WCF Service Authentication

Question
Hey all,
I am developing a Windows Store App that uses a WCF Data Service. Everything works great until I try to secure it. I followed the example per Microsoft and created a partial class that provides username and pw and domain.
    using System.Net; // NetworkCredential

    public partial class ListServiceClient : System.ServiceModel.ClientBase<MPS_Mobile_Estimator.ListService.IListService>, MPS_Mobile_Estimator.ListService.IListService
    {
        // Partial-method hook called for the generated client's endpoint.
        static partial void ConfigureEndpoint(System.ServiceModel.Description.ServiceEndpoint serviceEndpoint, System.ServiceModel.Description.ClientCredentials clientCredentials)
        {
            if (serviceEndpoint.Name == MPS_Mobile_Estimator.ListService.ListServiceClient.EndpointConfiguration.BasicHttpsBinding_IListService.ToString())
            {
                serviceEndpoint.Binding.SendTimeout = new System.TimeSpan(0, 1, 0);
                // Windows credentials to present to the service.
                NetworkCredential myCred = new NetworkCredential("uname", "pw", "domain");
                clientCredentials.Windows.ClientCredential = myCred;
                clientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;
            }
        }
    }
The code gets called, but I get an error.
The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'.
Since this is a Windows Store App, you don't have a web.config to tweak. Any suggestions on how to get around this error? Is there a more preferred method to provide security between a Windows Store App than NTLM? It would seem that if they provide you with a way to supply a user name and password, they would have a way to tell the client to use it rather than connecting anonymously.
Any help would be greatly appreciated.
Jim
Thursday, October 24, 2013 11:14 PM
All replies
Basic authentication with SSL is actually more secure. I'll ask our WCF expert to take a look at this post though.
Matt Small - Microsoft Escalation Engineer - Forum Moderator
If my reply answers your question, please mark this post as answered.
NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.
Friday, October 25, 2013 7:09 PM
Moderator
Hi Jim,
Where is your endpoint hosted? Does the WCF service require transport-level authentication (HTTP Authorization header) or does it require message-level authentication? And secondly, do your WebService authentication and IIS authentication settings match?
Thanks,
Prashant
Windows Store Developer Solutions, follow us on Twitter: @WSDevSol || Want more solutions? See our blog
Friday, October 25, 2013 8:09 PM
Moderator
Thank you for your response.
When I posted this, all I had done is change some settings in the project properties of the WCF Service. I set Anonymous Authentication Enabled and Windows Authentication Disabled. I was hoping this would be enough to secure the service. For the Entity Framework part of it, it was. For the ServiceModel Services I had written, I got the error you saw above. Here is what I put in my web.config file of the service in order to fix it.
    <protocolMapping>
      <remove scheme="http" />
      <add binding="basicHttpsBinding" scheme="https" />
    </protocolMapping>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
    <bindings>
      <basicHttpsBinding>
        <binding name="BasicHttpsEndpointBinding">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpsBinding>
    </bindings>
    <services>
      <!--<service behaviorConfiguration="ServiceBehavior" name="MPSDataService.ListService" >-->
      <service name="MPSDataService.ListService" >
        <endpoint address="" binding="basicHttpsBinding" bindingConfiguration="BasicHttpsEndpointBinding" name="ListServiceEndpoint" contract="MPSDataService.IListService" >
          <identity>
            <dns value="localhost" />
          </identity>
        </endpoint>
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
      </service>
    </services>
When I simply changed the project settings and tried to refresh the service, it could not read the metadata. Apparently the
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
allows it to let a service client read the metadata. As you can see above, I told it to use Windows Authentication. If basic authentication is better, can you tell me what to change in order to implement it? Also, can you tell me where it gets its user list from?
The other issue I have is that my SQL server connection strings in the web.config are clear text. Integrated Security=True doesn't seem to work. When you use Integrated Security, which user account does it use to authenticate on the SQL server? Can you tell it to use the one that is connecting from the service client?
Thanks,
Jim
Jim Wilcox
Friday, October 25, 2013 9:15 PM
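
An added example, not part of the thread and not Microsoft's generated code: the error in the first post says the client binding offered no credential scheme ('Anonymous') while the server asked for Negotiate/NTLM, so the client binding's transport credential type has to be set in code to match the server's clientCredentialType. EndpointAuth and its parameters are hypothetical names, the code assumes the generated proxy uses a BasicHttpBinding, and it goes beyond the Windows case in the thread by also covering Basic over HTTPS.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Description;

// Hypothetical helper (not generated code): call it from ConfigureEndpoint.
public static class EndpointAuth
{
    public static void Apply(ServiceEndpoint endpoint, ClientCredentials creds,
                             NetworkCredential user, bool useBasic)
    {
        // Refuse to attach credentials to a non-TLS address; Basic in
        // particular sends the password in recoverable form on every request.
        if (!string.Equals(endpoint.Address.Uri.Scheme, "https",
                           StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Endpoint must use https.");

        // Assumption: the proxy's binding is a BasicHttpBinding.
        var binding = endpoint.Binding as BasicHttpBinding;
        if (binding == null)
            throw new NotSupportedException("Expected a BasicHttpBinding.");

        // Mirror the server's <security mode="Transport"> element.
        binding.Security.Mode = BasicHttpSecurityMode.Transport;

        if (useBasic)
        {
            // Server side must then use clientCredentialType="Basic".
            binding.Security.Transport.ClientCredentialType =
                HttpClientCredentialType.Basic;
            creds.UserName.UserName = string.IsNullOrEmpty(user.Domain)
                ? user.UserName
                : user.Domain + "\\" + user.UserName;
            creds.UserName.Password = user.Password;
        }
        else
        {
            // Matches <transport clientCredentialType="Windows" /> above;
            // the client then answers the Negotiate/NTLM challenge.
            binding.Security.Transport.ClientCredentialType =
                HttpClientCredentialType.Windows;
            creds.Windows.ClientCredential = user;
        }
    }
}
```

Pass in a NetworkCredential collected from the user at run time rather than the literal user name and password compiled into the app in the first post.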