Objective

This document explains various combinations of IIS and WCF Ntlm/Windows authentication settings.

What is the difference between NTLM and Windows authentication in WCF?

Windows authentication = authentication in NTLM + authentication in Active Directory
NTLM authentication = authentication in NTLM only

IIS configuration

For all scenarios, IIS is configured for Windows authentication: Windows Authentication is enabled and all other authentication methods are disabled. Open the IIS ApplicationHost.Config file at the path below.

C:\Windows\System32\inetsrv\config\applicationHost.config

Binding used in the WCF service

For all scenarios, basicHttpBinding is used for the WCF service.

Scenario #1

The default setting in the IIS ApplicationHost.Config file is:

<windowsAuthentication enabled="false">
  <providers>
    <add value="Negotiate" />
    <add value="NTLM" />
  </providers>
</windowsAuthentication>

If the IIS ApplicationHost.Config file has the default setting, the WCF service can use any authentication type that corresponds to what IIS is configured for, and the service runs as expected without any error.

Note: SharePoint is running as expected

Browsers Behavior with default settings

1. IE 7.0 is not asking for authentication
2. Fire Fox 3.5.6 is asking user to authenticate
3. Safari 4.0.4 is asking user to authenticate

Scenario #2

If the IIS ApplicationHost.Config file is modified as below, forcing Windows authentication to use Kerberos, then the service has to be configured for Windows authentication.

<windowsAuthentication enabled="true">
  <providers>
    <add value="Negotiate" />
    <!--<add value="NTLM" />-->
  </providers>
</windowsAuthentication>

The WCF configuration setting for Windows authentication should be:

<basicHttpBinding>
  <binding name="BasicHttpBinding">
    <security mode="TransportCredentialOnly">
      <transport clientCredentialType="Windows"/>
    </security>
  </binding>
</basicHttpBinding>

Browsers Behavior with default settings

1. IE 7.0 is not asking for authentication
2. Fire Fox 3.5.6 is asking user to authenticate
3. Safari 4.0.4 is asking user to authenticate

Scenario #3

If the IIS ApplicationHost.Config file is modified as below, Windows authentication is forced to use NTLM:

<windowsAuthentication enabled="true">
  <providers>
    <!--<add value="Negotiate" />-->
    <add value="NTLM" />
  </providers>
</windowsAuthentication>

If we then go with Windows authentication for the service, as below, we will get an error:

<basicHttpBinding>
  <binding name="BasicHttpBinding">
    <security mode="TransportCredentialOnly">
      <transport clientCredentialType="Windows"/>
    </security>
  </binding>
</basicHttpBinding>

So, to remove the above error, the WCF configuration setting should be modified for NTLM authentication:

<basicHttpBinding>
  <binding name="BasicHttpBinding">
    <security mode="TransportCredentialOnly">
      <transport clientCredentialType="Ntlm"/>
    </security>
  </binding>
</basicHttpBinding>
Note: SharePoint is running as expected

Browsers Behavior with default settings

1. IE 7.0 is not asking for authentication
2. Fire Fox 3.5.6 is asking user to authenticate
3. Safari 4.0.4 is asking user to authenticate

So,

1. If we have ApplicationHost.Config of IIS configured as default, we can have either Ntlm or Windows authentication for the WCF service.
2. If we have ApplicationHost.Config of IIS configured as Ntlm, we can have only Ntlm authentication for the WCF service.
3. If we have ApplicationHost.Config of IIS configured as Windows, we can have only Windows authentication for the WCF service.
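
The three rules above written as a small pre-deployment check. This is an added example, not code from the original post: it reads the active providers from a windowsAuthentication fragment and the clientCredentialType from a binding fragment, then reports whether the pair matches the rules. The fragments are constructed from the scenarios above, and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed fragments modelled on the three scenarios above.
IIS = {
    "default": '<windowsAuthentication enabled="false"><providers>'
               '<add value="Negotiate" /><add value="NTLM" /></providers></windowsAuthentication>',
    "negotiate-only": '<windowsAuthentication enabled="true"><providers>'
                      '<add value="Negotiate" /><!--<add value="NTLM" />--></providers></windowsAuthentication>',
    "ntlm-only": '<windowsAuthentication enabled="true"><providers>'
                 '<!--<add value="Negotiate" />--><add value="NTLM" /></providers></windowsAuthentication>',
}
WCF = ('<basicHttpBinding><binding name="BasicHttpBinding">'
       '<security mode="TransportCredentialOnly"><transport clientCredentialType="{cred}"/>'
       '</security></binding></basicHttpBinding>')

def iis_providers(fragment):
    # Active provider names, lower-cased. ElementTree drops XML comments, so
    # commented-out <add> entries are not counted. Only the provider list is read.
    node = next(ET.fromstring(fragment).iter("windowsAuthentication"), None)
    return set() if node is None else {a.get("value", "").lower() for a in node.iter("add")}

def wcf_credential_type(fragment):
    # clientCredentialType of the first <transport> element, or None if absent.
    node = next(ET.fromstring(fragment).iter("transport"), None)
    return None if node is None else node.get("clientCredentialType")

def allowed_credential_types(providers):
    # Summary rules from the page: both providers -> either type,
    # NTLM only -> Ntlm, Negotiate only -> Windows.
    allowed = set()
    if "negotiate" in providers:
        allowed.add("Windows")
    if "ntlm" in providers:
        allowed.add("Ntlm")
    return allowed

def check(iis_fragment, wcf_fragment):
    # Returns (ok, configured credential type, sorted list of allowed types).
    cred = wcf_credential_type(wcf_fragment)
    allowed = allowed_credential_types(iis_providers(iis_fragment))
    return cred in allowed, cred, sorted(allowed)

if __name__ == "__main__":
    for name, fragment in IIS.items():
        for cred in ("Windows", "Ntlm"):
            ok, _, allowed = check(fragment, WCF.format(cred=cred))
            print(f"IIS {name:15} WCF {cred:8} {'OK' if ok else 'MISMATCH'} (allowed: {allowed})")
```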