WCF Security Issue

Discussion in 'ASP .Net Security' started by Rafia Tapia, May 9, 2009.

  1. Rafia Tapia

    Rafia Tapia Guest

    I have written a WCF service that is hosted in a console application. The
    client is a asp.net application. I am exposing two endpoint, one is using
    wshttpbinding and other is using nettcpbinding. Both are listening on
    different ports and have the defualt bindings. So my understanding is that
    with wshttpbinding, I will get message security and with tcp I would get
    transport securtiy. My code works fine when both the client and server are
    run on the same machine but when the client is running on a remote machine
    it gives me the following error

    "The caller was not authenticated by the service. "

    Below is the app.config of the host running the service

    <binding name="BasicHttpBinding">
    <security mode="Message">
    <transport clientCredentialType="Basic" />
    <service behaviorConfiguration="MyService1Behavior"
    <endpoint address="ServiceViaWindowAuthHttp" binding="wsHttpBinding"
    name="HttpWindowAuthSPObjRetrieval" contract="IObjRetrievalService"
    <endpoint address="ServiceViaWindowAuthTcp" binding="netTcpBinding"
    name="TCPWindowAuthSPObjRetrieval" contract="IObjRetrievalService" />
    <endpoint address="ServiceViaBasicAuthHttp" binding="wsHttpBinding"
    bindingConfiguration="BasicHttpBinding" name="HttpBasicAuthSPObjRetrieval"
    contract="IObjRetrievalService" />
    <add baseAddress="http://my-server:11021" />
    <add baseAddress="net.tcp://my-server:11052" />
    <behavior name="MyService1Behavior">
    <serviceMetadata httpGetEnabled="True"/>
    <serviceDebug includeExceptionDetailInFaults="true" />

    Below is the client code

    WSHttpBinding bindingElement = new WSHttpBinding(SecurityMode.Message);
    proxy = new ObjRetrievalServiceClient(bindingElement, new

    What I want is that if on the login screen the user indicate that his
    current login credentials should be use then he does not need to supply
    username and password and in that scenario the first endpoint( on the server
    config) will be used but if the user indicate userid/password on the login
    form then the client app should communicate with the server by using the
    third endpoint(server config). Since this application will be running in our
    intranet, it makes sense to do a single sign on and the identity associated
    with window login should be use for service authentication.
    Can please help me and point me in some direction of what I am doing wrong.
    Rafia Tapia, May 9, 2009
    1. Advertisements

  2. Rafia Tapia

    Steven Cheng Guest

    Hi Rafia,

    From your description, I understand that you're encountering some problem
    with WCF application that will authenticate the user via windows
    authentication, correct?

    Based on the service configuration and problem scenario you described. Here
    are something I'd like to confirm with you:

    ** Is your WCF service (in the intranet environment) designed to use domain
    account for remote client-server authentication?

    ** Are both of netTcp and wsHttpBinding required to be used in your service
    or they are involved just because you want to utilize both message layer
    and transport layer security?

    As far as I know, both wsHttpbinding and netTcpBinding support message
    layer and transport layer security(you can and you're recommended to
    explicitly configure them to use a definite security mode). Therefore, for
    your scenaro here, I think you can consider the following service design
    and configuration:

    ** just use wsHttpBinding or netTcpBinding(only one of them) and configure
    the binding to use "Message" security with "Windows" client credential

    Then, for your WCF client, you can use the current logon user's credential
    or explicitly generate a network credential via username&password(depend on
    the user selection).

    for example, here is a test service I've used on my side(the app.config

    ===========service app.config==========
    <behavior name="ServiceApp.HelloWorldServiceBehavior">
    <serviceMetadata httpGetEnabled="true" />
    <serviceDebug includeExceptionDetailInFaults="true" />
    <endpoint address="Default" binding="wsHttpBinding"
    <dns value="localhost" />

    baseAddress="http://localhost:8731/HelloWorldService/" />

    <binding name="messageLayerWSBinding" >
    <security mode="Message" >
    <message clientCredentialType="Windows"/>

    and the following client code invoke the service and supply the client
    windows crediential diferently according to the user selection

    #explicitly generate a NetworkCredential depend on whether current
    credential will be used or not.
    =======client -side code for invoking=========
    private void btnInvoke_Click(object sender, EventArgs e)
    HelloWorldSVC.HelloWorldServiceClient client = new

    if (chkUseCurrent.Checked)
    client.ClientCredentials.Windows.ClientCredential =
    client.ClientCredentials.Windows.ClientCredential = new
    NetworkCredential(txtUsername.Text, txtPassword.Text);

    string ret = client.HelloWorld();
    catch (Exception ex)


    And here is a MSDN reference sample on how to use message layer with
    windows credentials.

    #Message Security with a Windows Client

    If necessary, I can send you the entire test solution package. If you have
    any specifc questions, please feel free to post here.


    Steven Cheng

    Microsoft MSDN Online Support Lead

    Delighting our customers is our #1 priority. We welcome your comments and
    suggestions about how we can improve the support we provide to you. Please
    feel free to let my manager know what you think of the level of service
    provided. You can send feedback directly to my manager at:

    Get notification to my posts through email? Please refer to

    Note: MSDN Managed Newsgroup support offering is for non-urgent issues
    where an initial response from the community or a Microsoft Support
    Engineer within 2 business day is acceptable. Please note that each follow
    up response may take approximately 2 business days as the support
    professional working with you may need further investigation to reach the
    most efficient resolution. The offering is not appropriate for situations
    that require urgent, real-time or phone-based interactions. Issues of this
    nature are best handled working with a dedicated Microsoft Support Engineer
    by contacting Microsoft Customer Support Services (CSS) at
    This posting is provided "AS IS" with no warranties, and confers no rights.

    Steven Cheng, May 11, 2009
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.