Impersonation and Delegation in WCF


Impersonation is a technique that WCF services use to authorize the caller's identity to access service resources such as files and database tables. Service resources can be located either on the local service machine or hosted remotely. The resources are accessed under either the WCF service's process identity or a specific Windows identity.

Difference between Impersonation and Delegation in WCF?

Impersonation is used to access the resources when the resources are on the same machine as the service. Delegation is used to access the resources that are remotely hosted.

There are two types of impersonation in WCF:

  • Imperative impersonation – performed programmatically at run time
  • Declarative impersonation – applied with a static attribute associated with an operation

Use Impersonation when

  • You want to access Windows resources that are protected with access control lists (ACLs).
  • You need to use a specific identity or several Windows identities to access resources.

Use Delegation when

  • You need to access network resources.

Declarative Impersonation

    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string GetData(int value)
    {
        return "test";
    }

Use this form when you want to impersonate the original caller for the entire duration of a specific operation: apply the OperationBehavior attribute to any operation that requires client impersonation.

You can also impersonate the original caller declaratively for the entire service. You do this by setting the impersonateCallerForAllOperations attribute to true in the WCF configuration file.

    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceBehavior">
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="false" />
          <serviceAuthorization impersonateCallerForAllOperations="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>

You can impersonate the original caller programmatically within an operation, as shown below:

    using System.Security.Principal;
    using System.ServiceModel;

    public string GetData(int value)
    {
        // Impersonate the caller only for the scope of this block; the thread
        // reverts to the service's own identity when the context is disposed.
        using (ServiceSecurityContext.Current.WindowsIdentity.Impersonate())
        {
            // Return the impersonated user (the original caller's identity).
            return string.Format("Hi, {0}, you have entered: {1}",
                WindowsIdentity.GetCurrent().Name, value);
        }
    }

Delegation Options in WCF

When your service needs to access remote or network resources on behalf of the original caller or a fixed identity, you can do so in the following ways:

Kerberos authentication and delegation – If you want your service to run under the Network Service account, configure your computer account in Active Directory to be trusted for delegation.

If your application runs under a custom domain account, you must register a service principal name (SPN) in Active Directory to associate the domain account with the HTTP service on the WCF server.

Non-Kerberos authentication – You can use client certificates to authenticate users and then use the WindowsIdentity constructor to obtain a Windows token for the user on the server.

Interactive logon session – Use this approach when you cannot authenticate your users using Kerberos and cannot use certificate authentication. This technique allows your users to access network resources using network credentials.

Controlling Impersonation on the Client Side

Windows credentials have an AllowedImpersonationLevel property, which you can set to one of the TokenImpersonationLevel values listed below in order to control the impersonation level.

    <behaviors>
      <endpointBehaviors>
        <behavior name="NewBehavior">
          <clientCredentials>
            <windows allowedImpersonationLevel="Impersonation" />
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>

You can set the allowedImpersonationLevel attribute to one of the following values:

  • None
  • Anonymous
  • Identification
  • Impersonation
  • Delegation
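To tie the imperative impersonation shown earlier to the client-side impersonation level, here is an added example (not code from the original post) of a service operation that impersonates the caller only around the protected file access and fails closed when the caller's token level is below Impersonation; the contract, class name and BaseDirectory are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;

// Added example, not from the original post. The contract, class name and
// BaseDirectory are assumptions made for illustration.
[ServiceContract]
public interface IFileService
{
    [OperationContract]
    string ReadProtectedFile(string fileName);
}

public class FileService : IFileService
{
    // Assumed ACL-protected directory whose files the operation reads.
    private const string BaseDirectory = @"C:\ProtectedData";

    // No OperationBehavior attribute: impersonation is NotAllowed by default, so
    // the caller is impersonated only inside the explicit using block below.
    public string ReadProtectedFile(string fileName)
    {
        ServiceSecurityContext context = ServiceSecurityContext.Current;
        if (context == null || context.WindowsIdentity == null || context.WindowsIdentity.IsAnonymous)
            throw new FaultException("Windows authentication is required.");
        WindowsIdentity caller = context.WindowsIdentity;

        // A client that set allowedImpersonationLevel="Identification" (or lower)
        // delivered a token that cannot be used to open resources. Fail closed
        // rather than falling back to the service account's own access.
        if (caller.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
            throw new FaultException("Caller token does not permit impersonation.");

        // Reject path traversal before any file access happens.
        string fullPath = Path.GetFullPath(Path.Combine(BaseDirectory, fileName));
        string prefix = BaseDirectory + Path.DirectorySeparatorChar;
        if (!fullPath.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
            throw new FaultException("Invalid file name.");

        // The using block reverts the thread to the service identity even when
        // File.ReadAllText throws (for example, access denied by the file's ACL).
        using (WindowsImpersonationContext impersonation = caller.Impersonate())
        {
            // The ACL check is now evaluated against the caller, not the service account.
            return File.ReadAllText(fullPath);
        }
    }
}
```

A client whose endpoint behavior sets allowedImpersonationLevel="Identification" reaches the second check and receives a fault instead of a file read performed under the service account.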

More about Impersonation and Delegation of WCF at U
