My previous post on header authentication comparison between WWSAPI and WCF mentioned the impersonation level. Here is a bit more detail as people still seem to be caught by surprise due to this difference. I mentioned that WCF client could set the impersonation level, but I didn’t mention the default value. The default impersonation level in the WCF client is Identification, except for Basic authentication, which always allows Delegation since the server receives the username/password. Since WWSAPI’s client always has impersonation level Impersonation, the difference can lead to behavior difference when the service needs to impersonate the client token and do some work. In that case, the WCF client may not work with the default config and code generated by SvcUtil.exe. You’d have to change the impersonation level to Impersonation, e.g.:

client.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;