Trusted Subsystem, WCF and IIS
I’ve just about pulled my hair out on this one. This used to be very easy with ASMX:
Basically, I have IIS running as a trusted user, “Service”. I want WCF to run as this user for connecting to databases, etc. I don’t care who’s calling me; I’m in an intranet environment, and this service is open to the world. Unfortunately, all I can ever get is “user not associated with a trusted connection”, no matter what I do. I suspect it’s due to a network hop issue, or something similar. I can get it to work by flowing identity down, but I don’t want to do that; it’s not Trusted Subsystem.
I’ve spent about a day on two separate occasions trying to get this to work, but all examples seem to force me to set the service account on the ASP.NET side. But I don’t want to force clients to do any kind of security; that defeats the purpose.
The quickest way to Trusted Subsystem now is to use SQL Server authentication. With ASMX, I used ASP.NET configuration, along with IIS security configuration, to set the identity, and it worked just fine. WCF works outside the ASP.NET stack, so I don’t have that luxury. Security in WCF is tough, kids; don’t let anyone tell you any different.
Boo.