I am developing a WCF service that will be called by customer in internet. The service is hosted in IIS7 and accept only http. For clients call us from https we do is have a reverse proxy that forwards the request to the application https to http. The customer give a https url to connect and does so smoothly, adding the reference to the service properly. The problem comes when trying to create a client and add in your endpoint https and execute it, as it reads:
System.ArgumentException: The provided URI scheme 'https' is invalid,
expected 'http'. Parameter name: via.
I leave part of the service's web.config:
<bindings>
<wsHttpBinding>
<binding name="ConfigEP">
<security mode="Message">
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true">
<baseAddressPrefixFilters>
<add prefix="http://serverInterno/App/"/>
</baseAddressPrefixFilters>
</serviceHostingEnvironment>
<services>
<service behaviorConfiguration="App.AppM_NameBehavior" name="App.AppM_Name">
<endpoint address="" behaviorConfiguration="App.AppM_NameEPBehavior" binding="wsHttpBinding" bindingConfiguration="ConfigEP" name="App.AppM_NameEP" bindingNamespace="http://siteName/AppM_Name" contract="App.IAppM_Name" />
</service>
</services>
<behaviors>
<endpointBehaviors>
<behavior name="App.AppM_NameEPBehavior">
<wsdlExtensions location="https://urlsegura/App/Appm_Name.svc" singleFile="true" />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="App.AppM_NameBehavior">
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="false" />
<serviceCredentials>
<clientCertificate>
<authentication customCertificateValidatorType="App.Validador, App" certificateValidationMode="Custom" />
</clientCertificate>
<serviceCertificate findValue="XX XX XX XX XX XX XX XX XX XX" x509FindType="FindBySerialNumber" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<extensions>
<behaviorExtensions>
<add name="wsdlExtensions" type="WCFExtras.Wsdl.WsdlExtensionsConfig, WCFExtras, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
</behaviorExtensions>
</extensions>
and here the client's app.config:
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="NewBehavior">
<clientCredentials>
<clientCertificate findValue="XX XX XX XX XX XX XX XX XX XX" x509FindType="FindBySerialNumber" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="App.AppM_NameEP" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
<security mode="Message">
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />
<message clientCredentialType="Certificate" negotiateServiceCredential="true" algorithmSuite="Default" establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://urlsegura/App/Appm_Name.svc" binding="wsHttpBinding" bindingConfiguration="App.AppM_NameEP" contract="App.IAppM_Name" name="App.AppM_NameEP">
<identity>
<certificate encodedValue="XXXX" />
</identity>
</endpoint>
</client>
</system.serviceModel>
Thanks in advance.
Best regards.
I think your error is being caused because you're using message based security on your configuration. Try changing it to Transport instead (in both the client and service configuration files), so that it uses SSL for security rather than encrypting the message.
You can use TransportWithMessageCredential if you absolutely must have the message encrypted also. Hope that helps.
I don't understand the reverse proxy you describe but it seems you're trying to support access from both HTTP & HTTPS. To do this, you will need to add a second endpoint. You'd configure the service something like this:
<wsHttpBinding>
<binding name="ConfigEP">
<security mode="Message">
<message clientCredentialType="Certificate" />
</security>
</binding>
<binding name="ConfigEPHttps">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
and this add the new endpoint:
<service behaviorConfiguration="App.AppM_NameBehavior" name="App.AppM_Name">
<endpoint address="" behaviorConfiguration="App.AppM_NameEPBehavior"
binding="wsHttpBinding"
bindingConfiguration="ConfigEP"
name="App.AppM_NameEP"
bindingNamespace="http://siteName/AppM_Name"
contract="App.IAppM_Name" />
<endpoint address="secure" behaviorConfiguration="App.AppM_NameEPBehavior"
binding="wsHttpBinding"
bindingConfiguration="ConfigEPHttps"
name="App.AppM_NameEPHttps"
bindingNamespace="http://siteName/AppM_Name"
contract="App.IAppM_Name" />
</service>
You also need make this change to get the WSDL over HTTPS:
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
Related
I'm having a problem when moving a WCF service from Windows 2003 Server to Windows 2008 Server. This service communicates between a web site and a windows service on the same server. The service runs with the below configurations on both 2003 Server and locally on Windows 7 computers.
On the 2008 server, I'm getting the following error message
Exception Type: System.ServiceModel.EndpointNotFoundException
Message: There was no endpoint listening at net.tcp://localhost:10001/DCFDirectCert/SecurityService that could accept the message. This is often caused by an incorrect address or SOAP action.
