In previous sections, we learned how to host a WCF service with Basic Authentication. As you can see, with Basic Authentication, the client has to capture the user's credentials (hardcoded, read from a configuration file, or entered by the user at a prompt), and the credentials are transported in clear text unless HTTPS is configured.
This might be an acceptable approach if the clients are outside of your domain, that is, from the Internet or extranet. However, for intranet clients, a better approach is to use Windows Authentication. You don't need to capture the user's credentials; instead, you can use the user's network credential token and pass it to the WCF service. In this section, we will configure our WCF service to use this authentication mode.
As we have the IIS application and the test client for Basic Authentication ready, we will just modify them to enable Windows Authentication. We do this as follows:
1. Open the web.config file located under the HostIISSecure folder, and change the attribute value of clientCredentialType in the binding node from Basic to Windows. Save the config file.
2. Open App.config in the HelloWorldClientSecure project to verify that the attribute value of clientCredentialType in the binding node has been changed from Basic to Windows.
3. Open the Program.cs file in the HelloWorldClientSecure project and change the old code in the Main method as follows:

    var client = new HelloWorldServiceRef.HelloWorldServiceClient();
    // Use the logged-in user's network credentials instead of a captured user name and password
    client.ChannelFactory.Credentials.Windows.ClientCredential =
        System.Net.CredentialCache.DefaultNetworkCredentials;
    Console.WriteLine(client.GetMessage("Windows Authentication caller"));

This output shows the service is now hosted with Windows Authentication and the client is passing the user's default network credential to the service. The currently logged-in user's Windows token, instead of the user's name/password, is now transmitted over the network.
Besides setting the attribute value of clientCredentialType to Windows or Basic in the binding node of the service web configuration file, you can also set it to InheritedFromHost, which means the WCF service will inherit the security settings of the hosting IIS application. This option will be very helpful if you would like to specify multiple authentication schemes on a single endpoint.
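
The following C# console program is an added example, not code from the original text or its sample projects. It automates the App.config verification described above: it reads the clientCredentialType of each binding from a service and a client configuration, rates each against the points made in this section, and reports a client that still requests a scheme the service no longer uses. The binding names, the Transport security mode, and the inline configuration fragments are constructed assumptions, and the class and method names are hypothetical (C# 7 or later).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

static class BindingAudit
{
    // Returns (binding name, security mode, clientCredentialType) for every
    // <binding>/<security>/<transport> element, exactly as written in the file.
    public static List<(string Name, string Mode, string Cred)> Read(string configXml) =>
        XDocument.Parse(configXml).Descendants("transport")
            .Where(t => t.Parent?.Name == "security" && t.Parent.Parent?.Name == "binding")
            .Select(t => ((string)t.Parent.Parent.Attribute("name") ?? "(unnamed)",
                          (string)t.Parent.Attribute("mode") ?? "(not set)",
                          (string)t.Attribute("clientCredentialType") ?? "(not set)"))
            .ToList();

    public static string Assess(string mode, string cred)
    {
        if (cred == "Windows") return "OK: the client neither captures nor sends a password";
        if (cred == "InheritedFromHost") return "REVIEW: scheme is set on the hosting IIS application";
        if (cred != "Basic") return "REVIEW: not one of the values discussed here";
        if (mode == "Transport") return "WARN: password is sent, protected only by HTTPS";
        if (mode == "TransportCredentialOnly") return "FAIL: password is sent in clear text over HTTP";
        return "REVIEW: Basic with security mode " + mode;
    }

    static void Main()
    {
        // Constructed samples; binding names and security modes are assumptions.
        const string template = @"<configuration><system.serviceModel><bindings><basicHttpBinding>
            <binding name='{0}'><security mode='Transport'>
              <transport clientCredentialType='{1}'/></security></binding>
          </basicHttpBinding></bindings></system.serviceModel></configuration>";
        var service = Read(string.Format(template, "secureHttpBinding", "Windows"));
        var client = Read(string.Format(template, "BasicHttpBinding_IHelloWorldService", "Basic"));

        foreach (var b in service.Concat(client))
            Console.WriteLine($"{b.Name}: {b.Mode}/{b.Cred} -> {Assess(b.Mode, b.Cred)}");

        // A client whose config was not refreshed still asks for the old scheme.
        var offered = new HashSet<string>(service.Select(s => s.Cred));
        if (!offered.Contains("InheritedFromHost"))
            foreach (var c in client.Where(x => !offered.Contains(x.Cred)))
                Console.WriteLine($"MISMATCH: client binding {c.Name} uses {c.Cred}");
    }
}
```

To check real files, pass the result of File.ReadAllText for the web.config and App.config paths to Read instead of the constructed strings.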