Need help in WCF authentication scenario RRS feed

  • Question

  • Hello

    I need a hint to implement the following scenario correctly.

    We want to implement a double-hop authentication, so that a client (plain http request with Windows authentication switched on in IIS) can call a WCF-service via BizTalk using either the client (caller) credentials or the credentials of BizTalk service user account. After setting up a straight forward test environment, the WCF-service reports that the BizTalk service user is assigned to ServiceSecurityContext.Current.PrimaryIdentity.

    I tried to change the behavior in BizTalk WCF-Custom send port by setting the allowedImpersonationLevel (in behavior->client credentials->windows) to Impersonation/Delegation. But I can't see any change. Do I miss something?

    Rgds Mrks


    Monday, August 8, 2011 9:46 AM

All replies

  • You need to mark the handler (i.e BizTalk host) used for this receive location as Authentication Trusted. You can refer to this article to know more about authentication of message in BizTalk.

    Don't forget to mark the post as answer or vote as helpful if it does, Regards -Rohit Sharma (
    Thursday, August 11, 2011 7:15 AM
  • Hi Rohit

    Thanks for your reply. According to your advice, I've configured the isolated host in BizTalk to be Authentication Trusted. However I still receive the credentials of the BizTalk service account in the final WCF Service.

    I have to check if the IIS Host is trusted for delegation. Any further advices?

    Just to recap:

    • The calling web client uses domain credentials A to connect to BizTalk Receive Location using Windows Authenntication
    • The BizTalk host running the receive location (Isolated Host) is now Authentication Trusted
    • The receive pipeline successfully resolves the party and sets SSID and PID
    • WCF-Custom SendPort (binding: basicHttp) has allowedImpersonationLevel = Impersonation in clientCredential behavior (Windows section)
    • The message is sent by BizTalk to WCF Service (still having all the context properties) using Windows Authentication again
    • The user assigned to ServiceSecurityContext.Current.PrimaryIdentity in WCF Service is the BizTalk service user but should be A from the calling web client


    Friday, August 12, 2011 8:25 AM
  • The article by Paolo ( provides some scenarios how to implement impersonation/ delegation with BizTalk. I tried to follow scenario 1 but, unfortunately, still no luck. My POC stops with an "Either a required impersonation level was not provided, or the provided impersonation level is invalid" error.
    Friday, August 12, 2011 3:07 PM
  • Hello

    Try this How to configure Windows Authentication for a WCF Service with Client Credential passed through to BizTalk over SSL

    Good luck!

    For double hot, be sure to enable Impersonation/Delegation on the Server via the Domain controller, and the AD Object for the Service Account. Also, be sure to set up a SPN for the Service Account.

    Jason Sauers

    • Proposed as answer by Jason Sauers Monday, April 4, 2016 2:59 PM
    Sunday, March 13, 2016 2:37 PM