Please follow the link to configure your domain controller.
Add all three boxes (A, B, C) to your new DC.
First Box/Domain Controller/Client box: DCSAURABH
Second Box: DCSAURABH1
Third Box: DCSAURABH2
Configure the Domain Controller for delegation:
DCSAURABH is my Domain Controller.
DCSAURABH1 and DCSAURABH2 are two boxes attached to this DC.
DCSAURABH1 is configured to delegate the credentials received from IE running on the client box (DCSAURABH).
The next step is to configure the web app and the two WCF services (WCF1 and WCF2).
Client End point:
Client end point Binding:
End point behaviour:
The endpoint behaviour indicates that the web app will impersonate the received credentials when calling WCF service 1, which runs on the same box.
WCF service 1 is then responsible for delegating these credentials to a different box, i.e. Box C, where WCF Service 2 is running.
WCF Service 1 service end point:
Client end point to call WCF service 2:
Client end point binding:
Client end point behaviour:
We are setting allowedImpersonationLevel to “Delegation”.
This allows the incoming Windows token from the web app (which came from IE) to be delegated to the back-end WCF service 2 running on the third box.
Call to WCF Service 2
WCF Service 2:
The impersonation option can also be set for the complete service in the configuration file, using the <serviceAuthorization /> element inside the service behavior.
However, this forces us to make sure all methods are still explicitly decorated with the impersonation option "Allowed" or "Required".
These steps will make sure you can delegate john’s identity (SAURABH/user2) to the back-end server.
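
An added example (not code from the original post) of how WCF Service 1 could forward the caller's token to WCF Service 2 in C#, refusing the call when the incoming token is not at the Delegation level. The contract names, the `WhoAmI` and `CallBackEnd` operations and the `Service2Endpoint` client endpoint name are assumptions.

```csharp
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical contracts; the page does not show its own.
[ServiceContract]
public interface IService2 { [OperationContract] string WhoAmI(); }

[ServiceContract]
public interface IService1 { [OperationContract] string CallBackEnd(); }

// WCF Service 2 (third box): runs the operation as the delegated caller.
public class Service2 : IService2
{
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoAmI()
    {
        // Under impersonation this is the original user, not the service account.
        return WindowsIdentity.GetCurrent().Name;
    }
}

// WCF Service 1 (second box): forwards the caller's token to Service 2.
public class Service1 : IService1
{
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string CallBackEnd()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        // Fail closed: only a Delegation-level token can be used on another box.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new FaultException("Caller token is not delegatable: " + caller.ImpersonationLevel);

        // "Service2Endpoint" is an assumed client endpoint name from the config file.
        var factory = new ChannelFactory<IService2>("Service2Endpoint");
        // Code equivalent of allowedImpersonationLevel="Delegation" in the endpoint behaviour.
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;
        IService2 proxy = factory.CreateChannel();
        try
        {
            string name = proxy.WhoAmI();
            factory.Close();
            return name;
        }
        catch
        {
            factory.Abort(); // do not call Close() on a faulted channel
            throw;
        }
    }
}
```

If delegation is working end to end, `CallBackEnd` returns the browsing user's name rather than the identity of either service account.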