In WCF security, it exist two ways to specify how to access to a tiers resources. It called impersonation and delegation.
Impersonation permit to the service to use the client credential to access to another resource which is located on the same machine
delegation permit to the service to use the client credential to access to another resource which could be located anywhere on the network. The only one prerequesite is that the resource must be on the same AD
To summarize :
|Impersonation level||Service can perform cross-process delegation||Service can perform cross-machine delegation|
|Identification (no impersonation)||No||No|
For more information you can check that in the MSDN :