0

Is it necessary to create a service certificate to use custom username and password authentication? I want to authenticate my WCF service with custom username and password.

My Service web.config is as follows:

<system.serviceModel>
    <bindings>
        <wsHttpBinding>
            <binding name="NewBinding0">
                <security mode="Message">
                    <transport clientCredentialType="Basic" />
                    <message clientCredentialType="UserName" />
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>
    <services>
        <service behaviorConfiguration="WcfTest.Service1Behavior" name="WcfTest.TestService">
            <endpoint address="" binding="wsHttpBinding" contract="WcfTest.ITestService" />
            <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
        </service>
    </services>
    <behaviors>
        <endpointBehaviors>
            <behavior name="NewBehavior" />
        </endpointBehaviors>
        <serviceBehaviors>
            <behavior name="WcfTest.Service1Behavior">
                <serviceMetadata httpGetEnabled="false" />
                <serviceDebug includeExceptionDetailInFaults="false" />
                <serviceCredentials>   
                    <!-- Use our own custom validation -->
                    <userNameAuthentication userNamePasswordValidationMode="Custom"
                     customUserNamePasswordValidatorType="MyValidator,WcfTest"/>
                </serviceCredentials>
            </behavior>
        </serviceBehaviors>
    </behaviors>
</system.serviceModel>

And the client Web.config is:

<system.serviceModel>
    <bindings>
        <wsHttpBinding>
            <binding name="WSHttpBinding_ITestService" closeTimeout="00:01:00"
                     openTimeout="00:01:00" receiveTimeout="00:10:00" 
                     sendTimeout="00:01:00" bypassProxyOnLocal="false" 
                     transactionFlow="false" hostNameComparisonMode="StrongWildcard"
                     maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                     messageEncoding="Text" textEncoding="utf-8" 
                     useDefaultWebProxy="true" allowCookies="false">
                <readerQuotas maxDepth="32" maxStringContentLength="8192" 
                              maxArrayLength="16384" maxBytesPerRead="4096" 
                              maxNameTableCharCount="16384" />
                <reliableSession ordered="true" inactivityTimeout="00:10:00"
                                 enabled="false" />
                <security mode="Message">
                    <transport clientCredentialType="Windows" proxyCredentialType="None"
                               realm="" />
                    <message clientCredentialType="UserName" 
                             negotiateServiceCredential="true"
                             algorithmSuite="Default" 
                             establishSecurityContext="true" />
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>
    <client>
        <endpoint address="http://localhost:2374/Service1.svc" binding="wsHttpBinding"
                  bindingConfiguration="WSHttpBinding_ITestService" 
                  contract="ServiceReference1.ITestService"
                  name="WSHttpBinding_ITestService">
            <identity>
                <userPrincipalName value="NYSA31\abc" />
            </identity>
        </endpoint>
    </client>
</system.serviceModel>

But I am getting the following error when accessing the service.


Mohan
  • The security settings between your service and your client don't match. Your service is specifying message security, with transport set to Basic ClientCredentialType and message set to UserName ClientCredentialType, and your client is using message security with transport set to Windows ClientCredentialType. Not sure if that is the problem, but you might want to look into that area. – Tim Aug 10 '11 at 07:58
  • @Tim: Thanks for your reply. When I reference the service, by default authentication is set to Windows although I am using username as the authentication type in my service. I have made the correction to my client web.config; still the same problem is occurring. – Mohan Aug 10 '11 at 08:04
  • Because the mode is set to `Message` it doesn't matter what is configured for `Transport`'s `ClientCredentialType`. – Ladislav Mrnka Aug 10 '11 at 08:30
  • @Ladislav Mrnka - I was wondering about that, but didn't have a chance to research the answer. Does setting the mode to `Message` essentially render the `Transport` element useless? – Tim Aug 10 '11 at 10:32

1 Answer

1

WsHttpBinding demands a service certificate. WCF 4 (and older versions with a special KB) allows exposing a service authenticated with UserName and password without a certificate, but do you really want it? It means that the user name and password will go in plain text over the wire = no security, because anybody who captures the packet will be able to authenticate with the stolen credentials.

To use user name and password without a certificate you need a custom binding, or you can use ClearUserNameBinding.

Ladislav Mrnka
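The certificate-backed variant of the question's configuration, as an added example that is not part of the original posts. `CERT-SUBJECT-PLACEHOLDER` is a placeholder for the subject name of a certificate with a private key that is assumed to be installed in the service machine's `LocalMachine\My` store; all other names are taken from the question.

```xml
<!-- Service web.config: wsHttpBinding, message security, UserName credentials -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="NewBinding0">
        <security mode="Message">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <service behaviorConfiguration="WcfTest.Service1Behavior" name="WcfTest.TestService">
      <!-- bindingConfiguration ties the endpoint to NewBinding0. Without it the
           endpoint runs with the wsHttpBinding defaults (Message security with
           Windows credentials) and the UserName setting is never applied. -->
      <endpoint address="" binding="wsHttpBinding" bindingConfiguration="NewBinding0"
                contract="WcfTest.ITestService" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="WcfTest.Service1Behavior">
        <serviceCredentials>
          <!-- Service certificate: protects the UserName token in the message.
               The subject name is a placeholder (assumption). -->
          <serviceCertificate findValue="CERT-SUBJECT-PLACEHOLDER"
                              storeLocation="LocalMachine" storeName="My"
                              x509FindType="FindBySubjectName" />
          <!-- Validator type name exactly as given in the question -->
          <userNameAuthentication userNamePasswordValidationMode="Custom"
                                  customUserNamePasswordValidatorType="MyValidator,WcfTest" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>

<!-- Client Web.config, <client> section only: the expected service identity is
     the certificate's DNS name instead of a Windows userPrincipalName -->
<client>
  <endpoint address="http://localhost:2374/Service1.svc" binding="wsHttpBinding"
            bindingConfiguration="WSHttpBinding_ITestService"
            contract="ServiceReference1.ITestService" name="WSHttpBinding_ITestService">
    <identity>
      <dns value="CERT-SUBJECT-PLACEHOLDER" />
    </identity>
  </endpoint>
</client>
```

The client still has to set the user name and password on the proxy's `ClientCredentials.UserName` before the first call.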