WCF Impersonation Error Calling ASMX

Question

I have a web app that is calling a WCF Method with Impersonation set as required. In this method, I need to call another web service (ASMX) that returns security groups. The problem is, with the Impersonation set as Required, I get an error when I try to create an instance of the ASMX service.

WCF Service Method

[OperationBehavior(Impersonation = ImpersonationOption.Required)]
public List<MacroTypeInfo> GetFilteredMacroDataTypes(MacroDataTypeSection section)
{

    // Errors out here
    using (var login = new local.intranet.webservices.login())
    {
        login.getSecurityGroupsForUser(); // Never gets to this line
    }    

}

The error I get is

Either a required impersonation level was not provided, or the provided    
impersonation level is invalid. (Exception from HRESULT: 0x80070542)

Is there something else I must do to be able to call this web service insides this Impersonation required method? As soon as I remove the OperationBehavior attribute, the call works.

Answer 1

A server cannot impersonate a client to a remote server unless given permission. You can read about the different levels of impersonation here

If such impersonation is required the client has to allow it explicitly with an impersonation level of Delegation .

You can achieve this in a WCF client with the following endpoint behavior configuration:

<endpointBehaviors>
    <behavior name="delegateIdentity">
      <clientCredentials>
        <windows allowedImpersonationLevel="Delegation"/>
      </clientCredentials>
    </behavior>
</endpointBehaviors>

If you're using a generated proxy you can set this value on the proxy:

client.ChannelFactory.Credentials.Windows.AllowedImpersonationLevel =
    System.Security.Principal.TokenImpersonationLevel.Delegation;

Lastly if you're creating you proxy with a ChannelFactory<T> you can just set the same value as above on you ChannelFactory<T> .