Configuration for Web Site
<system.serviceModel>
<diagnostics>
<messageLogging logEntireMessage="true" logMalformedMessages="true" logMessagesAtServiceLevel="true"
logMessagesAtTransportLevel="true" />
</diagnostics>
<bindings>
<netTcpBinding>
<binding name="DirectCertBindingConfig">
<security mode="None" />
</binding>
<binding name="DirectCert.Services.DirectCertSecurityService.BindingConfig" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" transactionFlow="false"
transferMode="Buffered" transactionProtocol="OleTransactions" hostNameComparisonMode="StrongWildcard"
listenBacklog="10" maxBufferPoolSize="524288" maxBufferSize="1000000" maxConnections="10"
maxReceivedMessageSize="1000000">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096"
maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
<security mode="Transport">
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
<message clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
</bindings>
<client>
<endpoint address="net.tcp://localhost:10001/DirectCert/SecurityService" binding="netTcpBinding"
bindingConfiguration="DirectCert.Services.DirectCertSecurityService.BindingConfig"
contract="IDirectCertSecurityService" name="IDirectCertSecurityService" />
</client>
</system.serviceModel>
Configuration for Windows Service
<system.serviceModel>
<diagnostics>
<messageLogging logEntireMessage="true" logMalformedMessages="true" logMessagesAtServiceLevel="true"
logMessagesAtTransportLevel="true" />
</diagnostics>
<bindings>
<netTcpBinding>
<binding name="DirectCert.Services.DirectCertSecurityService.BindingConfig">
<security mode="Transport">
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
<message clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
</bindings>
<services>
<service behaviorConfiguration="DirectCert.Services.DirectCertSecurityService.Behavior"
name="DirectCertSecurityService">
<endpoint address="" binding="netTcpBinding"
bindingConfiguration="DirectCert.Services.DirectCertSecurityService.BindingConfig"
contract="IDirectCertSecurityService" />
<endpoint address="mex" binding="mexTcpBinding" bindingConfiguration="" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="net.tcp://localhost:10001/DirectCert/SecurityService" />
</baseAddresses>
</host>
</service>
</services>
<client>
<endpoint address="net.msmq://localhost/private/DirectCert" binding="netMsmqBinding"
bindingConfiguration="DirectCert.Services.DirectCertMatchService.BindingConfig"
contract="IDirectCertMatchService" name="DirectCertMatchServiceClient" />
</client>
<behaviors>
<serviceBehaviors>
<behavior name="myBehaviorConfiguration">
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="DirectCert.Services.DirectCertSecurityService.Behavior">
<serviceMetadata />
<serviceDebug includeExceptionDetailInFaults="true" />
<dataContractSerializer />
<serviceTimeouts />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
what I can see is, that the security-mode of both bindings is not the same (transport vs. none).
I'm trying to set up a WCF webservice in IIS 7 with SSL and I'm a bit lost with config files.
I want the data from the server to the client to be garbled (Is this enough with SSL?)
The client will also need to identity itself to the server through a certificate.
I have the following certificates in place:
dev.test.com - accessing the url https://dev.test.com/TestService.svc shows that there is this valid certificate in place.
TestServer - a dummy certificate that identifies the server (Do I need really need this? Or perhaps I can reuse the dev.test.com? Maybe have server.test.com?)
TestClient - a dummy certificate on the client side
And this is how my config files are set up:
Web.config (Server):
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding"
messageEncoding="Mtom">
<security mode="Message">
<transport clientCredentialType="None" />
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service
name="TestService"
behaviorConfiguration="TestServiceBehavior">
<endpoint
name="TestEndPoint"
address=""
binding="wsHttpBinding"
bindingConfiguration="wsHttpEndpointBinding"
bindingNamespace="http://www.example.com/"
contract="iWebService">
<!--<identity>
<dns value=""/>
</identity>-->
</endpoint>
<endpoint address="mex" binding="mexHttpsBinding" bindingConfiguration="" name="MexHttpsBindingEndpoint" contract="IMetadataExchange"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="TestServiceBehavior">
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="PeerOrChainTrust" />
</clientCertificate>
<serviceCertificate findValue="TestServer" storeLocation="LocalMachine"
storeName="My" x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
App.config (Client):
<bindings>
<wsHttpBinding>
<binding name="wsHttpBinding" bypassProxyOnLocal="false"
transactionFlow="false" hostNameComparisonMode="StrongWildcard"
messageEncoding="Mtom" textEncoding="utf-8" useDefaultWebProxy="true"
allowCookies="false">
<reliableSession ordered="true"
enabled="false" />
<security mode="Message">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="Certificate" negotiateServiceCredential="true"
algorithmSuite="Default" />
</security>
</binding>
<binding name="TestEndPoint" bypassProxyOnLocal="false"
transactionFlow="false" hostNameComparisonMode="StrongWildcard"
messageEncoding="Mtom"
textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<reliableSession ordered="true"
enabled="false" />
<security mode="Transport">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="Certificate" negotiateServiceCredential="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://dev.test.com/TestService.svc"
behaviorConfiguration="TestServiceBehavior"
binding="wsHttpBinding" bindingConfiguration="wsHttpBinding"
contract="IContractName" name="wsHttpBinding">
<identity>
<dns value="TestServer" />
</identity>
</endpoint>
<endpoint address="https://dev.test.com/DistributionCenterService.svc"
binding="wsHttpBinding" bindingConfiguration="TestEndPoint" contract="IContract.Name"
name="TestEndPoint" />
</client>
<behaviors>
<endpointBehaviors>
<behavior name="TestServiceBehavior">
<clientCredentials>
<clientCertificate findValue="TestClient"
storeName="My"
storeLocation="CurrentUser"
x509FindType="FindBySubjectName"/>
<serviceCertificate>
<authentication
certificateValidationMode="PeerOrChainTrust"
revocationMode="NoCheck"
trustedStoreLocation="CurrentUser"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
When I try to access the https://dev.test.com/TestService.svc, I get
Could not find a base address that matches scheme http for the endpoint with binding WSHttpBinding. Registered base address schemes are [https].
