Why do I get a WindowsIdentity when using message security?

Question

When switching from no security to Certificate I get a WindowsIdentity in the IAuthorizationPolicy.Evaluate (evaluationContext.Properties.TryGetValue("Identities", out obj)? Is this by design :

From this :

<binding name="NetTcpBinding_IMyAppClientServiceRegular" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="infinite" sendTimeout="01:00:00" transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions" hostNameComparisonMode="StrongWildcard" listenBacklog="10" maxBufferPoolSize="2147483647" maxBufferSize="2147483647" maxConnections="10" maxReceivedMessageSize="2147483647">
          <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647"/>
          <reliableSession ordered="true" inactivityTimeout="infinite" enabled="false"/>
          <security mode="None">
            <transport clientCredentialType="None"/>
          </security>
        </binding>

To this :

<binding name="netTcpCertificate" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="infinite" sendTimeout="01:00:00" transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions" hostNameComparisonMode="StrongWildcard" listenBacklog="1000" maxBufferPoolSize="2147483647" maxBufferSize="2147483647" maxConnections="200" maxReceivedMessageSize="2147483647">
          <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647"/>
          <reliableSession ordered="true" inactivityTimeout="infinite" enabled="false"/>
          <security>
            <message clientCredentialType="Certificate"/>
          </security>
        </binding>

Is there any way to avoid getting the WindowsIdentity in IAuthorizationPolicy.Evaluate? I do only want the WindowsIdentity to be set when using this binding :

<binding name="NetTcpBinding_IMyAppClientServiceWindows" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="infinite" sendTimeout="01:00:00" transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions" hostNameComparisonMode="StrongWildcard" listenBacklog="10" maxBufferPoolSize="2147483647" maxBufferSize="2147483647" maxConnections="10" maxReceivedMessageSize="2147483647">
          <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647"/>
          <reliableSession ordered="true" inactivityTimeout="infinite" enabled="false"/>
          <security mode="Message">
            <message clientCredentialType="Windows"/>
          </security>

Answer 1

I noticed you have not set the mode in <security> in your netTcpCertificate config instead of what you probably want: <security mode="Message">. By not setting the mode attribute, WCF will use the default value of Transport instead of Message which is what you likely want for certificate credentials. It's possible that WCF is passing the Windows identity when the mode is set to transport but I haven't tried to verify it.

UPDATE: Based on the comments below, you should make sure that the client config file endpoint>indentity>dns>value matches the name of server certificate CN= value. This value needs to be MyAppServer based on what you entered.