We are currently evaluating MSE for service virtualization. One of the security requirements is to flow Windows credentials through MSE to the physical service. As per the security guide, we have applied a flow transport token policy at the virtual endpoint and an Identity Aware Channel policy at the resource, with identity flow type set to Windows. We are getting the right results when we test the service using the MSE Service Tester.

First, we accessed the virtual service by checking the "User Credentials" option and selecting Impersonation Level as Impersonation. The credentials of the logged-in user were passed through MSE to the physical service.

Second, we accessed the virtual service without checking "User Credentials". The credentials of the MSE runtime service account were passed to the physical service, since user credentials and impersonation were not explicitly set in the Service Tester client.

What I would like to know is whether it is a requirement to explicitly set user credentials and impersonation levels in the client code in order to pass the Windows credentials (of the logged-in user) when we are accessing a physical service via MSE. When accessing the physical service directly from the Service Tester, we don't need to set the user credential option or set the impersonation level; the logged-in user's credentials are passed to the physical service without that.

Setting the user credentials and impersonation levels for .NET clients would not be a problem, but for non-Microsoft clients and legacy apps it could be an issue.