Question

Edit- I reworded this question to (hopefully) better focus it.

The components that need to interact are: ASP.NET website <--> WCF service <--> 3rd party web service

The 3rd party web service requires Windows authentication via specifying a network credential during construction of the proxy. For example:

using System.Net;   // ICredentials, NetworkCredential

// The vendor proxy authenticates with whatever credential it is built with
ICredentials myCredentials = new NetworkCredential("myUsername", "myPassword", "myADdomain");
VendorWebService webService = new VendorWebService { Credentials = myCredentials };

To my knowledge, this is the only way our WCF service can impersonate a user to the 3rd party web service. Windows authentication (via network credential) is the only supported impersonation means- no ability to set up some kind of trust between the 3rd party web service and the WCF service.

The website runs under a service account, not individual users' accounts. When our users log in to our website, we validate them with ActiveDirectory, but we just use AD to say "yep, that's a valid name and password combination".

I need a way to take what I know on the website (username, password) and turn that into a network credential on the WCF service. All I have read says that passing the username/password or even a network credential object (if even possible) is a big security risk and a really bad practice.

What options / techniques are available to make the website user's Windows identity available to the WCF service when the website does not run under the user's account?

Thanks for any insight.

P.S. I did find this post: How do you pass user credentials from one process to another for Impersonation in .NET 1.1? after I posted my question and I am consuming its contents.


The solution

I'm posting an answer to my own question to confirm to future readers what the lack of other answers already implies- don't do this.

I think the core of my issue is that I'm trying to have an anonymous process (website session run under system account) identify itself to the recipient (WCF service) in a way not supported by Microsoft / Active Directory (nor most sane security strategists). I was trying to pass an identity within the content of the communication instead of as part of the communication protocol. In my crash course on network and system security, this would be a very dangerous strategy.

In short, one end requires authentication to Active Directory (3rd party software) while the other end requires anonymity (web site session).

Going forward, we have two possible solutions- build our own security around the communications so that we can pass Active Directory name / passwords as safe as possible, or convince the 3rd party vendor to relax their authentication requirements (i.e. ticketing agent).
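The following is an added illustration, not code from the question or the answer above, of the distinction the answer draws: carrying the caller's Windows identity in the communication protocol (Windows authentication plus WCF impersonation) rather than inside the message body. It assumes things the original post does not state: that the website authenticates browser users with Windows authentication so a delegable token exists, that the WCF endpoint uses a binding with Windows security, that the service account has Kerberos constrained delegation to the vendor host set up in Active Directory, and that the vendor proxy exposes a `Query` method (hypothetical name; `VendorWebService` is the proxy from the question).

```csharp
// Added example (not from the original post). Assumptions not on the page:
// IIS Windows authentication on the website, a WCF binding with Windows security,
// Kerberos constrained delegation for the service account, a vendor method "Query".
using System;
using System.Net;
using System.Security.Principal;
using System.ServiceModel;

// ---- Contract shared by website and WCF service ------------------------------
[ServiceContract]
public interface IVendorGateway
{
    // Anti-pattern, shown commented out for contrast: credentials as message content.
    // The body is only as protected as the channel and is logged, cached and
    // replayed wherever messages are; the answer above says don't do this.
    // [OperationContract] string QueryVendor(string adUser, string adPassword);

    // Identity rides on the protocol; the body carries business data only.
    [OperationContract]
    string QueryVendor(string request);
}

// ---- WCF service side ---------------------------------------------------------
public class VendorGateway : IVendorGateway
{
    // Required: WCF rejects the call unless the caller's token permits impersonation,
    // so a credential-less caller can never reach the vendor as "nobody".
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string QueryVendor(string request)
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
            throw new FaultException("A Windows identity is required.");

        // While the operation impersonates, DefaultNetworkCredentials is the caller's
        // token, so the vendor proxy authenticates as that user and the WCF service
        // never handles a password.
        var webService = new VendorWebService
        {
            Credentials = CredentialCache.DefaultNetworkCredentials
        };
        return webService.Query(request); // hypothetical vendor method name
    }
}

// ---- Website side (WCF client) ------------------------------------------------
public class VendorGatewayClient : ClientBase<IVendorGateway>, IVendorGateway
{
    public VendorGatewayClient(string endpointConfigName) : base(endpointConfigName)
    {
        // Delegation, not merely Impersonation, because the WCF service must hop to a
        // third machine; Identification would fail ImpersonationOption.Required.
        ClientCredentials.Windows.AllowedImpersonationLevel =
            TokenImpersonationLevel.Delegation;
    }

    public string QueryVendor(string request) => Channel.QueryVendor(request);
}

public static class WebsiteUsage
{
    // 'user' is the WindowsIdentity IIS established for the browser request
    // (assumption: the site uses Windows authentication, unlike the original design).
    public static string CallOnBehalfOf(WindowsIdentity user, string request)
    {
        using (user.Impersonate())
        using (var client = new VendorGatewayClient("VendorGatewayEndpoint"))
        {
            return client.QueryVendor(request);
        }
    }
}
```

The design in the question (website under a service account, AD used only to check a name/password pair) never produces a Windows token for the user, which is exactly why this path is unavailable to it and why the answer lands where it does. The value of the protocol-level variant is that the password stays with the domain controller: the website, the WCF service and any logging between them only ever see a Kerberos ticket whose lifetime and scope (constrained delegation to one service) are enforced by Active Directory rather than by application code.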

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow