Home/ Questions/Q 67775
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-10T19:18:46+00:00

This may be a doozy, but does anyone have an idea how to: Pass

  • 0

This may be a doozy, but does anyone have an idea how to:

Pass the users windows token (authenticated from domain) to the wcf service that is called – the service would then perform an action based on the users windows credentials that made the call.

ie: Client -> WCF -> SOME 3rd PARTY REPOSITORY THAT INTEGRATES WITH ACTIVE DIRECTORY.

I have a wcf data tier that is responsible for returning all of the data – currently the customer makes calls to this service. This service retrieves documents from a repository. The customer would like to accomplish this by managing all of the accounts with AD sincee the repository supports AD integration.

Any help would be appreciated – thank you 🙂

———- update I have followed jezell’s article but i still have issues.

I want to use upn as opposed to spn (so that the account can be locked down and more secure), but im not sure what i’ve got that is wrong.

I have created the spn’s on the AD server (tried every combination, no duplicates)

Here is some code snippet, maybe someone has an idea of what im doing wrong.

Dim binding As New NetTcpBinding() binding.Security.Mode = SecurityMode.Message binding.Security.Message.AlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128 binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows  Dim upn As String = 'usertest@testdomain.com'  Dim ep As New EndpointAddress(New Uri('net.tcp://server1.testdomain.com:1111/ServiceTest') _     , EndpointIdentity.CreateUpnIdentity(upn))  Dim factory As New ChannelFactory(Of Credential.Interface.ICredentialTest)(binding, ep) factory.Credentials.Windows.AllowNtlm = False factory.Credentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Delegation  Dim iproxy As Credential.Interface.ICredentialTest = factory.CreateChannel() Dim co As ICommunicationObject = CType(iproxy, ICommunicationObject) iproxy.ToService(result)

Now i get the error: ‘The identity check failed for outgoing message. The expected identity is… All i can find on this relates to using certificates, which im not doing.

Thanks 🙂

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. This is known as delegation. Set the allowed impersonation level in the client configuration to ‘Delegation’ and disable NTLM authentication on the server side. I have a post with a more in depth discussion here:

    http://www.iserviceoriented.com/blog/post/Delegation+-+WCF+Gotcha+2.aspx

    • 0