Anyway, I'm really lost with what config setting I should be using.
I believe for you to be able to use https, your security mode on the wsHttpBinding for the client needs to be either Transport or (probably in your case) TransportWithMessageCredential.
is it necessary to create a service certificate to use custom username and password authentication? I want to authenticate my WCF service with custom username and password.
My Service web.config is as follows:
<system.serviceModel>
<bindings>
<wsHttpBinding>`enter code here`
<binding name="NewBinding0">
<security mode="Message">
<transport clientCredentialType="Basic" />
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="WcfTest.Service1Behavior" name="WcfTest.TestService">
<endpoint address="" binding="wsHttpBinding" contract="WcfTest.ITestService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<endpointBehaviors>
<behavior name="NewBehavior" />
</endpointBehaviors>
<serviceBehaviors>
<behavior name="WcfTest.Service1Behavior">
<serviceMetadata httpGetEnabled="false" />
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceCredentials>
<!-- Use our own custom validation -->
<userNameAuthentication userNamePasswordValidationMode="Custom"
customUserNamePasswordValidatorType="MyValidator,WcfTest"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
and Client Web.config is:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_ITestService" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00"
sendTimeout="00:01:00" bypassProxyOnLocal="false"
transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8"
useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192"
maxArrayLength="16384" maxBytesPerRead="4096"
maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<transport clientCredentialType="Windows" proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName"
negotiateServiceCredential="true"
algorithmSuite="Default"
establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost:2374/Service1.svc" binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_ITestService"
contract="ServiceReference1.ITestService"
name="WSHttpBinding_ITestService">
<identity>
<userPrincipalName value="NYSA31\abc" />
</identity>
</endpoint>
</client>
</system.serviceModel>
But i am getting following error accessing the service.
WsHttpBinding demands service certificate. WCF 4 (and older versions with special KB) allows exposing service authenticated with UserName and password without certificate but do you really want it? It means that user name and password will go in the plain text over the wire = no security because anybody who will capture the packet will be able to authenticate with stolen credentials.
To use user name password without certificate you need custom binding or you can use ClearUserNameBinding.
Please, oh, please, please, please help!!! :-)
I am trying to test out WCF with SSL and seem to be missing something. I have done a ton of searching and can't seem to find what I'm missing with the config. I have a basic WCF service hosted in IIS on Windows 7 with a self-signed certificate. I also have a test client web application calling that WCF service.
I am getting the following error in the test client:
There was no endpoint listening at https://<url>/WcfAuthTest/Service1.svc that could accept the message.
I can navigate to the service in a browser and get the standard auto-generated page for a SOAP service.
Here is the config for the WCF Service:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="wsSecureBinding">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="wsSecureBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="wsSecureBehavior" name="Service1">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsSecureBinding" name="wsService1" contract="WcfAuthTest.IService1" />
<endpoint address="mex" binding="mexHttpsBinding" bindingConfiguration="" name="MexHttpsBindingEndpoint" contract="IMetadataExchange" />
</service>
</services>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
The client config is:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="wsTestBinding" closeTimeout="00:01:00" openTimeout="00:01:00"
receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false"
transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Transport">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://<url>/WcfAuthTest/Service1.svc"
binding="wsHttpBinding" bindingConfiguration="wsTestBinding"
contract="ServiceReference1.IService1" name="wsTestBinding" />
</client>
Hi I know its been a while since you asked this question.
I am having similar problems with WCF and SSL and just thought you might resolve your problem by setting the property in the Service Behaviours httpsGetEnabled="true"
setting this property enabled me to get to the next stage of problems :)
At the end of your config you have:
<endpoint address="https://<url>/WcfAuthTest/Service1.svc"
binding="wsHttpBinding" bindingConfiguration="wsTestBinding"
contract="ServiceReference1.IService1" name="wsTestBinding" />
<url> looks like it starts but never ends.
