<ImpersonationLevel> Element

Specifies how a recipient of a KerberosToken2 security token can use the identity associated with the security token.

<policyDocument> Element
  <policies> Element
    <Policy> Element (WSE for Microsoft .NET) (1)
      <Confidentiality> Element
        <KeyInfo> Element (WSE for Microsoft .NET) (1)
          <SecurityToken> Element
            <Claims> Element
              <policyDocument> Element
                <policies> Element
                  <Policy> Element (WSE for Microsoft .NET) (1)
                    <Integrity> Element
                      <TokenInfo> Element
                        <SecurityToken> Element
                          <Claims> Element

<wse:ImpersonationLevel>identification|impersonation</wse:ImpersonationLevel>

Attributes and Elements

Attributes

None

Child Elements

None

Parent Elements

Element: <Claims> Element
Description: Specifies requirements that are specific to a security token type.

Text Value

A text value is required. The text value can be identification or impersonation.

Value: identification
Description: Recipients of a SOAP message that contains a KerberosToken2 security token can only get the identity associated with the security token.

Value: impersonation
Description: Recipients of a SOAP message that contains a KerberosToken2 security token can get the identity associated with the security token and impersonate that identity to access local resources and a constrained set of resources on remote machines (known as constrained delegation).

Remarks

To use a KerberosToken2 security token for constrained delegation, the computer that hosts the Web service must be configured to do so. For details about configuring the computer that hosts the Web service, see Differences between KerberosToken and KerberosToken2.

Example

The following code example defines the policy-5218e068-d399-4ad3-a014-9461df97209c policy assertion, which requires that the <Body> element, the timestamp header, and all addressing headers be signed using a KerberosToken2 security token that is capable of impersonation.

Note

This code example is designed to demonstrate WSE features and is not intended for production use.

<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings xmlns:wse="http://schemas.microsoft.com/wse/2002/12/Policy">
    <defaultEndpoint>
      <defaultOperation>
        <request policy="#policy-5218e068-d399-4ad3-a014-9461df97209c" />
        <response policy="" />
        <fault policy="" />
      </defaultOperation>
    </defaultEndpoint>
  </mappings>
  <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy"
            xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"
            xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
            xmlns:wssc="http://schemas.xmlsoap.org/ws/2004/04/sc"
            xmlns:rp="http://schemas.xmlsoap.org/rp">
    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
                wsu:Id="policy-5218e068-d399-4ad3-a014-9461df97209c">
      <wssp:Integrity wsp:Usage="wsp:Required" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <wssp:TokenInfo>
          <wssp:SecurityToken>
            <wssp:TokenType xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">http://schemas.xmlsoap.org/ws/2003/12/kerberos/Kerberosv5_AP_REQ</wssp:TokenType>
            <wssp:TokenIssuer>cohowinery.com</wssp:TokenIssuer>
            <wssp:Claims>
              <wssp:ServiceName>host/WineLabelServer</wssp:ServiceName>
              <!-- The recipient may impersonate the identity associated with the token -->
              <wse:ImpersonationLevel>impersonation</wse:ImpersonationLevel>
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:TokenInfo>
        <!-- Message parts that must be signed: body, timestamp, and addressing headers -->
        <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wse:Timestamp() wse:Addressing()</wssp:MessageParts>
      </wssp:Integrity>
    </wsp:Policy>
  </policies>
</policyDocument>
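
As an added example (not part of the original documentation or of WSE), the following Python script reads a policy document like the one above and lists every security token whose claims set <ImpersonationLevel>, marking impersonation for least-privilege review and any text other than the two documented values as invalid. The function names, status labels, sample policy IDs and urn:example namespace URIs are assumptions made for the illustration; elements are matched by local name, so the script does not depend on the namespace URIs in the file.

```python
import xml.etree.ElementTree as ET

ALLOWED = {"identification", "impersonation"}  # documented values; exact match is this script's assumption

def local(name):
    """Drop the '{namespace}' part ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]

def audit(xml_text):
    """One finding per <SecurityToken> whose <Claims> sets <ImpersonationLevel>."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for token in root.iter():
        if local(token.tag) != "SecurityToken":
            continue
        claims = next((c for c in token if local(c.tag) == "Claims"), None)
        values = {local(c.tag): (c.text or "").strip() for c in (claims if claims is not None else [])}
        if "ImpersonationLevel" not in values:
            continue
        assertion = policy_id = None
        node = token
        while node in parent:  # walk up to the enclosing assertion and policy
            node = parent[node]
            if assertion is None and local(node.tag) in ("Integrity", "Confidentiality"):
                assertion = local(node.tag)
            if local(node.tag) == "Policy":
                policy_id = next((v for k, v in node.attrib.items() if local(k) == "Id"), None)
                break
        level = values["ImpersonationLevel"]
        status = "invalid" if level not in ALLOWED else "review" if level == "impersonation" else "ok"
        findings.append({"policy": policy_id, "assertion": assertion,
                         "service": values.get("ServiceName"), "level": level, "status": status})
    return findings

# Constructed sample policy document; the urn:example namespace URIs are placeholders.
SAMPLE = """<policyDocument xmlns:wsu="urn:example:wsu" xmlns:wsp="urn:example:wsp" xmlns:wssp="urn:example:wssp" xmlns:wse="urn:example:wse"><policies>
  <wsp:Policy wsu:Id="policy-sign"><wssp:Integrity><wssp:TokenInfo><wssp:SecurityToken><wssp:Claims>
    <wssp:ServiceName>host/WineLabelServer</wssp:ServiceName><wse:ImpersonationLevel>impersonation</wse:ImpersonationLevel>
  </wssp:Claims></wssp:SecurityToken></wssp:TokenInfo></wssp:Integrity></wsp:Policy>
  <wsp:Policy wsu:Id="policy-encrypt"><wssp:Confidentiality><wssp:KeyInfo><wssp:SecurityToken><wssp:Claims>
    <wssp:ServiceName>host/WineLabelServer</wssp:ServiceName><wse:ImpersonationLevel>identification</wse:ImpersonationLevel>
  </wssp:Claims></wssp:SecurityToken></wssp:KeyInfo></wssp:Confidentiality></wsp:Policy>
  <wsp:Policy wsu:Id="policy-typo"><wssp:Integrity><wssp:TokenInfo><wssp:SecurityToken><wssp:Claims>
    <wssp:ServiceName>host/WineLabelServer</wssp:ServiceName><wse:ImpersonationLevel>Impersonate</wse:ImpersonationLevel>
  </wssp:Claims></wssp:SecurityToken></wssp:TokenInfo></wssp:Integrity></wsp:Policy>
</policies></policyDocument>"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Each "review" finding names the policy and service that are granted impersonation, which is the list to check against the services that are actually configured for constrained delegation.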

See Also

Reference

KerberosToken2

Other Resources

Kerberos Ticket