

Getting the Client's Password

I'm writing a middle-tier service that needs to act as the client. I can get the user name from the client credentials but the password isn't available. How do I get the client's password?

Most reputable security systems never give the service access to the client's password. What they do give the service is the client's identity and some token that proves the client is who they claim to be. There's no way to pass that token on without cooperation from the security system. This cooperation process is called credential delegation. I've talked about delegation of credentials in the past and shown how to impersonate with delegation.

Alternatively, you can use a security system that does not protect the user's password. HTTP basic authentication sends the user's password to the service, allowing the server to do whatever it wishes with that password. Similarly, you can specify user name and password client credentials for message security but set EstablishSecurityContext to false. This lets the client send message security credentials without the intermediary consuming them. If you use this approach, you should enable transport security to prevent other people from reading the client's password during transmission.
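The second approach, as a WCF service configuration, is an added example that is not from the original post: a wsHttpBinding with user name message credentials, `establishSecurityContext` turned off so the credentials travel in every message rather than being consumed into a session, and `TransportWithMessageCredential` so HTTPS covers the password in transit. The service, contract, validator type and address are hypothetical names.

```xml
<!-- Added example (not from the post). Hypothetical names: Middle.Tier.Service,
     Middle.Tier.IForwarding, Middle.Tier.PasswordValidator, https://host/middle -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Weak for this purpose: with a security context the client's user name and
           password are consumed once to set up a session, so the service never sees
           the password on later messages. Message mode also sends it without TLS
           unless a service certificate protects it. -->
      <binding name="SessionBased">
        <security mode="Message">
          <message clientCredentialType="UserName" establishSecurityContext="true" />
        </security>
      </binding>
      <!-- What the post describes: no security context, so every message carries the
           user name token, and transport security (HTTPS) protects it on the wire. -->
      <binding name="PasswordPerMessage">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" establishSecurityContext="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <service name="Middle.Tier.Service" behaviorConfiguration="CustomPasswordCheck">
      <!-- Address must be https:// for TransportWithMessageCredential. -->
      <endpoint address="https://host/middle"
                binding="wsHttpBinding"
                bindingConfiguration="PasswordPerMessage"
                contract="Middle.Tier.IForwarding" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="CustomPasswordCheck">
        <serviceCredentials>
          <!-- The custom validator (a UserNamePasswordValidator subclass) is the one
               place the service receives the client's password, per message. -->
          <userNameAuthentication
              userNamePasswordValidationMode="Custom"
              customUserNamePasswordValidatorType="Middle.Tier.PasswordValidator, Middle.Tier" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

The `Validate(userName, password)` override of the custom validator is where the intermediary can pick up the password to re-present it to the back end; keep it out of logs and traces.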

Next time: Tuning Service Throttles