Routing a soap message through HTTP protocol with impersonation in WCF - Zuker On Foundations

Zuker On Foundations

The realm of .NET (WPF, WCF and all around)
Routing a soap message through HTTP protocol with impersonation in WCF

One of the requirements for the sophisticated router facade I built at work was to support Kerberos authentication by using impersonation and delegating the credentials. (Obviously, this will work if all delegation-related settings are set up correctly in the domain and so on.)

I encountered a specific error while trying to impersonate the caller when the transport was HTTP.
After excessive debugging, I found that WCF carries the incoming HTTP request properties, including the Authorization header, in the message properties collection. If you impersonate the caller and don't clear this property, the impersonation will not affect the credentials being passed to the backend service. This is why it happens only when using the HTTP protocol.

Here is the code that made it all work:

 

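    if (context.Session.Router.ShouldImpersonate)
    {
        // Only HTTP carries the inbound request headers in the message properties.
        if (context.Session.TargetEndpoint.Transport == RouterTransport.Http
            && message.Properties != null && message.Properties.Count > 0
            && message.Properties.ContainsKey(HttpRequestMessageProperty.Name))
        {
            HttpRequestMessageProperty pp = message.Properties[HttpRequestMessageProperty.Name] as HttpRequestMessageProperty;

            if (pp != null)
            {
                // Remove the inbound Authorization header so it is not forwarded to the backend.
                pp.Headers.Remove("Authorization");
            }
        }

        // The caller of this method must dispose the returned context to revert the impersonation.
        return ServiceSecurityContext.Current.WindowsIdentity.Impersonate();
    }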
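The snippet above returns the impersonation context but does not show how the forwarding call uses it. The following is an added example, not code from the original router: the class and method names are hypothetical, and `backend` is assumed to be an already opened `IRequestChannel` to the target endpoint. It checks that the caller's token can actually be delegated, strips the header, and reverts the impersonation when the call completes or throws.

```csharp
using System;
using System.Security;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Hypothetical helper; names are illustrative and not part of the original router.
public static class ImpersonatingForwarder
{
    public static Message ForwardAsCaller(Message message, IRequestChannel backend)
    {
        ServiceSecurityContext security = ServiceSecurityContext.Current;
        WindowsIdentity caller = security == null ? null : security.WindowsIdentity;

        // Refuse to forward when there is no authenticated Windows caller.
        if (caller == null || caller.IsAnonymous)
            throw new SecurityException("No Windows identity to impersonate.");

        // A hop to a remote backend needs a Delegation-level token; an
        // Impersonation-level token is only usable on the router machine itself.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new SecurityException(
                "Caller token level is " + caller.ImpersonationLevel + ", Delegation is required.");

        // Drop the inbound Authorization header so it is not forwarded in place
        // of the credentials negotiated under the impersonated identity.
        object value;
        if (message.Properties.TryGetValue(HttpRequestMessageProperty.Name, out value))
        {
            HttpRequestMessageProperty http = value as HttpRequestMessageProperty;
            if (http != null)
                http.Headers.Remove("Authorization");
        }

        // Dispose() reverts the thread to the service account, even if Request throws.
        using (caller.Impersonate())
        {
            return backend.Request(message);
        }
    }
}
```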

Published Friday, October 02, 2009 1:39 PM by Amir Zuker
