WWSAPI to WCF Interop 7: HTTP header authentication (part 1) - comparison

Just like WCF, WWSAPI supports Basic, Digest, NTLM and Negotiate HTTP header authentication. (If you are not familiar with HTTP header authentication, you can read more about it in Nicholas Allen’s HTTP authentication post.) The two implementations are very similar, but there are also many differences. Here is a list of the differences I have collected so far.

1. While both WWSAPI and WCF provide client side header authentication on all supported platforms, the WWSAPI server side header authentication is only supported on Vista and above. This is because WWSAPI uses authentication support from HTTP API 2.0, which is not available before Vista. WCF server side header authentication is provided on all supported platforms because it uses HttpListener’s authentication support.

2. Multiple schemes can be used on a single WWSAPI endpoint, whereas a WCF endpoint only allows for a single authentication scheme.

3. WWSAPI client side supports Passport authentication while WCF does not.

4. While both WWSAPI and WCF support server authentication as well as proxy authentication, only WWSAPI supports different client credentials when both proxy authentication and server authentication are enabled with the same authentication scheme.

5. WWSAPI client side can work in a mode that would fail if the server does not do header authentication, whereas the authentication scheme on a WCF client is what the client supports, not a requirement on the server.

6. WWSAPI provides support for opaque credentials (available in Windows 7 only). With this support, credentials for a different SSP, such as the LiveID SSP, can be used as the client credential. Without opaque credential support, only Windows-based credentials can be used for HTTP header authentication.

7. The impersonation level can be set on a WCF client for header authentication, whereas a WWSAPI client doesn’t support this due to a limitation in the client HTTP stack. A WWSAPI header authentication client token always has the impersonation level SecurityImpersonation on the server side, which means that the server cannot delegate the client’s credential even if the server is trusted to do so.

8. A WCF client can set the SPN for Negotiate authentication, whereas a WWSAPI client cannot, due to a lower-level limitation. The SPN for a WWSAPI Negotiate client is derived from the hostname in the endpoint address. As a result, a WWSAPI client may not be able to authenticate to a server that requires Negotiate authentication and whose SPN is different from the one derived from the hostname.

9. Both WWSAPI and WCF support multiple authentication schemes on the client side, but a WWSAPI client can only have one credential for all the schemes, whereas a WCF client can have different credentials for Basic, Digest and NTLM/Negotiate.

10. A WWSAPI client always tries to pre-authenticate for Basic and Negotiate to gain performance (not for Digest/NTLM/Passport, due to protocol constraints), whereas a WCF client only does that for Basic authentication.
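
The WCF side of items 7 and 8, as an added example that is not code from the original post: a client that uses Negotiate header authentication, names the server's SPN explicitly, and chooses the impersonation level it grants. The `IEcho` contract, the endpoint URL and the SPN are hypothetical placeholders.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical contract, defined only so that the example compiles.
[ServiceContract]
public interface IEcho
{
    [OperationContract]
    string Echo(string text);
}

public static class HeaderAuthClient
{
    // Builds a channel factory for HTTP header authentication.
    // 'level' is the highest impersonation level the client grants the server.
    public static ChannelFactory<IEcho> Create(TokenImpersonationLevel level)
    {
        // TransportCredentialOnly: credentials travel in HTTP headers, no TLS.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);

        // Windows maps to the Negotiate scheme; the binding carries exactly
        // one scheme (item 2).
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

        // Item 8: the SPN is stated explicitly and may differ from the
        // hostname in the endpoint address (placeholder values).
        var address = new EndpointAddress(
            new Uri("http://app01.example.test:8080/echo"),
            EndpointIdentity.CreateSpnIdentity("HTTP/echo-service.example.test"));

        var factory = new ChannelFactory<IEcho>(binding, address);

        // Item 7: the client decides how far the server may act on its behalf.
        // Grant Delegation only to a server that is trusted for delegation;
        // otherwise pass Identification or Impersonation.
        factory.Credentials.Windows.AllowedImpersonationLevel = level;
        return factory;
    }
}
```

A WWSAPI client has no counterpart for either setting: its token arrives at the server as SecurityImpersonation and its SPN follows the hostname in the endpoint address.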