Friday, October 10, 2008

WCF BasicHttpBinding with Windows Authentication & a 2.0 Client

Windows Authentication is a great way to provide authentication security in your WCF services. With the WSHttpBinding and a .NET 3.0+ client, Windows Authentication works right out of the box with WCF; everything is just peachy. However, if you want to use the BasicHttpBinding for .NET 2.0 client backward compatibility, it is going to require a bit of configuration for both the clients & server.

I covered the BasicHttpBinding in detail in this post, I would recommend you check that out before you dive into specifically using Windows Authentication with the BasicHttpBinding.

Service Configuration

There are two areas that you need to focus on to enable Windows Authentication in a WCF service, the Web.config file & the service implementation.

Web.config Settings

All of the configuration for the Windows Authentication WCF BasicHttpBinding service takes place in the Web.config file. Here is exactly what you need:

Enable Windows Authentication & the Role Provider

<authentication mode="Windows" />

<!-- Configure the Role Provider; currently configured for Windows tokens -->
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />

Create the Endpoint

<!-- The opening of this element was lost from the page; contract="IService" is an assumed value, substitute your own service contract -->
<endpoint address=""
          binding="basicHttpBinding"
          contract="IService"
          bindingConfiguration="WindowsAuthenticationBasicHttpBinding" />

Configure the BasicHttpBinding Binding

<bindings>
    <basicHttpBinding>
        <binding name="WindowsAuthenticationBasicHttpBinding">
            <!-- TransportCredentialOnly authenticates the client at the HTTP level (NTLM/Kerberos) but the
                 SOAP messages themselves are neither encrypted nor signed; it is meant for trusted networks.
                 For confidentiality use mode="Transport" over HTTPS with the same clientCredentialType. -->
            <security mode="TransportCredentialOnly">
                <transport clientCredentialType="Windows"/>
            </security>
        </binding>
    </basicHttpBinding>
</bindings>

Service Implementation

There are a couple of different ways you can do authentication for your WCF operations. I would highly recommend basing all of your authentication security on group or role membership rather than on single-user access. Coding your operation authentication security in a role-based manner will make administering the users allowed to access your operations much easier in the future.

Method 1: Operation Authentication Decoration

Edit your service implementation class (Service.cs or similar) to include authentication decorations for your web operations.

// Declarative Role Based Security
[PrincipalPermission(SecurityAction.Demand, Role = OperationRoles.MyRoleName)]

Method 2: Explicit Code Level Authentication

Put the following code within your operation method to do explicit authentication in the actual method code.

// Programmatic Role Based Security
if (!System.Threading.Thread.CurrentPrincipal.IsInRole(OperationRoles.MyRoleName))
    throw new FaultException("Unauthorized Exception");

Full operation example code:

using System.Security.Permissions;   // PrincipalPermission, SecurityAction
using System.ServiceModel;           // FaultException

// OperationRoles is a constants class holding the role (group) names used by this service

// Declarative Role Based Security
[PrincipalPermission(SecurityAction.Demand, Role = OperationRoles.MyRoleName)]
public string GetData(int value)
{
    // Programmatic Role Based Security
    if (!System.Threading.Thread.CurrentPrincipal.IsInRole(OperationRoles.MyRoleName))
        throw new FaultException("Unauthorized Exception");

    // The user is authorized, so return back the data requested
    return string.Format("You entered: {0}", value);
}
Client Configuration

The .NET 2.0 client needs to explicitly define the network credentials that are going to be sent across the wire. By default, .NET 2.0 web references to web services don't pass credentials over the wire, which is why the explicit credential code is necessary. Here is how you need to configure your .NET 2.0 client to ensure your credentials are passed across the wire and therefore allow you to be verified as a user in a valid role.

// Set the credentials to send across the wire to the WCF web service
ServiceRef.Service ws = new WCFMultipleEndpointWinAuth2_0ClientWebApp.ServiceRef.Service();

// Use the default credentials, this can be set more specifically as needed
ws.Credentials = System.Net.CredentialCache.DefaultCredentials;
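As an added example that is not from the post or its sample solution, here is the service side with both checks in one place, plus a .NET 3.0+ client that builds the matching binding in code instead of config. The OperationRoles class and its group name, the IService contract and the WindowsAuthClient class are assumptions; the service URI is the one the post gives.

```csharp
using System;
using System.Net;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.Threading;

// Assumed role holder: the post references OperationRoles.MyRoleName but never shows the class.
public static class OperationRoles { public const string MyRoleName = @"BUILTIN\Users"; }

[ServiceContract]
public interface IService { [OperationContract] string GetData(int value); }

public class Service : IService
{
    // Declarative check: under Windows auth WCF sets Thread.CurrentPrincipal to a WindowsPrincipal
    // (PrincipalPermissionMode defaults to UseWindowsGroups), so the demand runs before the body.
    [PrincipalPermission(SecurityAction.Demand, Role = OperationRoles.MyRoleName)]
    public string GetData(int value)
    {
        IPrincipal caller = Thread.CurrentPrincipal;
        // Programmatic check: same test, but you choose the fault and can record who was denied.
        if (!caller.IsInRole(OperationRoles.MyRoleName))
        {
            Console.Error.WriteLine("GetData denied for {0}", caller.Identity.Name);
            throw new FaultException("Unauthorized Exception");
        }
        return string.Format("You entered: {0}", value);
    }
}

// .NET 3.0+ client built in code. The binding must mirror the service's Web.config
// (TransportCredentialOnly + Windows); DefaultNetworkCredentials sends the process's Windows token.
public static class WindowsAuthClient
{
    public static string GetData(int value)
    {
        BasicHttpBinding binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        EndpointAddress address = new EndpointAddress("http://localhost/WCFBasicEndpointWinAuth/Service.svc");
        ChannelFactory<IService> factory = new ChannelFactory<IService>(binding, address);
        factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
        IService proxy = factory.CreateChannel();
        string result = proxy.GetData(value);
        factory.Close();
        return result;
    }
}
```

A caller outside the configured group is rejected twice over: the declarative demand raises a SecurityAccessDeniedException before the body runs, and the programmatic check would turn the same condition into the FaultException shown in the post.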

Sample Code

Here is a sample solution with service & client projects using the WCF BasicHttpBinding & Windows Authentication.

I have included the WCF Service with the authentication methods as well as a .NET 2.0 client configured to connect to the web service and pass appropriate credentials and a .NET 3.5 client configured to connect to the same web service for reference.

NOTE: In order to run the service, you will need to configure the service in IIS as a virtual directory at the following URI: http://localhost/WCFBasicEndpointWinAuth/Service.svc so Windows Authentication can be used. If you need help configuring IIS7 for ASP.NET/WCF development purposes refer to this post.


1 comment:

Anonymous said...

Please help. I followed your web configuration settings and tried publishing the WCF service to my local IIS. I have enabled anonymous and Windows authentication for it. When I enable anonymous, I get NT AUTHORITY\NETWORK SERVICE as my identity. How do I get my real identity? When I disable anonymous access, I get an error when trying to run the application. Thank you