Kerberos looks great. I tried it before, but then it failed (because I didn't get the domain extension right); this time it worked after the 5th possible domain extension combination.
It works perfectly on my development machine (Windows 7), and since development is one of the target purposes of this option, that's great.
It doesn't work on my other machine (XP), but that's not an issue, since XP isn't a target OS.
After getting the identity I still impersonate it:
// S4U logon by UPN (no password); the UPN here is a placeholder
WindowsIdentity wi = new WindowsIdentity("firstname.lastname@example.org");
// switch the current thread to that identity; Undo() / Dispose() reverts it
WindowsImpersonationContext impContext = wi.Impersonate();
What makes it fail when I try to run it on our Citrix (target client machine)? The impersonation works, but the next call to the WCF service gives an exception and timeout:
On the service side, there is BL for auditing (it would be nice if this code also knew about the impersonation),
and there will be business rules that depend on the impersonated user, so it would be nice if it worked here as well, for testing / debugging purposes.
System.IdentityModel.Tokens.SecurityTokenValidationException: The service does not allow you to log on anonymously.
at System.ServiceModel.Security.SecurityUtils.ValidateAnonymityConstraint(WindowsIdentity identity, Boolean allowUnauthenticatedCallers)
at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeAcceptor.CreateClientSecurity(NegotiateStream negotiateStream, Boolean extractGroupsForWindowsAccounts)
at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeAcceptor.OnAcceptUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)
at System.ServiceModel.Channels.StreamSecurityUpgradeAcceptorBase.AcceptUpgrade(Stream stream)
at System.ServiceModel.Channels.InitialServerConnectionReader.UpgradeConnection(IConnection connection, StreamUpgradeAcceptor upgradeAcceptor, IDefaultCommunicationTimeouts defaultTimeouts)
at System.ServiceModel.Channels.ServerSessionPreambleConnectionReader.ServerFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
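A check worth running before the Impersonate() call, as an added example that is not code from the original post. A WindowsIdentity built from a UPN is an S4U2Self logon, and the token it returns is only Identification-level unless the calling process has SeTcbPrivilege and/or the host is trusted for protocol transition. An Identification-level token is enough to read the user's name and groups, but it cannot authenticate to a remote service on that user's behalf, which is one way a Windows-stream-secured WCF call ends up presenting an anonymous identity to the server. The example assumes .NET Framework (System.Security.Principal) and uses a constructed placeholder UPN.

```csharp
// Added example, not from the original post: inspect the S4U token's
// impersonation level before trusting it for outbound (network) calls.
using System;
using System.Security;
using System.Security.Principal;

static class S4UCheck
{
    // True only if the token can be used to act as the user, including for
    // authentication to another host (Impersonation or Delegation level).
    static bool CanActAs(WindowsIdentity wi)
    {
        return wi.ImpersonationLevel == TokenImpersonationLevel.Impersonation
            || wi.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }

    static void Main()
    {
        const string upn = "firstname.lastname@example.org"; // constructed placeholder UPN
        WindowsIdentity wi;
        try
        {
            // S4U2Self logon: no password, but a domain controller must be reachable.
            wi = new WindowsIdentity(upn);
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("S4U logon for {0} failed: {1}", upn, ex.Message);
            return;
        }

        Console.WriteLine("Token for {0}: level={1}, authenticated={2}",
            wi.Name, wi.ImpersonationLevel, wi.IsAuthenticated);

        if (!CanActAs(wi))
        {
            // Typical on a plain domain member: Impersonate() still succeeds,
            // but any call that must authenticate over the network will not
            // carry this user's credentials.
            Console.WriteLine("Token is {0}-level only; outbound calls will not run as {1}.",
                wi.ImpersonationLevel, wi.Name);
            return;
        }

        using (WindowsImpersonationContext ctx = wi.Impersonate())
        {
            // The thread now runs as the target user; confirm before opening the WCF channel.
            Console.WriteLine("Now running as {0}", WindowsIdentity.GetCurrent().Name);
            // ... open the WCF client channel here ...
        } // Dispose() reverts the impersonation (same effect as ctx.Undo()).
    }
}
```

Run it once on the development box and once inside the Citrix session and compare the printed level: if the second shows Identification, the NegotiateStream upgrade on the service side is not receiving the impersonated user's credentials, and the fix lies in the token privileges / delegation configuration rather than in the WCF binding.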