These scenarios work in their pieces. Its when i put it all together that it breaks.
I have a WCF service using netTCP that uses impersonation to get the callers ID (role based security will be used at this level)
on top of this is a WCF service using basicHTTP with TransportCredientialOnly which also uses impersonation
I then have a client front end that connects to the basicHttp.
the aim of the game is to return the clients username from the netTCP service at the bottom - so ultimatley i can use role based security here.
each service is on a different machine - and each service works when you remove any calls they make to other services when you run a client for them both locally and remotley. IE the problem only manifests when you jump accross more than one machine boundary.
IE the setup breaks when i connect each part together - but they work fine on their own.
I also specify
[OperationBehavior(Impersonation = ImpersonationOption.Required)] in the method and
have IIS setup to only allow windows authentication (actually i have ananymous enabled still, but disabling makes no difference)
This impersonation works fine in the scenario where i have a netTCP Service on Machine A with a client with a basicHttp service on machine B with a clinet for the basicHttp service also on machine B ... however if i move that client to any machine C i get the following error:
The exception is 'The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:10:00''
the inner message is 'An existing connection was forcibly closed by the remote host'
Am beginning to think this is more a network issue than config ... but then im grasping at straws ...
the config files are as follows (heading from the client down to the netTCP layer)
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="basicHttpBindingEndpoint" closeTimeout="00:02:00"
openTimeout="00:02:00" receiveTimeout="00:10:00" sendTimeout="00:02:00"
allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="http://panrelease01/WCFTopWindowsTest/Service1.svc"
binding="basicHttpBinding" bindingConfiguration="basicHttpBindingEndpoint"
contract="ServiceReference1.IService1" name="basicHttpBindingEndpoint"
behaviorConfiguration="ImpersonationBehaviour" />
</client>
<behaviors>
<endpointBehaviors>
<behavior name="ImpersonationBehaviour">
<clientCredentials>
<windows allowedImpersonationLevel="Impersonation"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
the service for the client (basicHttp service and the client for the netTCP service)
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="netTcpBindingEndpoint" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions"
hostNameComparisonMode="StrongWildcard" listenBacklog="10" maxBufferPoolSize="524288"
maxBufferSize="65536" maxConnections="10" maxReceivedMessageSize="65536">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Transport">
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
<message clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
<basicHttpBinding>
<binding name="basicHttpWindows">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows"></transport>
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="net.tcp://5d2x23j.panint.com/netTCPwindows/Service1.svc"
binding="netTcpBinding"
bindingConfiguration="netTcpBindingEndpoint"
contract="ServiceReference1.IService1"
name="netTcpBindingEndpoint"
behaviorConfiguration="ImpersonationBehaviour">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="ImpersonationBehaviour">
<clientCredentials>
<windows allowedImpersonationLevel="Impersonation" allowNtlm="true"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="WCFTopWindowsTest.basicHttpWindowsBehaviour">
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="true" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service name="WCFTopWindowsTest.Service1"
behaviorConfiguration="WCFTopWindowsTest.basicHttpWindowsBehaviour">
<endpoint address=""
binding="basicHttpBinding"
bindingConfiguration="basicHttpWindows"
name ="basicHttpBindingEndpoint"
contract ="WCFTopWindowsTest.IService1">
</endpoint>
</service>
</services>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
<directoryBrowse enabled="true" />
</system.webServer>
</configuration>
then finally the service for the netTCP layer
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authentication mode="Windows"></authentication>
<authorization>
<allow roles="*"/>
</authorization>
<compilation debug="true" targetFramework="4.0" />
<identity impersonate="true" />
</system.web>
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="netTCPwindows">
<security mode="Transport">
<transport clientCredentialType="Windows"></transport>
</security>
</binding>
</netTcpBinding>
</bindings>
<services>
<service behaviorConfiguration="netTCPwindows.netTCPwindowsBehaviour" name="netTCPwindows.Service1">
<endpoint address="" bindingConfiguration="netTCPwindows" binding="netTcpBinding" name="netTcpBindingEndpoint" contract="netTCPwindows.IService1">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
<endpoint address="mextcp" binding="mexTcpBinding" contract="IMetadataExchange"/>
<host>
<baseAddresses>
<add baseAddress="net.tcp://localhost:8721/test2" />
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="netTCPwindows.netTCPwindowsBehaviour">
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="false" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
<directoryBrowse enabled="true" />
</system.webServer>
</configuration>
If you need to make a more than one hop, you're going to need to enable delegation for that occur. You can get more information on that here.
That being said, if all you need to do is determine the role of a user that calls the backend service (netTcp), you don't necessarily need impersonation as the TokenImpersonationLevel of the WindowsIdentity should only need to be Information in order to determine role membership. In this case, you would only need to ensure impersonation was taking place in the middle-tier (basicHttp).