confused how to add NTLM authentication to a webservice


  • hello,

    i am a bit confused how to add NTLM authentication to a webservice.

    this is what i've done so far:

    created a wcf project in vs 2010 and after renaming the default classes to NTLMService and INTLMService, edited the webconfig file this way

    <?xml version="1.0"?>
        <compilation debug="true" targetFramework="4.0" />
            <binding name="NewBehavior">
              <security mode="TransportCredentialOnly" >
                <transport clientCredentialType="Ntlm" proxyCredentialType="Ntlm" />
          <service name="NTLMService.NTLMService" behaviorConfiguration="NewBehavior">
            <endpoint address="http://localhost:19861/NTLMService.svc" binding="basicHttpBinding"
              bindingConfiguration="NewBehavior" name="Basic" contract="NTLMService.INTLMService" />
            <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
            <behavior name="NewBehavior">
              <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
              <serviceMetadata httpGetEnabled="true"/>
              <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
              <serviceDebug includeExceptionDetailInFaults="false"/>
        <serviceHostingEnvironment multipleSiteBindingsEnabled="false" />
        <modules runAllManagedModulesForAllRequests="true"/>

    now, if i call http://localhost:19861/NTLMService.svc?wsdl from the browser,

    i can see the wsdl without providing any kind of authentication, is this normal ?

    also, after creating the client and adding the webservice reference,

    i can call the GetData method without sending any security tokens.

    the question is, is the webservice secured this way ? what i am missing here ?

    thank you in advance.

    12 martie 2012 10:39

Toate mesajele

  • Yes, it is normal for you to be able to see metadata (wsdl). The wsdl basically informs a potential client of what it needs to provide to use the service and also what types of operations the service has to offer.

    If you take a closer look at your client app.config file, security will be set to none. Also, check IIS and you will probably find that Anonymous Authentication is enabled. So yes, security is not enabled at the moment.

    Check out this article for a fix:

    Read this article for a good example and explaination of NTML. (It relates to silverlight but is still relevant)

    This means that security is not enable in both service and client or just the client ?

    In the first link the user was complaining about getting null in OperationContext.Current.ServiceSecurityContext, but i am not having that problem, with proxyCredentialType set to None or Ntlm in the app.config client app.

    12 martie 2012 14:27
  • hi rupex, i thank you for trying to help, i don't know if i explained myself right, but i am not getting exceptions or errors, and it would be good to have a few, so i could have some feedback of the app...

    this shouldn't be so complicated, but its taking too much time already.

    i am just calling the webservice method and it authenticates like this, still i don't feel its secured at all.

    13 martie 2012 10:45