[Repost] WCF Impersonation for Hosted Services

  • General discussion

  • Original article
    WCF Impersonation for Hosted Services

    In my blog entry “ASP.NET Compatibility Mode”, I showed how to perform impersonation with ASP.NET. WCF provides more flexible service operation level impersonation. Here is a common question that I heard:



    How can I use WCF impersonation for hosted services with BasicHttpBinding?



    You can use different security modes (specified in BasicHttpSecurityMode) to achieve this:

    • Message
    • Transport
    • TransportCredentialOnly
    • TransportWithMessageCredential

    Here I will just show how to use “TransportCredentialOnly” mode, which needs special treatment for the hosted case.

    Step 1: Implement the operation

    In order to enable impersonation, you need to specify the impersonation option on your service operation. Here is a simple service contract:


        [ServiceContract]
        interface IHelloService
        {
            [OperationContract]
            string Hello(string text);
        }


    To enable impersonation for the operation “Hello”, you need to specify the Impersonation property for the OperationBehavior attribute in the operation implementation as follows:


    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string Hello(string text)
    {
        return string.Format("Hi {0}, you said: {1}", WindowsIdentity.GetCurrent().Name, text);
    }


    Step 2: Create the binding

    When setting the security mode to “TransportCredentialOnly”, there are different authentication types that we can use. The most common secure type is “Windows”, which means that the underlying transport will use Kerberos (or NTLM if Kerberos is not supported) negotiation. Here is a sample configuration section:


        <basicHttpBinding>
            <binding name="MyAuthBinding">
                <security mode="TransportCredentialOnly">
                    <transport clientCredentialType="Windows"/>
                </security>
            </binding>
        </basicHttpBinding>

    Step 3: Configure the virtual application in IIS

    Now that we have the WCF service implementation and binding settings, we need to configure IIS to host the service correctly. Here are the steps:

    • Create a virtual application called “sample” in IIS to host your service.
    • Be sure to turn on “Integrated Windows authentication” for this virtual application. This will allow IIS to use Kerberos to perform authentication. Specifying a different scheme will cause a WCF service activation error.

    At this point, you have the hosted WCF service ready to handle requests.

    Step 4: Create a client

    Now we can create a simple client to connect to the above service. Here is the binding that matches the one on the service-side:

    BasicHttpBinding binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
    binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

    With this binding, we can easily create a proxy to connect to the service:

    ChannelFactory<IHelloService> factory = new ChannelFactory<IHelloService>(
        binding, new EndpointAddress("http://localhost/sample/service.svc"));
    IHelloService proxy = factory.CreateChannel();





    The sample code is attached.


    Posted: Thursday, May 18, 2006 5:19 AM by wdong


    Frank Xu Lei -- Stay humble, stay hungry to learn
    Focus on Distributed Applications Development and EAI based on .NET
    Welcome to My Chinese Technical Blog
    Welcome to Microsoft Chinese WCF Forum
    Welcome to Microsoft English WCF Forum
    January 25, 2010 9:07
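
Added example, not part of the original post or its attached sample: a variant of the Hello operation from Step 1 that impersonates imperatively, so the caller's identity is held only for the code that needs it, and that refuses tokens below the Impersonation level. The class name `ScopedHelloService` and the fault messages are assumptions; `IHelloService` is the contract from the post.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IHelloService
{
    [OperationContract]
    string Hello(string text);
}

// Hypothetical service class (the name is an assumption, not from the post).
public class ScopedHelloService : IHelloService
{
    // No OperationBehavior(Impersonation = ...) here: the operation body runs as
    // the host process identity and switches to the caller only where needed.
    public string Hello(string text)
    {
        ServiceSecurityContext context = ServiceSecurityContext.Current;
        WindowsIdentity caller = context == null ? null : context.WindowsIdentity;

        // An anonymous identity means Windows authentication did not take place.
        if (caller == null || caller.IsAnonymous)
            throw new FaultException("Caller was not authenticated with Windows credentials.");

        // Identification-level tokens can be inspected but not used to access
        // resources, so refuse them before doing any work as the caller.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Impersonation &&
            caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new FaultException("Caller token does not permit impersonation.");

        string impersonatedName;
        using (caller.Impersonate())
        {
            // Only this block runs under the caller's identity.
            impersonatedName = WindowsIdentity.GetCurrent().Name;
        }
        // Disposing the impersonation context reverts the thread to the host identity.

        return string.Format("Hi {0}, you said: {1}", impersonatedName, text);
    }
}
```

A client that leaves `factory.Credentials.Windows.AllowedImpersonationLevel` at its default of `TokenImpersonationLevel.Identification` may be refused by the level check, so set it to `TokenImpersonationLevel.Impersonation` before calling `CreateChannel()`. TransportCredentialOnly authenticates the caller but gives the messages no confidentiality or integrity protection over plain HTTP, so outside a trusted network the Transport mode over HTTPS is the safer pairing with impersonation.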