How to Delegate the Original Caller to Call Backend Services When Using Windows Authentication

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

Use delegation to flow the impersonated original user's security context (Windows identity) to the remote back-end service. On the back-end service, the original user's Windows identity can be used to authenticate or impersonate the original caller, and to restrict or authorize the original caller's access to local resources.

To delegate the original caller to back-end resources:
  1. Configure the WCF process identity to be trusted for delegation. On Windows Server 2003 or later, use constrained delegation, which lets administrators specify exactly which services on a downstream server or domain account the process identity may access.
  2. Impersonate the original caller, using either programmatic or declarative impersonation, when accessing the downstream resources.
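The two impersonation styles from step 2, shown as an added example (not code from the guidance page itself); the contract names, the `InventoryEndpoint` configuration name and the back-end operation are hypothetical, and the example assumes the front-end process account has already been marked in Active Directory as trusted for constrained delegation to the back-end service's SPN (step 1).

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Front-end contract (hypothetical names).
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string GetOrderOwner(int orderId);
}

// Client-side contract for the downstream back-end WCF service (hypothetical).
[ServiceContract]
public interface IInventoryService
{
    [OperationContract]
    string WhoAmI();   // back-end returns the identity it sees, useful to verify delegation
}

public class OrderService : IOrderService
{
    // Declarative impersonation: WCF impersonates the caller for the whole operation.
    // The token only reaches the back-end (second hop) if the process identity is
    // trusted for constrained delegation to that service; otherwise the back-end
    // sees an anonymous or NULL SID logon, which is the symptom to look for.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string GetOrderOwner(int orderId)
    {
        var factory = new ChannelFactory<IInventoryService>("InventoryEndpoint"); // endpoint in app.config
        IInventoryService backend = factory.CreateChannel();
        try
        {
            return backend.WhoAmI();   // runs as the original caller
        }
        finally
        {
            ((IClientChannel)backend).Close();
        }
    }

    // Programmatic alternative: impersonate only around the back-end call, so the
    // rest of the operation keeps running as the (less privileged) process identity.
    public static string CallBackendAsCaller(IInventoryService backend)
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
            throw new InvalidOperationException("No authenticated Windows caller to delegate.");
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            return backend.WhoAmI();   // impersonation is reverted when ctx is disposed
        }
    }
}
```

Comparing the value `WhoAmI()` returns with the front-end caller's name is a quick check that the delegation configuration in step 1 is actually in effect.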

Additional Resources

Last edited Jun 13, 2008 at 7:37 PM by prashantbansode, version 1
