0

Is it necessary to create a service certificate to use custom username and password authentication? I want to authenticate my WCF service with custom username and password.

My Service web.config is as follows:

    <system.serviceModel>
      <bindings>
        <wsHttpBinding>
          <binding name="NewBinding0">
            <security mode="Message">
              <transport clientCredentialType="Basic" />
              <message clientCredentialType="UserName" />
            </security>
          </binding>
        </wsHttpBinding>
      </bindings>
      <services>
        <service behaviorConfiguration="WcfTest.Service1Behavior" name="WcfTest.TestService">
          <endpoint address="" binding="wsHttpBinding" contract="WcfTest.ITestService" />
          <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
        </service>
      </services>
      <behaviors>
        <endpointBehaviors>
          <behavior name="NewBehavior" />
        </endpointBehaviors>
        <serviceBehaviors>
          <behavior name="WcfTest.Service1Behavior">
            <serviceMetadata httpGetEnabled="false" />
            <serviceDebug includeExceptionDetailInFaults="false" />
            <serviceCredentials>
              <!-- Use our own custom validation -->
              <userNameAuthentication userNamePasswordValidationMode="Custom"
                                      customUserNamePasswordValidatorType="MyValidator,WcfTest"/>
            </serviceCredentials>
          </behavior>
        </serviceBehaviors>
      </behaviors>
    </system.serviceModel>

and Client Web.config is:

    <system.serviceModel>
      <bindings>
        <wsHttpBinding>
          <binding name="WSHttpBinding_ITestService"
                   closeTimeout="00:01:00" openTimeout="00:01:00"
                   receiveTimeout="00:10:00" sendTimeout="00:01:00"
                   bypassProxyOnLocal="false" transactionFlow="false"
                   hostNameComparisonMode="StrongWildcard"
                   maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                   messageEncoding="Text" textEncoding="utf-8"
                   useDefaultWebProxy="true" allowCookies="false">
            <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                          maxBytesPerRead="4096" maxNameTableCharCount="16384" />
            <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
            <security mode="Message">
              <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
              <message clientCredentialType="UserName" negotiateServiceCredential="true"
                       algorithmSuite="Default" establishSecurityContext="true" />
            </security>
          </binding>
        </wsHttpBinding>
      </bindings>
      <client>
        <endpoint address="http://localhost:2374/Service1.svc"
                  binding="wsHttpBinding"
                  bindingConfiguration="WSHttpBinding_ITestService"
                  contract="ServiceReference1.ITestService"
                  name="WSHttpBinding_ITestService">
          <identity>
            <userPrincipalName value="NYSA31\abc" />
          </identity>
        </endpoint>
      </client>
    </system.serviceModel>

But I am getting the following error accessing the service.


4
  • The security settings between your service and your client don't match. Your service is specifying message security, with transport set to Basic ClientCredentialType and message set to UserName ClientCredentialType, and your client is using message security with transport set to Windows ClientCredentialType. Not sure if that is the problem, but you might want to look into that area. Commented Aug 10, 2011 at 7:58
  • @Tim: Thanks for your reply. When I reference the service, by default authentication is set to Windows, although I am using username as the authentication type in my service. I have made the correction to my client web.config; still the same problem is occurring. Commented Aug 10, 2011 at 8:04
  • Because the mode is set to Message, it doesn't matter what is configured for Transport's ClientCredentialType. Commented Aug 10, 2011 at 8:30
  • @Ladislav Mrnka - I was wondering about that, but didn't have a chance to research the answer. Does setting the mode to Message essentially render the Transport element useless? Commented Aug 10, 2011 at 10:32

1 Answer

1

WsHttpBinding demands a service certificate. WCF 4 (and older versions with a special KB) allows exposing a service authenticated with UserName and password without a certificate, but do you really want it? It means that the user name and password will go in plain text over the wire = no security, because anybody who captures the packet will be able to authenticate with the stolen credentials.

To use user name and password without a certificate you need a custom binding, or you can use ClearUserNameBinding.
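
The service-side configuration that the certificate requirement above implies, as an added example that is not part of the original answer or the asker's project: a `<serviceCertificate>` declared next to the custom validator so that wsHttpBinding message security can encrypt the UserName token. The subject name `WcfTestServiceCert` and the certificate store are assumed placeholders; the other names are taken from the question.

```xml
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="NewBinding0">
        <!-- Message security: the UserName token is encrypted using the
             service certificate, so it never crosses the wire in clear text -->
        <security mode="Message">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <service behaviorConfiguration="WcfTest.Service1Behavior" name="WcfTest.TestService">
      <!-- bindingConfiguration attaches the named binding to the endpoint.
           A named binding that no endpoint references is ignored, and the
           endpoint then runs with the wsHttpBinding defaults
           (message security with Windows credentials). -->
      <endpoint address=""
                binding="wsHttpBinding"
                bindingConfiguration="NewBinding0"
                contract="WcfTest.ITestService" />
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="WcfTest.Service1Behavior">
        <serviceMetadata httpGetEnabled="false" />
        <serviceDebug includeExceptionDetailInFaults="false" />
        <serviceCredentials>
          <!-- Assumed placeholder: a certificate with this subject name in
               LocalMachine\My, whose private key the service account can read -->
          <serviceCertificate findValue="WcfTestServiceCert"
                              storeLocation="LocalMachine"
                              storeName="My"
                              x509FindType="FindBySubjectName" />
          <!-- Custom validator from the question, unchanged -->
          <userNameAuthentication userNamePasswordValidationMode="Custom"
                                  customUserNamePasswordValidatorType="MyValidator,WcfTest" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```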
