BasicHttpBinding and authentication not working as expected

  • Question

  • Hi all,

    I have already asked this question in the Silverlight forums, but no one is replying, so I'm trying my luck here;

    I'm seeing a strange behavior when making a call to a WCF service from my SL client.
    The service exposes an endpoint using basicHttp with the following security configuration;

    <security mode="TransportCredentialOnly">
      <transport clientCredentialType="Windows"/>
    </security>

    In my ServiceReferences.ClientConfig I have configured security for the client like this;

    <security mode="None"/>

    The strange thing is that calls to the service succeed, although they should fail due to the configuration mismatch? How is this possible?
    I have created a small WPF application with the exact same client configuration as my SL application, and in my WPF application the calls to the WCF service fail as expected...

    What am I doing wrong here? (My WCF Service is hosted in a Windows Service, not IIS)

    -Thanks

    Thursday, April 30, 2009 2:46 PM

Answers

  • Windows authentication is a pretty secure, but complicated protocol. However, it is not designed to work on the internet. Theoretically this is possible, but practically it doesn't work (Kerberos, firewalls etc., etc.). In short, it is designed to work well in an enterprise and not on the internet.

    On the other side, SL is designed to work on the internet. Following these two statements, it is reasonable that no Windows authentication can/should be required for the internet and/or SL. Having Windows authentication for SL would be just a nice-to-have feature.

    If one wants to use SL in a Windows-based enterprise only (this seems to be your case), then why wouldn't BasicAuthentication (see my very first answer in this thread) be enough in this scenario?

    You can use SSL with Basic authentication with SL. This is probably secure enough for your case.

    Hope this helps.

    Damir

    • Marked as answer by ToreS Monday, May 4, 2009 4:48 AM
    Sunday, May 3, 2009 9:16 PM

All replies

  • Did you try to change the credentials type at the service side to 'Basic' instead of 'Windows'?
    Saturday, May 2, 2009 7:38 AM
  • Hi,
    I doubt that you cannot use Windows Authentication with Silverlight.
    Please refer to the thread below:
    http://silverlight.net/forums/t/25249.aspx
    and also just as a reference:
    http://msdn.microsoft.com/en-us/library/aa967563.aspx

    I hope this will solve your problem :) Please feel free to discuss further.
    Adil Mughal - MCP http://adilamughal.blogspot.com
    • Proposed as answer by Adil Mughal Sunday, May 3, 2009 4:42 AM
    Sunday, May 3, 2009 4:42 AM
  • Hi,
    Thanks for the replies to both of you.
    True, you can't use Windows Authentication with Silverlight, so that part is ok.

    I'm still confused, though... it may be due to lack of knowledge about WCF.
    But how is it possible to access a service which demands Windows authentication when you try to access it from an environment which does not support Windows authentication?

    Say you have created a service and you only want windows users to have access to that service...you never intended that service to be accessed by a SL application. So you simply create a SL application, and bang, you're in even if you're not a valid windows user? What am I missing here?

    -Thanks
    Sunday, May 3, 2009 7:49 PM
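
One way to check which identity the service actually receives from each client, as an added example that is not code from the thread: a self-hosted service using the binding settings quoted in the question, with an authorization manager that logs the caller and denies any call lacking an authenticated Windows identity. The names IEcho, EchoService and WindowsCallerOnly and the address http://localhost:8080/echo are assumptions made for the illustration.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical contract and service, used only for this illustration.
[ServiceContract]
public interface IEcho
{
    [OperationContract] string WhoAmI();
}

public class EchoService : IEcho
{
    // Returns the Windows account the transport authenticated for this call.
    public string WhoAmI() { return ServiceSecurityContext.Current.WindowsIdentity.Name; }
}

// Runs before every operation; returning false makes WCF deny the call.
public class WindowsCallerOnly : ServiceAuthorizationManager
{
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        ServiceSecurityContext ctx = operationContext.ServiceSecurityContext;
        WindowsIdentity id = (ctx == null) ? null : ctx.WindowsIdentity;
        bool ok = id != null && id.IsAuthenticated && !id.IsAnonymous;
        Console.WriteLine("{0} caller={1} scheme={2}", ok ? "ALLOW" : "DENY",
            ok ? id.Name : "(none)", ok ? id.AuthenticationType : "-");
        return ok && base.CheckAccessCore(operationContext);
    }
}

public static class Program
{
    public static void Main()
    {
        // Same settings as the service configuration quoted in the question.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        // Assumed address; a self-hosted HTTP listener may need a URL reservation.
        using (var host = new ServiceHost(typeof(EchoService), new Uri("http://localhost:8080/echo")))
        {
            host.AddServiceEndpoint(typeof(IEcho), binding, "");
            host.Authorization.ServiceAuthorizationManager = new WindowsCallerOnly();
            host.Open();
            Console.ReadLine(); // keep the host open until Enter is pressed
        }
    }
}
```

Calling WhoAmI from each client and comparing the console line with the account you expected shows whether a call was authenticated and under which scheme.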