ServiceSecurityContext.PrimaryIdentity Property


Gets the primary identity associated with the current setting.

Namespace:   System.ServiceModel
Assembly:  System.ServiceModel (in System.ServiceModel.dll)

public IIdentity PrimaryIdentity { get; }

Property Value

Type: System.Security.Principal.IIdentity

An IIdentity associated with the current setting.

The primary identity is obtained from the credentials used to authenticate the current user. If the credential is an X.509 certificate, the identity is a concatenation of the subject name and the thumbprint (in that order). The subject name is separated from the thumbprint with a semicolon and a space. If the subject field of the certificate is null, the primary identity includes just a semicolon, a space, and the thumbprint.

When a duplex message exchange pattern is used with Kerberos direct authentication, this property becomes empty on the callback and the claimset is also empty. This does not happen when SspiNegotiated is used instead of Kerberos.

The Kerberos Requester Token is used only on the client to represent the service. The authorization policy that it generates contains a single claim, an SPN, and therefore no identity. In most cases this is not a problem, because ServiceSecurityContext is not used on the client. In a duplex scenario, however, a callback that inspects this property gets an anonymous identity.

For an example of using the PrimaryIdentity property to authorize a client using a certificate, see How to: Examine the Security Context.
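The X.509 name format and the anonymous callback case described above, as an added example that is not code from the original page: a hypothetical CertificateIdentity helper splits the identity name on the last "; " and authorizes on the thumbprint. The sample names and thumbprint are constructed, and the 40-hex-digit check assumes a SHA-1 thumbprint.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// Added example: CertificateIdentity and all sample values are hypothetical.
static class CertificateIdentity
{
    const string Separator = "; ";   // documented separator: semicolon + space
    // Splits "<subject>; <thumbprint>" on the LAST separator, because a subject
    // name may itself contain "; ". Returns false for non-certificate names.
    public static bool TryParse(IIdentity identity, out string subject, out string thumbprint)
    {
        subject = thumbprint = null;
        string name = identity == null ? null : identity.Name;
        if (string.IsNullOrEmpty(name)) return false;   // anonymous, e.g. duplex callback
        int i = name.LastIndexOf(Separator, StringComparison.Ordinal);
        if (i < 0) return false;                        // e.g. a Windows account name
        string candidate = name.Substring(i + Separator.Length);
        // Assumption: the thumbprint is a SHA-1 hash rendered as 40 hex digits.
        if (candidate.Length != 40 || !candidate.All(Uri.IsHexDigit)) return false;
        subject = name.Substring(0, i);                 // empty when the subject field is null
        thumbprint = candidate.ToUpperInvariant();
        return true;
    }
    // Authorize on the thumbprint: it identifies one specific certificate.
    public static bool IsAllowed(IIdentity identity, ISet<string> allowedThumbprints)
    {
        string subject, thumbprint;
        return TryParse(identity, out subject, out thumbprint)
            && allowedThumbprints.Contains(thumbprint);
    }
}

static class Program
{
    static void Main()
    {
        string tp = "0123456789ABCDEF0123456789ABCDEF01234567";  // constructed, not a real certificate
        var allowed = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { tp };
        var samples = new IIdentity[] {
            new GenericIdentity("CN=client.example; O=Example; " + tp),  // subject containing "; "
            new GenericIdentity("; " + tp),                               // null subject field
            new GenericIdentity(""),                                      // anonymous identity
            new GenericIdentity(@"CONTOSO\alice"),                        // Windows-style name
        };
        foreach (IIdentity id in samples)
            Console.WriteLine("'{0}' -> allowed={1}", id.Name, CertificateIdentity.IsAllowed(id, allowed));
    }
}
```

In a service operation, pass ServiceSecurityContext.Current.PrimaryIdentity to IsAllowed in place of the constructed GenericIdentity samples.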

.NET Framework
Available since 3.0