
WCF Cross Domain Authentication & Impersonation


Scenario: An existing WCF Service X runs on a machine in Domain_A. The service relies on impersonation and so must have a windows identity. An ASP.NET website runs on a machine that is not part of a domain (it's a DMZ). It needs to call Service X, preferably (though not necessarily) using the net.tcp binding.

From what I understand from similar questions on SO, it's not possible to use Windows authentication across domains in WCF. If I use a different mechanism (i.e. certificate), will this mean there is still no way of presenting a credential to Service X that it can use for impersonation? Or can the certificate somehow map to an account on Domain_A?

The only other solution I can see is to create an additional service Y on Domain_A that the website can connect to (without needing impersonation), and then route the requests on to service X using Y's identity. But well, that just feels really kludgy.

Does anyone have a smarter solution to this?


Solution

  • So due to difficulties in configuring an SSL binding with a certificate mapped to an account alongside a netTcpBinding using Windows authentication, I bit the bullet and just created an intermediate 'Service Y'. Not the most elegant solution, but it works.
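The two halves of that intermediate-service design, as an added example that is not the poster's own configuration: Service Y's web.config exposes one endpoint to the DMZ website that authenticates callers by client certificate, and defines one client endpoint that calls Service X over net.tcp with Windows credentials (the identity of Y's application pool, which is assumed to be a Domain_A service account). Host names, contract names and the behaviour name are placeholders.

```xml
<system.serviceModel>
  <bindings>
    <!-- DMZ website -> Y: TLS transport, caller proves itself with a client certificate,
         so no Windows credential has to cross the domain boundary. -->
    <wsHttpBinding>
      <binding name="DmzCertBinding">
        <security mode="Transport">
          <transport clientCredentialType="Certificate" />
        </security>
      </binding>
    </wsHttpBinding>
    <!-- Y -> X: net.tcp inside Domain_A, Windows (Kerberos/NTLM) authentication,
         message stream signed and encrypted. -->
    <netTcpBinding>
      <binding name="WindowsToXBinding">
        <security mode="Transport">
          <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
        </security>
      </binding>
    </netTcpBinding>
  </bindings>

  <behaviors>
    <serviceBehaviors>
      <behavior name="DmzCertAuthBehavior">
        <!-- PeerTrust: only certificates explicitly installed in Y's TrustedPeople store
             are accepted, i.e. just the DMZ website's certificate (placeholder policy). -->
        <serviceCredentials>
          <clientCertificate>
            <authentication certificateValidationMode="PeerTrust" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>

  <services>
    <service name="Intermediate.ServiceY" behaviorConfiguration="DmzCertAuthBehavior">
      <endpoint address="" binding="wsHttpBinding" bindingConfiguration="DmzCertBinding"
                contract="Intermediate.IServiceY" />
    </service>
  </services>

  <client>
    <!-- X sees Y's app-pool account as the caller; with Impersonation=Required on X,
         that is the identity X impersonates. SPN is a placeholder for X's host. -->
    <endpoint address="net.tcp://servicex.domain-a.example/ServiceX" binding="netTcpBinding"
              bindingConfiguration="WindowsToXBinding" contract="Intermediate.IServiceX">
      <identity>
        <servicePrincipalName value="host/servicex.domain-a.example" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
```

Because X only ever sees Y's service account, the per-user authorization the DMZ site needs has to be enforced in Y (by certificate thumbprint or subject) before forwarding, and X's audit logs will attribute every call to that one account.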