How to delegate the original caller to call backend services when using Windows authentication
Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen
Use delegation to flow the impersonated original user's security context (Windows identity) to the remote back-end service. On the remote back-end service, the original user's Windows identity can then be used to authenticate or impersonate the original caller, and to restrict or authorize the original caller's access to local resources.
To delegate the original caller to back-end resources:
- Configure the WCF process identity to be trusted for delegation. On Windows Server 2003 or later, use constrained delegation, which lets administrators specify exactly which services on a downstream server or domain account the process identity is allowed to access.
- Impersonate the original caller, using either programmatic or declarative impersonation, when accessing the downstream resources.
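The following C# example is added here to illustrate both impersonation styles named above; it is not code from the original guidance. It assumes a hypothetical `IOrderService` contract, a constructed UNC path `\\fileserver\orders`, and that an administrator has already marked the WCF process account as trusted for constrained delegation to the downstream file and SQL services (that step is done in Active Directory, not in code). The client-side factory shows the other half of the contract: the caller must grant a token at `TokenImpersonationLevel.Delegation`, otherwise the service can impersonate locally but the identity cannot flow to the second hop.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string GetOrderOwner(string orderId);

    [OperationContract]
    string ReadOrderFile(string orderId);
}

public class OrderService : IOrderService
{
    // Declarative impersonation: WCF impersonates the caller for the whole
    // operation, so every downstream access (a file share, SQL with integrated
    // security, another WCF service) is made under the original caller's
    // Windows identity, not the service account.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string ReadOrderFile(string orderId)
    {
        // Constructed path for the example. The file server applies its own
        // ACLs to the original caller, which is the point of delegation.
        string path = Path.Combine(@"\\fileserver\orders", orderId + ".xml");
        return File.ReadAllText(path);
    }

    // Programmatic impersonation: impersonate only for the span that needs it
    // and run the rest of the operation as the service identity.
    [OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
    public string GetOrderOwner(string orderId)
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
            throw new FaultException("Windows authentication is required.");

        // A token below Delegation level can be used on this machine but not
        // forwarded: the downstream hop would see ANONYMOUS LOGON or fail.
        if (caller.ImpersonationLevel < TokenImpersonationLevel.Delegation)
            throw new FaultException(
                "Caller token does not permit delegation; check AllowedImpersonationLevel on the client.");

        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            // Code here runs as the caller; a SQL or file access placed
            // here is authorized against the caller's own permissions.
            return WindowsIdentity.GetCurrent().Name;
        } // Reverted to the service identity here, even if an exception is thrown.
    }
}

public static class OrderClientFactory
{
    // Client side: opt in to delegation explicitly. Without this the service
    // receives an Impersonation-level token and the second hop is refused.
    public static IOrderService Create(string address)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        var factory = new ChannelFactory<IOrderService>(binding, new EndpointAddress(address));
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;
        return factory.CreateChannel();
    }
}
```

Two checks worth keeping in production code: verify `ImpersonationLevel` before the downstream call so a misconfigured client fails with a clear fault rather than an opaque access-denied from the back end, and keep the impersonated span inside a `using` block so the thread always reverts to the service identity.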