Ta01

Reputation: 31630

Impersonate Client Identity in WCF w/ netTcpBinding

Is it possible to impersonate a client's identity when invoking a netTcp endpoint operation via configuration? There is a section within the WCF config client as shown below:

<client>
    <endpoint 
        address="net.tcp://localhost:8081/tcpExample" 
        binding="netTcpBinding"
        bindingConfiguration="myTcpBinding" 
        contract="TestTcp.IHelloTcp"
        name="NetTcpBinding_IHelloTcp">
        <identity>
            <userPrincipalName value="[email protected]" />
        </identity>
    </endpoint>
</client>

My client doesn't fail; it seems like the identity attached to the client is the currently logged-in user, i.e. me.

Upvotes: 1

Views: 4780

Answers (2)

marc_s

Reputation: 755421

Hmm... not sure I follow. The default behavior for netTcpBinding is to use Windows credentials - e.g. your current Windows account is used for the service credentials.

That's the default right out of the box.

If you want to impersonate some other user, no, you cannot do this in configuration - you have to do this in code. That's the only way to go, sorry.

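// domain, username and password are strings supplied by the calling code.
// Set them before the first call: credentials are fixed once the channel is opened.
MyServiceClient client = new MyServiceClient();
client.ClientCredentials.Windows.ClientCredential.Domain = domain;
client.ClientCredentials.Windows.ClientCredential.UserName = username;
client.ClientCredentials.Windows.ClientCredential.Password = password;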

The only way to specify a different user in config would be to use a certificate which defines another user account to be used. You cannot configure a straight Windows user account along with its password in your config files.

Upvotes: 1

Kwal

Reputation: 1531

You really have three options:

  1. Manual impersonation (WindowsIdentity.Impersonate)
  2. Declarative impersonation (OperationBehavior(Impersonation = ImpersonationOption.Required))
  3. Full impersonation (ServiceAuthorizationBehavior.ImpersonateCallerForAllOperations)

Also, be sure that the account under which you are running your service (i.e. [email protected]) is granted the proper permissions at both a machine and domain level.

Upvotes: 3
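The declarative option from the list above, shown end to end as an added example (not code from either answer): a self-hosted netTcpBinding service where one operation impersonates the caller and one does not, so the two identities can be compared. It assumes .NET Framework with a reference to System.ServiceModel; the contract, service class and address are hypothetical names.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IWhoAmI
{
    [OperationContract] string Caller();
    [OperationContract] string Host();
}

public class WhoAmIService : IWhoAmI
{
    // Declarative impersonation: the body runs under the caller's Windows token.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string Caller() { return WindowsIdentity.GetCurrent().Name; }

    // No impersonation: the body runs as the account hosting the service.
    public string Host() { return WindowsIdentity.GetCurrent().Name; }
}

public static class Program
{
    public static void Main()
    {
        var address = "net.tcp://localhost:8081/whoami"; // hypothetical address
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;

        using (var host = new ServiceHost(typeof(WhoAmIService)))
        {
            host.AddServiceEndpoint(typeof(IWhoAmI), binding, address);
            host.Open();

            var factory = new ChannelFactory<IWhoAmI>(binding, new EndpointAddress(address));
            // The client states how far the service may go with its token.
            factory.Credentials.Windows.AllowedImpersonationLevel =
                TokenImpersonationLevel.Impersonation;
            // Explicit credentials, if any, go on factory.Credentials.Windows.ClientCredential
            // here, before CreateChannel().
            IWhoAmI proxy = factory.CreateChannel();
            Console.WriteLine("Impersonated operation runs as: " + proxy.Caller());
            Console.WriteLine("Plain operation runs as:        " + proxy.Host());
            ((IClientChannel)proxy).Close();
            factory.Close();
        }
    }
}
```

When client and host run under the same account, both lines print the same name; run the host under a separate service account to see them differ.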
