Can only users who have access (to login) to “SERV1” access the service?
Yes – that’s the point of using Windows credentials in a WCF service. Only users which have a domain account in that Active Directory domain (or a separate domain which has a bidirectional full-trust relationship with your domain) will be able to access the service.
Or all users who are able to login to the office network (suing active directory credentials) will be able to consume the service?
The WCF security boundary is the Active Directory Domain – not a particular server.
Is there a way to ensure that only CIO approved applications will be accessing the service, keeping the service as windows authenticated?
How are those “CIO-approved” applications different from others? WCF is accessed by accounts – typically user accounts. You can limit which accounts have access to your service (by e.g. requiring those accounts to be member of a given AD group or something). You cannot really “limit” based on applications (only if those applications use specific application-level accounts to access your WCF service)
Does this authentication check happen for each service operation call or only for the first call?
Depends on your service – if you use a per-call WCF service, then the check happens for each call. If you use a per-session WCF service with “security negotiation” turned on, then the check happens once at the beginning of the session and not anymore until the session ends.
Is there any way the service will be able to know the windows credentials of the user?
Yes – OperationContext.Current.ServiceSecurityContext.WindowsIdentity IS the Windows credentials (the Windows identity) used to call your service. It’s a lot more than just the user name…..