Hosting a WCF service with Windows Authentication

In previous sections, we learned how to host a WCF service with Basic Authentication. As you can see, with Basic Authentication, the client has to capture the user's credentials (hardcoded, read from a configuration file, or entered by the user at a prompt), and the credentials are transported in clear text unless HTTPS is configured.

This might be an acceptable approach if the clients are outside of your domain, that is, on the Internet or an extranet. However, for intranet clients, a better approach is to use Windows Authentication, so that you don't need to capture the user's credentials; instead, you can use the user's network credential token and pass it to the WCF service. In this section, we will configure our WCF service to use this authentication mode.

As we have the IIS application and the test client for Basic Authentication ready, we will just modify them to enable Windows Authentication. We do this as follows:

  1. Go to Control Panel | Programs and Features | Turn Windows features on or off and check Windows Authentication under Internet Information Services | World Wide Web Services | Security. See the previous section in this chapter (Enabling the Basic Authentication feature) for a screenshot.
  2. Go to IIS manager | HelloWorldServiceSecure | Authentication, disable Basic Authentication, and enable Windows Authentication. If Windows Authentication is not in the list, close IIS manager and then re-open it.
  3. Start Visual Studio, open the web.config file located under the HostIISSecure folder, and change the attribute value of clientCredentialType in the binding node from Basic to Windows. Save the config file.
  4. Expand the Service References folder in the HelloWorldClientSecure project, right-click on the HelloWorldServiceRef item, and select Update Service Reference from the context menu. The service reference will be updated without asking for additional credentials; this is because we are now using Windows Authentication, thus your current login token is passed to the service.
  5. Open the client's config file App.config in the HelloWorldClientSecure project to verify that the attribute value of clientCredentialType in the binding node has been changed from Basic to Windows.
  6. Open the Program.cs file in the HelloWorldClientSecure project and change the old code in the Main method as follows:
    var client =
        new HelloWorldServiceRef.HelloWorldServiceClient();
    client.ChannelFactory.Credentials.Windows.ClientCredential = 
        System.Net.CredentialCache.DefaultNetworkCredentials;
    Console.WriteLine(client.GetMessage("Windows Authentication caller"));
  7. Run the program again and you should get an output similar to the following screenshot:
    [Screenshot: Hosting a WCF service with Windows Authentication]

This output shows that the service is now hosted with Windows Authentication and that the client is passing the user's default network credential to the service. The currently logged-in user's Windows token, instead of the user's name/password, is now transmitted over the network.
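Steps 3 and 5 both come down to checking the clientCredentialType attribute in a binding node, which can be automated across several config files. The following script is an added example, not code from the book: it parses a config, reports each binding's security mode and clientCredentialType, and flags Basic used without HTTPS. The sample config and its binding names are constructed, and it assumes the bindings use a security/transport element pair as basicHttpBinding does.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a host web.config; the binding names are hypothetical.
SAMPLE_WEB_CONFIG = """<configuration><system.serviceModel><bindings><basicHttpBinding>
  <binding name="legacyBasic">
    <security mode="TransportCredentialOnly">
      <transport clientCredentialType="Basic" />
    </security>
  </binding>
  <binding name="intranetWindows">
    <security mode="TransportCredentialOnly">
      <transport clientCredentialType="Windows" />
    </security>
  </binding>
  <binding name="basicOverHttps">
    <security mode="Transport">
      <transport clientCredentialType="Basic" />
    </security>
  </binding>
</basicHttpBinding></bindings></system.serviceModel></configuration>"""

def audit_bindings(config_xml):
    """Return (name, security mode, clientCredentialType, finding) per binding."""
    root = ET.fromstring(config_xml)
    results = []
    for binding in root.findall("./system.serviceModel/bindings/*/binding"):
        security = binding.find("security")
        transport = security.find("transport") if security is not None else None
        # Attributes left out of the config are reported as "(unset)".
        mode = security.get("mode", "(unset)") if security is not None else "(unset)"
        cred = "(unset)" if transport is None else transport.get("clientCredentialType", "(unset)")
        if cred == "Basic" and mode == "TransportCredentialOnly":
            finding = "FAIL: Basic credentials travel over HTTP without encryption"
        elif cred == "Basic":
            finding = "WARN: Basic in use; client still handles the user's password"
        elif cred == "Windows":
            finding = "OK: Windows Authentication"
        else:
            finding = "REVIEW: clientCredentialType is " + cred
        results.append((binding.get("name", ""), mode, cred, finding))
    return results

if __name__ == "__main__":
    for row in audit_bindings(SAMPLE_WEB_CONFIG):
        print("%-16s %-24s %-8s %s" % row)
```

A value such as InheritedFromHost lands in the REVIEW branch, because the effective scheme is then decided by the IIS application's authentication settings rather than by the config file.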

Note

Besides setting the attribute value of clientCredentialType to Windows or Basic in the binding node of the service web configuration file, you can also set it to InheritedFromHost, which means the WCF service will inherit the security settings of the hosting IIS application. This option will be very helpful if you would like to specify multiple authentication schemes on a single endpoint.
