHttpBinding
  • Machine 3 - a shared folder, to which user1 has permission to write

Ideally, WSHttpBinding automatically transfers the security context from the application to the WCF service, and hence it should be able to write the file to the shared location, because if we directly try to write the file from the application on Machine 1 to the Machine 3 share location, it succeeds.

But, to our surprise, it is not able to write the file to the shared location through the service. We are getting "Access Denied".

As I said, we are using WSHttpBinding, and ideally the user context gets transferred to the service. In the client, i.e. Machine 1, the impersonation level is set to System.Security.Principal.TokenImpersonationLevel.Impersonation, so Network Service can impersonate Domain\user1. Is that enough to write into the folder on the third machine?

Or should we set the client impersonation level to System.Security.Principal.TokenImpersonationLevel.Delegation? (We tried both and it did not work.)

Also, another piece of information: Machine 2 is "trusted for delegation". An SPN is set up for this machine in the domain controller.

The operation contract is declared as

    // WCF impersonates the caller for the duration of this operation
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public void WriteData(string content)
    {
        // body omitted in the post
    }

And still we are facing this issue.


Solution

  • You need delegation for that. Impersonation has only local scope on Machine 2.
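To make the distinction in the answer concrete, here is an added example (not code from the question or the answer) showing both sides of the second hop: the client requests a Delegation-level token, and the service checks the level it actually received before touching the share, so a misconfiguration fails with a readable message instead of a bare "Access Denied". The service address, the SPN host/machine2.example.com and the share path \\machine3\drop are hypothetical; the example also assumes the Machine 2 computer account is trusted for delegation, as the question states.

```csharp
// Added example, not from the original question or answer.
// Hypothetical names: http://machine2:8000/WriteService, host/machine2.example.com,
// \\machine3\drop. Assumes Machine 2 is trusted for delegation in the domain.
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IWriteService
{
    [OperationContract]
    string WriteData(string content);
}

public class WriteService : IWriteService
{
    // Hypothetical target on Machine 3.
    private const string SharePath = @"\\machine3\drop\output.txt";

    // ImpersonationOption.Required makes WCF impersonate the caller while this
    // method runs, so WindowsIdentity.GetCurrent() is Domain\user1, not Network Service.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WriteData(string content)
    {
        WindowsIdentity caller = WindowsIdentity.GetCurrent();

        // An Impersonation-level token is only usable on this machine. The SMB
        // access to Machine 3 is a second hop and needs a Delegation-level token,
        // so refuse early with a diagnostic rather than let the share say "Access Denied".
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            throw new FaultException(string.Format(
                "Caller {0} arrived with a {1} token; Delegation is required to write to {2}. " +
                "Check the client's AllowedImpersonationLevel, that Kerberos (not NTLM) was " +
                "negotiated, and that this host's account is trusted for delegation.",
                caller.Name, caller.ImpersonationLevel, SharePath));
        }

        File.WriteAllText(SharePath, content);
        return caller.Name + " wrote " + content.Length + " chars with a " +
               caller.ImpersonationLevel + " token";
    }
}

public static class Client
{
    public static void Main()
    {
        // WSHttpBinding with Windows message credentials, as in the question.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        // Name the service's SPN explicitly so the client obtains a Kerberos ticket.
        // NTLM cannot produce a delegable token, so a wrong or missing SPN leaves the
        // service with an Impersonation-level token even when Delegation was requested.
        var address = new EndpointAddress(
            new Uri("http://machine2:8000/WriteService"),
            EndpointIdentity.CreateSpnIdentity("host/machine2.example.com"));

        var factory = new ChannelFactory<IWriteService>(binding, address);

        // The setting the answer is about: Impersonation only covers Machine 2,
        // Delegation lets Machine 2 act as user1 toward Machine 3.
        factory.Credentials.Windows.AllowedImpersonationLevel =
            TokenImpersonationLevel.Delegation;

        IWriteService proxy = factory.CreateChannel();
        Console.WriteLine(proxy.WriteData("hello from user1"));
        ((IClientChannel)proxy).Close();
        factory.Close();
    }
}
```

The same client setting can be expressed in app.config as `<clientCredentials><windows allowedImpersonationLevel="Delegation"/></clientCredentials>` on the endpoint behavior. If the service-side check still reports an Impersonation-level token after that change, the usual causes are an NTLM fallback (SPN not matching the account the service runs as) or the Machine 2 account not being allowed to delegate to the file server's cifs service, which are domain settings rather than WCF settings.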