Routing and Impersonation

Can the routing service introduced with .NET 4 be used with impersonation?

Yes, the routing service can be used with impersonation for both sending and receiving messages. All of the usual Windows constraints of impersonation apply. If you would have needed to set up service or account permissions to use impersonation when writing your own service, then you’ll have to do those same steps to use impersonation with the routing service. The WCF configuration for impersonation is simplified though.

Impersonation with the routing service requires either the use of ASP.NET impersonation while in ASP.NET compatibility mode or the use of Windows credentials that have been configured to allow impersonation.

The only step to use ASP.NET impersonation with the routing service is to enable ASP.NET compatibility mode on the service hosting environment. The routing service has already been marked as allowing ASP.NET compatibility mode and impersonation will automatically be enabled. Impersonation is the only supported use of ASP.NET integration with the routing service.

To use Windows credential impersonation with the routing service, you need to configure both the credentials and the service. The client credentials object that you use has an allowed impersonation level that must be set to permit impersonation. On the service, you then need to configure the ServiceAuthorization behavior to set ImpersonateCallerForAllOperations to true. The routing service uses this flag to decide whether to create the clients for forwarding messages with impersonation enabled.
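
The two settings described above, shown as configuration fragments. This is an added example, not configuration from the original post; the endpoint addresses, the behavior, filter and endpoint names, and the IOrderService contract are assumptions made for illustration.

```xml
<!-- Fragment 1: app.config of the application that calls the router -->
<system.serviceModel>
  <behaviors>
    <endpointBehaviors>
      <behavior name="allowImpersonation">
        <clientCredentials>
          <!-- The caller must grant at least Impersonation; at the
               Identification level the service cannot act as the caller. -->
          <windows allowedImpersonationLevel="Impersonation" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <client>
    <!-- Hypothetical contract and address -->
    <endpoint name="router" address="http://router.example/router.svc"
              binding="wsHttpBinding" contract="IOrderService"
              behaviorConfiguration="allowImpersonation" />
  </client>
</system.serviceModel>

<!-- Fragment 2: configuration of the host running the routing service -->
<system.serviceModel>
  <!-- Alternative when hosted in ASP.NET: enable compatibility mode instead
       <serviceHostingEnvironment aspNetCompatibilityEnabled="true" /> -->
  <services>
    <service name="System.ServiceModel.Routing.RoutingService"
             behaviorConfiguration="routingImpersonation">
      <endpoint address="" binding="wsHttpBinding"
                contract="System.ServiceModel.Routing.IRequestReplyRouter" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="routingImpersonation">
        <routing filterTableName="routes" />
        <!-- The flag the routing service checks before creating its
             forwarding clients with impersonation enabled -->
        <serviceAuthorization impersonateCallerForAllOperations="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <client>
    <!-- Hypothetical destination the router forwards to -->
    <endpoint name="backend" address="http://backend.example/orders.svc"
              binding="wsHttpBinding" contract="*" />
  </client>
  <routing>
    <filters><filter name="matchAll" filterType="MatchAll" /></filters>
    <filterTables><filterTable name="routes"><add filterName="matchAll" endpointName="backend" /></filterTable></filterTables>
  </routing>
</system.serviceModel>
```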