System.DirectoryServices.AccountManagement.PrincipalContext and Impersonation in a WCF service

Working with the PrincipalContext in code that lies behind a WCF service. The WCF service is impersonating, to allow a 'pass-through' type authentication.

While everything else I do with Active Directory (mostly the System.DirectoryServices.Protocols namespace) works fine in this scenario, for some reason the classes in System.DirectoryServices.AccountManagement throw a fit. Sample code that fails:

PrincipalContext context = new PrincipalContext(ContextType.Domain, domainName);
UserPrincipal user = 
    UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, UserName);

When I make the call to FindByIdentity, I get a COMException: "An operations error has occurred". Calls to th开发者_运维技巧e PrincipalContext also fail, e.g.:

string server = context.ConnectedServer;

Both OperationContext.Current.ServiceSecurityContext and Thread.CurrentPrincipal.Identity show the impersonation is working correctly. And, like I say, other AD tasks in S.DS.P work fine.

If I explicitly set credentials on the PrincipalContext, everything works. For example:

PrincipalContext context = 
    new PrincipalContext(ContextType.Domain, domainName, user, password);
UserPrincipal user = 
    UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, UserName);

Now everything works. But I won't know the username and password from the caller; I must rely on the impersonation.

Any ideas on what would cause the issue I'm seeing?

Thanks in advance! James

---

Make sure an spn is set for the app pool, delegation is set in AD, and that the app pool account has the act as part of the os privilege.