Impersonation in MSE for Non MS clients & Legacy apps

Topics: Technical Questions, Usage Scenarios
Feb 4, 2010 at 5:35 AM

We are currently evaluating MSE for service virtualization. One of the security requirements is to flow Windows credentials through MSE to the physical service. As per the security guide, we have applied a flow transport token policy at the virtual endpoint and an Identity Aware Channel policy at the resource, with the identity flow type set to Windows. We are getting the right results when we are testing the service using MSE Service Tester.

First, we accessed the virtual service by checking the "User Credentials" option and selecting the Impersonation Level as Impersonation. The credentials of the logged-in user were passed through MSE to the physical service.

Second, we accessed the virtual service without checking "User Credentials". The credentials of the MSE runtime service account were passed to the physical service, since user credentials and impersonation were not explicitly set in the Service Tester client.

What I would like to know is: is it a requirement to explicitly set user credentials and impersonation levels in client code to pass the Windows credentials (logged-in user) if we are accessing a physical service via MSE? For accessing the physical service directly from Service Tester, we don't need to set the user credential option or set the impersonation level. The logged-in user's credentials are passed to the physical service without that.

Setting the user credentials and impersonation levels for .NET clients would not be a problem. But for non-MS clients and legacy apps, it could be an issue.

Any pointers?



Feb 4, 2010 at 7:40 AM

The Windows token presented to the service determines if the service is capable of using the token for impersonation. The default impersonation level for a WCF client is Identification, which presents a token that does not allow impersonation. The client must explicitly allow his/her identity to be impersonated by setting the correct impersonation level.

I don't know what the default behavior is for other technology stacks (Java, for example) with respect to presenting tokens that allow impersonation.
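
Added example, not part of the thread and not MSE code: a self-hosted WCF service on .NET Framework that reports the impersonation level of the token it receives, called once with the client default and once with `AllowedImpersonationLevel` set explicitly. The contract `IWhoAmI`, the class names and the `net.tcp://localhost:9000/whoami` address are hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IWhoAmI { [OperationContract] string Describe(); } // hypothetical contract

public class WhoAmI : IWhoAmI
{
    public string Describe()
    {
        // Token the transport presented for the caller.
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        string seen = caller.Name + " presented " + caller.ImpersonationLevel;
        // An Identification-level token identifies the caller but cannot be impersonated.
        if (caller.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
            return seen + "; service cannot act as the caller";
        using (caller.Impersonate())
            return seen + "; now running as " + WindowsIdentity.GetCurrent().Name;
    }
}

public static class Demo
{
    static string Call(string address, TokenImpersonationLevel? level)
    {
        var factory = new ChannelFactory<IWhoAmI>(new NetTcpBinding(), new EndpointAddress(address));
        // Leaving this unset keeps the WCF client default (Identification).
        if (level.HasValue)
            factory.Credentials.Windows.AllowedImpersonationLevel = level.Value;
        try { return factory.CreateChannel().Describe(); }
        finally { factory.Abort(); } // tear down the demo channel either way
    }

    public static void Main()
    {
        const string address = "net.tcp://localhost:9000/whoami"; // hypothetical local endpoint
        using (var host = new ServiceHost(typeof(WhoAmI)))
        {
            host.AddServiceEndpoint(typeof(IWhoAmI), new NetTcpBinding(), address);
            host.Open();
            Console.WriteLine(Call(address, null));
            Console.WriteLine(Call(address, TokenImpersonationLevel.Impersonation));
        }
    }
}
```

Because client and host share one process here, both calls report the same account name; what changes between them is the impersonation level the service sees.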

Feb 8, 2010 at 5:11 AM

Thanks, Botto, for the quick reply. I have one more question with respect to the above query.

Is there a way to set the impersonation level inside MSE so that the client doesn't have to set it explicitly? If yes, then at what stage should we set that?