NTLM Authentication in Windows Communication Foundation


I created a simple ASMX web service (VS 2K5 Beta 2) that I wanted to access from a WCF client (September CTP).  The ASMX web service is running in the ASP.Net development web server, not IIS.  I created my simple WCF client by using Add Web Reference.  It turns out that, in this scenario, the default settings of the various pieces are in conflict.  Specifically, WCF uses anonymous authentication, whereas the ASP.Net development web server uses NTLM.  Instead of trying to make the development web server support anonymous authentication, I decided to change WCF to use NTLM authentication.  This makes a good excuse to talk about the WCF configuration files.


In other words, I wanted to do the WCF equivalent of the ASMX:


service.Credentials = System.Net.CredentialCache.DefaultCredentials;


The easy way to do this is to change the authenticationScheme attribute from “Anonymous” to “Ntlm” in the custom binding that you are using. (Add Web Reference, when using the WinFX VS Extensions, automatically creates custom binding configurations in the app.config file.)  Since I knew that I would be using ASMX and therefore basic Http, however, I thought it would be more instructive to create a new binding in the app.config file.


First, I added the following endpoint:


    <endpoint address="http://localhost:5638/SimpleASMXWs/Service.asmx"
              binding="basicHttpBinding"
              bindingConfiguration="dmb1"
              contract="IndigoClient.localhost.ServiceSoap"
              configurationName="dmb"/>


Then I added the following binding:


    <basicHttpBinding>
       <binding configurationName="dmb1">
          <security mode="TransportCredentialOnly">
             <transport clientCredentialType="Ntlm"/>
          </security>
       </binding>
    </basicHttpBinding>


Some key things to note, in no particular order:



  • endpoint configurationName (ex. “dmb”) is what you pass to your constructor when you create the Indigo proxy.
  • endpoint bindingConfiguration (ex. “dmb1”) tells which binding instance to use.  It must match binding configurationName.
  • If you omit bindingConfiguration, the default settings for the binding (ex. “basicHttpBinding”) will be used.
  • security mode of “None” always uses anonymous authentication, despite what the transport clientCredentialType is set to.
  • security mode of “Transport” requires https.
  • transport clientCredentialType of “Windows” means to negotiate the authentication type with the web server.  The development web server doesn’t support this, so you have to use Ntlm.

-David
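
The rules in the list above can be checked mechanically. The following is an added example, not code from the original post or from WCF: a small Python checker run over a constructed config that reuses the post's endpoint and binding. The endpoint names "overHttp" and "typo", the binding name "tls" and the finding strings are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the post's September CTP syntax (configurationName).
# Released WCF uses name= instead, so the checker accepts either attribute.
SAMPLE = """<system.serviceModel>
  <client>
    <endpoint address="http://localhost:5638/SimpleASMXWs/Service.asmx" binding="basicHttpBinding"
              bindingConfiguration="dmb1" configurationName="dmb"/>
    <endpoint address="http://localhost:5638/SimpleASMXWs/Service.asmx" binding="basicHttpBinding"
              bindingConfiguration="tls" configurationName="overHttp"/>
    <endpoint address="http://localhost:5638/SimpleASMXWs/Service.asmx" binding="basicHttpBinding"
              bindingConfiguration="dmb2" configurationName="typo"/>
  </client>
  <bindings><basicHttpBinding>
    <binding configurationName="dmb1"><security mode="TransportCredentialOnly">
      <transport clientCredentialType="Ntlm"/></security></binding>
    <binding configurationName="tls"><security mode="Transport">
      <transport clientCredentialType="Ntlm"/></security></binding>
  </basicHttpBinding></bindings>
</system.serviceModel>"""

def _name(el):
    return el.get("configurationName") or el.get("name")

def check(config_xml):
    """Return {endpoint name: [findings]} per the rules listed in the post."""
    root = ET.fromstring(config_xml)
    # Index bindings by (binding type, configuration name), e.g. ("basicHttpBinding", "dmb1").
    bindings = {(kind.tag, _name(b)): b for bs in root.iter("bindings")
                for kind in bs for b in kind.findall("binding")}
    report = {}
    for ep in root.iter("endpoint"):
        notes = report.setdefault(_name(ep), [])
        ref = ep.get("bindingConfiguration")
        if ref is None:
            notes.append("binding defaults in effect")
            continue
        b = bindings.get((ep.get("binding"), ref))
        if b is None:
            notes.append("bindingConfiguration matches no binding")
            continue
        sec = b.find("security")
        mode = sec.get("mode") if sec is not None else None
        https = ep.get("address", "").lower().startswith("https://")
        if mode == "None" and b.find("security/transport") is not None:
            notes.append("clientCredentialType ignored: mode None is anonymous")
        if mode == "Transport" and not https:
            notes.append("mode Transport requires https")
        if mode == "TransportCredentialOnly" and not https:
            notes.append("authenticated but not encrypted: plain http")
    return report
```

The last finding reflects what TransportCredentialOnly means: the client authenticates at the HTTP layer, but the exchange itself gets no transport confidentiality or integrity.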

Comments (9)

  1. Yesterday, I talked about building a simple Windows Communication Foundation client which communicated…

  2. Rekha says:

    I have created one WCF service with basic binding in IIS 5.1 on Windows XP,

    but when I tried to run it on a 2003 server with IIS, it is not running. Also, when I tried to run it there in VS2005, it gives me the error that

    The HTTP request is unauthorized with client authentication scheme ‘Anonymous’. The authentication header received from the server was ‘NTLM’.

    How to solve this problem?

    One more doubt: there in 2003 they are using IIS 5; does it support WCF?

  4. Duncan says:

    Hi David,

    Trying to do the same thing.  Have just upgraded my Workflow from webservices to WCF.  I am using wsHttpContextBinding as this is a workflow, although wsHttpContextBinding inherits from wsHttpBinding (the method you use), you cannot use ‘TransportCredentialOnly’ it simply does not parse the enum value for this type.  Very frustrating as I need my client app to call the WCF .svc but I can’t use anonymous.

    Have you any ideas?  it seems google is not turning anything up for me on this one!

    -Duncan

  5. Chris Knoll says:

    Duncan,

    TransportCredentialOnly is only available in basicHttpBinding (not wsHttpBinding as you probably have by default).  Change the binding type and you’ll find that you can specify TransportCredentialOnly.

    -Chris

  6. Rohit Iyer says:

    Great work……….helped me big time……..

  7. Taras says:

    Hello,

    I am stuck with the same issue trying to access an old ASMX service from a WCF client. But the third-party ASMX service requires an HTTPS connection, which is not allowed for the configuration that you have presented. Maybe anybody knows how to fix it?

    Thanks,

    Taras

  8. David says:

    What about doing this for wsHttpBinding – I notice everyone (other sites) talking strictly about using basicHttpBinding; however, I want to use wsHttpBinding. