I am new to adding security to a WCF service. I have developed a REST-based WCF service which works fine.

This service is consumed by HTTP POST (outside the domain). I need to incorporate domain (AD) authentication.

How can I incorporate AD authentication in WCF? Additionally, what AD-related details should I be asking the client for? Please guide me.

Updated:

  1. Added authenticationScheme="Negotiate" to httpTransport.
  2. Hosted service in IIS & disabled Anonymous authentication. Also tried enabling Forms authentication.
  3. At the WCF client, passing domain/id/pwd like: webrequest.Credentials = new NetworkCredential("user", "userpwd", "domain");

I am getting HTTP Error 401.2 - Unauthorized. You are not authorized to view this page due to invalid authentication headers.

Am I missing something?

user1480864

1 Answer

You need to add a binding configuration in your WCF web.config:

<bindings>
  <basicHttpBinding>
    <binding name="SecurityByTransport">
      <security mode="Transport">
        <transport clientCredentialType="Windows" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>

You can read more about it here:

http://msdn.microsoft.com/en-us/library/ms733089(v=vs.110).aspx

For JavaScript AJAX calls you can follow this recommendation:

Cross domain jQuery ajax call with credentials

Dalorzo
  • As I mentioned, the service is hosted outside the domain & would be accessed via HTTP. So how would the client provide authentication details (user id/pwd)? Is that all (adding config to my WCF) I have to do to make it work? – user1480864 May 13 '14 at 03:26
  • That is achieved with an attribute in your call http://stackoverflow.com/q/13954080/1959948 – Dalorzo May 13 '14 at 03:30
  • Need to enable SSL for AD authentication? – user1480864 May 13 '14 at 03:39
  • For WCF yes... there is a way around it but it is easier to add the SSL – Dalorzo May 13 '14 at 03:44
  • The service is hosted on some domain. The client to consume this app is developed by another vendor & will call the service via http (don't know whether via ajax or httpwebrequest). I've tested with httpwebrequest though. How will I provide authentication details? I am still skeptical on this though... – user1480864 May 13 '14 at 03:48
  • I read many articles on this and see different things & implementations. Do I need to consider "impersonation" as the service reads a local file on the server for logging? Btw, this currently works without any issues – user1480864 May 13 '14 at 05:36
  • BTW, as the service has to accept xml as input, I am using a custom binding. How can I incorporate . It is not supported. Any alternative? – user1480864 May 14 '14 at 03:26
  • Transport means using SSL/https over port 443 normally – Dalorzo May 14 '14 at 11:52
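A fuller web.config for the REST case discussed in this thread, as an added example that is not from the original question or answer. It shows Windows credentials over SSL on a webHttpBinding, the same setting on a customBinding, and the matching IIS authentication settings. The service, contract, binding and behavior names are placeholders, and it assumes the IIS site already has an HTTPS binding and the Windows Authentication feature installed.

```xml
<configuration>
  <system.serviceModel>
    <bindings>
      <!-- Option A: webHttpBinding is the REST counterpart of basicHttpBinding. -->
      <webHttpBinding>
        <binding name="RestWindowsOverTls">            <!-- placeholder name -->
          <security mode="Transport">                  <!-- HTTPS only -->
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </webHttpBinding>
      <!-- Option B: with a customBinding, authentication is set on the
           transport element. httpsTransport keeps the credentials exchange
           inside TLS; manualAddressing is required by the webHttp behavior. -->
      <customBinding>
        <binding name="RestCustomWindowsOverTls">      <!-- placeholder name -->
          <webMessageEncoding />
          <httpsTransport authenticationScheme="Negotiate"
                          manualAddressing="true" />
        </binding>
      </customBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="RestBehavior">                 <!-- placeholder name -->
          <webHttp />
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <services>
      <service name="Example.RestService">             <!-- placeholder type -->
        <!-- Use bindingConfiguration="RestCustomWindowsOverTls" with
             binding="customBinding" to pick Option B instead. -->
        <endpoint address="" binding="webHttpBinding"
                  bindingConfiguration="RestWindowsOverTls"
                  behaviorConfiguration="RestBehavior"
                  contract="Example.IRestService" />   <!-- placeholder type -->
      </service>
    </services>
  </system.serviceModel>
  <!-- IIS must offer the scheme the binding asks for. These sections are
       often locked at server level; if so, set them in IIS Manager. -->
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

When the service is hosted in IIS, the authentication schemes enabled on the site have to match what the binding requests, so the binding and the `system.webServer` settings should be changed together.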