WCF Impersonation

Lately I have been studying how Windows clients and services verify access. Impersonation means that the service uses the client's account to access resources on the server or in the domain.
There are two types of impersonation: transport and SOAP. My impression is that in transport impersonation the credentials of the client are received via some sort of handshake distinct from the message, while in SOAP they are received in the message sent to make the request to the service. In either case, the SeImpersonatePrivilege needs to be set for the service's user ID.
Transport impersonation seems to depend on the binding and credentials presented by the client, although I have yet to confirm this. All I can find on MSDN is that the Named Pipe binding supports no impersonation and the HTTP bindings support impersonation differently depending on the authentication scheme (anonymous, basic, digest, ntlm, kerberos), but I am not sure of the precise way that this scheme is set.
SOAP based impersonation seems to be based again on the binding and type of credentials presented (I assume that, if both transport and SOAP level impersonation were possible, the more restrictive of the two settings would be chosen). SOAP impersonation can take either of two forms:
1. cached token - the service receives credentials (certificate, username, etc), contacts a Kerberos or SSPI (Security Support Provider Interface) server, and sets the Windows Identity of the security context.
2. service for user - the service retrieves the credentials from the method and maps them to a Windows identity using Kerberos extensions.
The above explanations are my impressions of the discrepancies between the two forms of setting the Windows ID, as I found no other explanation.
Regardless of the type of impersonation, the service-side implementation can be done declaratively as:
[OperationBehavior(Impersonation=ImpersonationOption.Allowed)]
where Allowed can be swapped with Required.
I assume that such impersonation information would then be provided to clients via WSDL metadata.
Further control of impersonation can be obtained on the client side (I am not sure what the default is if this is not used, but I expect that the maximum allowed impersonation on the service is used):
ChannelFactory<IService> cf = new ChannelFactory<IService>("style endpoint");
cf.Credentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Delegation;

The level above is a TokenImpersonationLevel value and can be: None, Anonymous, Identification, Impersonation, Delegation, it seems.
Delegation means that the service can use the client's credentials to connect to other computers on the network.
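To tie the service-side attribute and the client-side level together, here is an added example of my own (not code from MSDN or from any WCF sample): the contract IFileInfoService, the endpoint name "fileInfoEndpoint" and a Windows-authenticated binding in app.config are assumptions. The operation requires impersonation and reports which identity and token level it actually received, while the client grants only Impersonation rather than Delegation so the service cannot reach other hosts with the caller's credentials.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical contract; a WSHttpBinding with Windows client credentials is assumed.
[ServiceContract]
public interface IFileInfoService
{
    [OperationContract]
    string WhoAmI();
}

public class FileInfoService : IFileInfoService
{
    // Required: the call fails unless the client's token can be impersonated,
    // so the operation body never silently runs as the service account.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoAmI()
    {
        // Under impersonation the thread identity is the caller, not the service account.
        WindowsIdentity caller = WindowsIdentity.GetCurrent();
        // The level the client actually granted: Identification, Impersonation or Delegation.
        TokenImpersonationLevel level = caller.ImpersonationLevel;
        return string.Format("{0} ({1})", caller.Name, level);
    }
}

class ClientProgram
{
    static void Main()
    {
        // "fileInfoEndpoint" is an assumed endpoint name in the client's app.config.
        var cf = new ChannelFactory<IFileInfoService>("fileInfoEndpoint");
        // Grant only what the service needs: Impersonation lets it act as the caller on
        // its own machine; Delegation would also let it reach other hosts as the caller.
        cf.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
        IFileInfoService proxy = cf.CreateChannel();
        Console.WriteLine(proxy.WhoAmI());
        ((IClientChannel)proxy).Close();
        cf.Close();
    }
}
```

If the client lowered the level to Identification, the Required operation would be rejected by WCF before the body runs, which is an easy way to confirm that the level negotiated on the client is the one the service sees.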