Using Kerberos delegation in WCF by domain and passing ClientCredentials

I have a client application in one domain (Domain1), which needs to access the WCF service on the application server in another domain (Domain2) (no trust). Users must enter their Domain2 credentials into the client application. This WCF service must connect to a database on another server in Domain2.

I am passing credentials using ChannelFactory.Credentials.Windows.ClientCredential. I have delegation for user and application server (also db server, but I don't think it is necessary). I have a server and client configured for delegation in their application configurations. However, it seems that when connecting, it uses only impersonation (not delegation) when it gets to the application server, and therefore I get an anonymous access error from db.

I suspected that this could be due to the fact that you cannot use Kerberos delegation by domain. So I tried to run the client application in Domain2 and got the same error. But when I take the credential settings (with ChannelFactory.Credentials.Windows.ClientCredential) and run the client in Domain2 (so that it will use the registered user credentials), then it works.

It seems to me that this is probably because it does not pass the Kerberos token for the WCF service, but the username and password. But, of course, should it be able to pass the username and password to the web service and connect, and then authenticate in this domain?

I looked around, but did not find anyone who had this cross-delegation problem using ClientCredentials.

Hope someone can help me.

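As an added example (not the poster's code), here is a minimal WCF client that explicitly requests a delegation-level token and a service-side check that reports what kind of token actually arrived, so the "anonymous" error at the database can be traced to an NTLM/impersonation fallback rather than guessed at; the contract name, SPN and endpoint are assumptions.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IMyService
{
    [OperationContract]
    string WhoAmI();
}

// Client side: ask for delegation explicitly. Without AllowedImpersonationLevel = Delegation
// the service gets, at best, an impersonation-level token that cannot be forwarded to SQL.
public static class DelegatingClient
{
    public static IMyService Open(string endpointUri, string user, string password, string domain)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        // Disable SPNEGO so a silent fall-back to NTLM surfaces as a hard error instead of a
        // token that silently lacks delegation rights.
        binding.Security.Message.NegotiateServiceCredential = false;

        // The SPN must match the one registered on the service account (assumed value).
        var identity = EndpointIdentity.CreateSpnIdentity("MyService/appserver.domain2.local");
        var address = new EndpointAddress(new Uri(endpointUri), identity);

        var factory = new ChannelFactory<IMyService>(binding, address);
        factory.Credentials.Windows.ClientCredential = new NetworkCredential(user, password, domain);
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;
        return factory.CreateChannel();
    }
}

// Service side: log what arrived before opening the database connection.
//   Kerberos + Delegation   -> the second hop to SQL carries the caller's identity.
//   NTLM + Impersonation    -> no Kerberos service ticket was obtained (typical when the
//                              client cannot reach a Domain2 KDC); SQL sees ANONYMOUS LOGON.
public static class CallerCheck
{
    public static string Describe()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        return string.Format("{0} auth={1} level={2}",
            caller.Name, caller.AuthenticationType, caller.ImpersonationLevel);
    }
}
```

Call `CallerCheck.Describe()` inside the service operation and write it to a log: if it shows `NTLM` or `Impersonation`, the delegation configuration never came into play because no Kerberos ticket was issued to the client in the first place.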