Passing Client Credentials to WCF Service

  • Question

  • Hey Guys,

     

    The setting of client credentials has obviously changed in the WCF world. Does anyone know how I can replicate the old ASMX behaviour of setting the DefaultCredentials in a WSHTTP WCF service?

    I.E. Credentials = System.Net.CredentialCache.DefaultCredentials;

    I really don't want to do this;

    proxy.ClientCredentials.Windows.ClientCredential.UserName = "MyUser";
    proxy.ClientCredentials.Windows.ClientCredential.Domain = "MyDomain";
    proxy.ClientCredentials.Windows.ClientCredential.Password = "MyPassword";


    Thanks for any help.
    Thursday, April 24, 2008 12:45 AM

Answers

  • If you are trying to use Windows authentication (not WS-Security username+password) and need to pass identity credentials to your WCF service (IIS integrated/basic authN style), then configure your endpoint to use transport credentials of type "Windows". To do this in code for basicHttpBinding:

     

    BasicHttpBinding basicHttpBinding = new BasicHttpBinding();
    basicHttpBinding.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
    basicHttpBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

    EndpointAddress endpoint = new EndpointAddress("http://kjellsj.blogspot.com/myWindowsAuthN");

    List.ListsSoapClient client = new ConsoleApplication1.List.ListsSoapClient(basicHttpBinding, endpoint);
    client.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;
    client.ChannelFactory.Credentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultNetworkCredentials;


    Saturday, April 26, 2008 12:10 PM

All replies

    • Proposed as answer by Igor_Podsekin Thursday, May 5, 2011 7:12 PM
    Thursday, April 24, 2008 1:35 PM
  • Thanks very much for your help.
    Monday, June 2, 2008 5:27 AM
  • That might work with NTLM, but it won't with Kerberos which will deny the credentials (passing a home-made NetworkCredential with usr/pwd/domain will work though). With AllowNtlm=false I get this error:

    "The requirement for mutual authentication was not met by the remote server."

    Try this one out:


    BasicHttpBinding basicHttpBinding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
    basicHttpBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
    reportService = new ReportingService2005SoapClient(basicHttpBinding, new EndpointAddress(reportServerUrl));

    reportService.ClientCredentials.Windows.AllowNtlm = false;
    reportService.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
    reportService.ChannelFactory.Credentials.Windows.ClientCredential =
        CredentialCache.DefaultNetworkCredentials;
    Tuesday, July 8, 2008 2:05 PM
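
    An added example, not code from either poster: the Windows-credential client setup from the replies above wrapped in one helper that also picks the security mode from the URL scheme, because TransportCredentialOnly over http:// authenticates the caller but leaves the message itself unencrypted. The class name, method name and the allowCleartext and level parameters are assumptions; TContract stands for your generated service contract.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical helper; names and parameters are illustrative, not from the thread.
public static class WindowsAuthClient
{
    public static ChannelFactory<TContract> Create<TContract>(
        Uri serviceUri,
        bool allowCleartext = false,
        TokenImpersonationLevel level = TokenImpersonationLevel.Identification)
    {
        bool https = serviceUri.Scheme == Uri.UriSchemeHttps;
        if (!https && !allowCleartext)
            throw new ArgumentException(
                "http:// endpoint: the caller is authenticated but the payload is not encrypted.",
                nameof(serviceUri));

        // https -> Transport (TLS plus Windows authentication);
        // http  -> TransportCredentialOnly (Windows authentication only).
        var binding = new BasicHttpBinding(https
            ? BasicHttpSecurityMode.Transport
            : BasicHttpSecurityMode.TransportCredentialOnly);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

        var factory = new ChannelFactory<TContract>(binding, new EndpointAddress(serviceUri));

        // Identity the process is already running as: the WCF counterpart of the
        // ASMX DefaultCredentials assignment, with no user name or password in code.
        factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;

        // Identification lets the service authenticate and authorize the caller.
        // Pass Impersonation only when the service must act as the caller.
        factory.Credentials.Windows.AllowedImpersonationLevel = level;
        return factory;
    }
}
```

    Call it as WindowsAuthClient.Create<IMyService>(new Uri("https://...")).CreateChannel(), where IMyService is a placeholder for the contract interface.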
  • @Mads Nissen This is the code block I have been searching for for a week now.... :) :)
    Friday, October 2, 2009 4:02 AM
  • Thank you Kjellsj,

    For three days I have been struggling to provide Windows credentials to my server through the client, but failed. Finally, after reading this post, I made it. Thank you so much.

    Thank you.

    MANIKANTA

    Friday, June 28, 2013 10:47 AM
  • Hi,

    I am working on certificate security. I created a server and hosted it in IIS. When I try to access the services through the client I get the following exception:

    "Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'minint-7mde6d9.fareast.corp.microsoft.com' but the remote endpoint provided DNS claim 'tempCertServer'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'tempCertServer' as the Identity property of EndpointAddress when creating channel proxy."

    My client configuration is as follows :

    var bindwsHttp = new WSHttpBinding();
    bindwsHttp.Security.Mode = SecurityMode.Message;
    bindwsHttp.Security.Message.NegotiateServiceCredential = false;
    bindwsHttp.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

    dynamic obj = Activator.CreateInstance(service, bindwsHttp, endpointaddress);

    // server certificate information.
    obj.ClientCredentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "e520069fafe87b2630137858af823ee44f729762");
    obj.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.PeerOrChainTrust;

    // client certificate information.
    obj.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "53b5be439a5b62421c5607e279ec78517b16cd8c");

    I am unable to figure out where I made the mistake. Please help me in tracing out my error.

    Thank you.

    MANIKANTA

    Monday, July 1, 2013 5:05 PM
  • Set the DNS name; this will work. The certificate's CN name and the service host name should be the same, otherwise you will get the above error.

    Specify it as below inside the endpoint configuration. It will work.

    <identity>
        <dns value="<DNS name>"/>
    </identity>

    Saturday, August 24, 2013 11:10 AM
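
    The same identity setting made in code, which is what the exception text itself suggests ("the Identity property of EndpointAddress"); this is an added example, not code from either poster. The class and method names are assumptions, TContract stands for the service contract, and the validation mode is the one used in the question.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical helper; names are illustrative, not from the thread.
public static class CertificateClient
{
    public static ChannelFactory<TContract> Create<TContract>(
        Uri serviceUri,            // URL the client connects to
        string certificateDnsName, // DNS claim of the service certificate, e.g. "tempCertServer"
        string serviceThumbprint,
        string clientThumbprint)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.NegotiateServiceCredential = false;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

        // Without an explicit identity WCF expects the certificate's DNS claim to
        // equal the host name in serviceUri. Stating the identity here tells WCF
        // which DNS claim the service certificate must carry; the call still
        // fails if the service presents a certificate with any other claim.
        var address = new EndpointAddress(
            serviceUri, EndpointIdentity.CreateDnsIdentity(certificateDnsName));

        var factory = new ChannelFactory<TContract>(binding, address);

        // Service certificate: known up front because negotiation is disabled.
        factory.Credentials.ServiceCertificate.SetDefaultCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindByThumbprint, serviceThumbprint);
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerOrChainTrust;

        // Client certificate presented to the service.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindByThumbprint, clientThumbprint);

        return factory;
    }
}
```

    The identity check is what ties the endpoint you dialled to the certificate you trust, so set the DNS name to the value the certificate really carries rather than switching the check off; issuing a certificate whose subject matches the host name removes the need for the override.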
  • Thanks!

    I use ...

    binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
    binding.Security.Transport.ProxyCredentialType = HttpProxyCredentialType.Windows;

    Thanks very much for your help.

    Tuesday, May 15, 2018 8:30 PM