To host a service using integrated Windows authentication, I use this binding configuration (transport security with Windows client credentials):
<transport clientCredentialType="Windows" />
Since the client authenticates with its Windows identity, the client code is rather simple (it uses the same binding configuration as the service):
var factory = new ChannelFactory<IClaimsService>("*"); // "*" picks the single endpoint from config
var proxy = factory.CreateChannel();                    // the caller's Windows identity is used on the transport
var id = proxy.GetIdentity();
When you run that, you will see a WindowsPrincipal/WindowsIdentity on Thread.CurrentPrincipal in the service. It contains the user name and the effective Windows groups the user is a member of, each group as its own claim. The issuer of all these claims will be AD AUTHORITY.
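To see those claims and their issuer for yourself, here is a service-side implementation of the IClaimsService contract the client above calls. This is an added example, not code from the original post: only the names IClaimsService and GetIdentity come from the post; the contract members, the data contracts and the ClaimsService/IdentityPrinter classes are assumed shapes. It targets .NET 4.5, where WindowsPrincipal derives from ClaimsPrincipal.

```csharp
// Added example (not code from the original post). Service side of the IClaimsService
// contract that the post's client calls. The data contracts and the implementation
// class are assumed; only the names IClaimsService and GetIdentity come from the post.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.Serialization;
using System.Security.Claims;
using System.ServiceModel;
using System.Threading;

[DataContract]
public class ClaimInfo
{
    [DataMember] public string Type { get; set; }
    [DataMember] public string Value { get; set; }
    [DataMember] public string Issuer { get; set; }
}

[DataContract]
public class IdentityInfo
{
    [DataMember] public string Name { get; set; }
    [DataMember] public string PrincipalType { get; set; }
    [DataMember] public string AuthenticationType { get; set; }
    [DataMember] public List<ClaimInfo> Claims { get; set; }
}

[ServiceContract]
public interface IClaimsService
{
    [OperationContract]
    IdentityInfo GetIdentity();
}

public class ClaimsService : IClaimsService
{
    public IdentityInfo GetIdentity()
    {
        // With <transport clientCredentialType="Windows" /> WCF sets Thread.CurrentPrincipal
        // to a WindowsPrincipal wrapping the caller's WindowsIdentity.
        var principal = Thread.CurrentPrincipal as ClaimsPrincipal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            // Should not happen with Windows transport security, but never hand out
            // claims for an anonymous caller.
            throw new FaultException("Caller is not authenticated.");
        }

        return new IdentityInfo
        {
            Name = principal.Identity.Name,
            PrincipalType = principal.GetType().Name,
            AuthenticationType = principal.Identity.AuthenticationType,
            // Every group membership is a ClaimTypes.GroupSid claim; like the name
            // claim, these carry the issuer AD AUTHORITY.
            Claims = principal.Claims
                .Select(c => new ClaimInfo { Type = c.Type, Value = c.Value, Issuer = c.Issuer })
                .ToList()
        };
    }
}

// Client-side helper: prints type, value and issuer of each claim, so you can compare
// the output with and without the useIdentityConfiguration service behavior.
public static class IdentityPrinter
{
    public static void Print(IdentityInfo info)
    {
        Console.WriteLine("{0} ({1}, {2})", info.Name, info.PrincipalType, info.AuthenticationType);
        foreach (var c in info.Claims)
            Console.WriteLine("  {0} = {1}  [issuer: {2}]", c.Type, c.Value, c.Issuer);
    }
}
```

Call IdentityPrinter.Print(proxy.GetIdentity()) from the client shown above. Returning the claim set over the wire is useful for a diagnostics endpoint, but group SIDs of the caller are not something a production service should echo to arbitrary clients, so keep such an operation restricted to administrators or remove it once you have verified the pipeline.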
Enabling “WIF” Mode
So far this is standard WCF, just with the additional twist that (on .NET 4.5) the WindowsPrincipal you get is derived from ClaimsPrincipal.
If you would rather use the security token handler and the claims transformation/authorization pipeline from WIF, you add this service behavior:
<serviceCredentials useIdentityConfiguration="true" />
Now the Windows security token handler (WindowsSecurityTokenHandler) does the conversion of the Windows token to claims. This means you additionally get the authentication method and authentication instant claims, this time with an issuer of LOCAL AUTHORITY.
Also, when you have a ClaimsAuthenticationManager registered in the <system.identityModel /> section, it will run, and you can transform and validate the claim set before it arrives in your service code.
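Here is what such a ClaimsAuthenticationManager can look like. This is an added example, not code from the original post: it checks that the caller really came through the Windows token handler (it assumes the handler sets the authentication-method claim to AuthenticationMethods.Windows) and then replaces the raw Windows group SIDs with application roles. The role names, the group-to-role mapping, the "MyApp" issuer string and the type/assembly name in the config registration are all assumptions.

```csharp
// Added example (not code from the original post). A ClaimsAuthenticationManager that runs in
// the WIF pipeline enabled by <serviceCredentials useIdentityConfiguration="true" />.
// Register it (assumed type and assembly names) in config as:
//
//   <system.identityModel>
//     <identityConfiguration>
//       <claimsAuthenticationManager type="MyApp.WindowsClaimsTransformer, MyApp" />
//     </identityConfiguration>
//   </system.identityModel>
using System;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security;
using System.Security.Claims;
using System.Security.Principal;

namespace MyApp
{
    public class WindowsClaimsTransformer : ClaimsAuthenticationManager
    {
        const string AppIssuer = "MyApp"; // assumed issuer name for the claims minted here

        public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
        {
            if (incomingPrincipal == null || incomingPrincipal.Identity == null
                || !incomingPrincipal.Identity.IsAuthenticated)
            {
                // A Windows-only transport never lets anonymous callers this far, so an
                // unauthenticated principal here means the bindings were misconfigured.
                throw new SecurityException("Unauthenticated principal reached the claims pipeline.");
            }

            var identity = (ClaimsIdentity)incomingPrincipal.Identity;

            // The Windows token handler adds an authentication-method claim (assumed value:
            // AuthenticationMethods.Windows). Refusing anything else means a later binding
            // change cannot silently push a different token type through this transformer.
            var method = identity.FindFirst(ClaimTypes.AuthenticationMethod);
            if (method == null || method.Value != AuthenticationMethods.Windows)
                throw new SecurityException("Expected a Windows-authenticated caller.");

            // Well-known SID for BUILTIN\Administrators, resolved without a directory lookup.
            var adminSid = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null).Value;
            var groupSids = identity.FindAll(ClaimTypes.GroupSid).Select(c => c.Value).ToList();

            // Mint a new identity that carries only what the service needs: the name, the
            // authentication method/instant from the handler, and application roles.
            // Downstream authorization then never depends on raw group SIDs.
            var app = new ClaimsIdentity(identity.AuthenticationType, ClaimTypes.Name, ClaimTypes.Role);
            app.AddClaim(new Claim(ClaimTypes.Name, identity.Name, ClaimValueTypes.String, AppIssuer));

            foreach (var c in identity.Claims.Where(k =>
                         k.Type == ClaimTypes.AuthenticationMethod || k.Type == ClaimTypes.AuthenticationInstant))
            {
                // Copied as-is, so these keep the LOCAL AUTHORITY issuer the handler gave them.
                app.AddClaim(new Claim(c.Type, c.Value, c.ValueType, c.Issuer));
            }

            app.AddClaim(new Claim(ClaimTypes.Role, "User", ClaimValueTypes.String, AppIssuer));
            if (groupSids.Contains(adminSid))
                app.AddClaim(new Claim(ClaimTypes.Role, "Admin", ClaimValueTypes.String, AppIssuer));

            return new ClaimsPrincipal(app);
        }
    }
}
```

Because the returned principal only contains name, authentication and role claims, a [PrincipalPermission(SecurityAction.Demand, Role = "Admin")] or a ClaimsAuthorizationManager check in the service sees application roles rather than domain group SIDs, and the mapping lives in one place.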
So this is pretty simple: you always get claims, and when you want the claims transformation and authorization pipeline as well, you add the above service behavior.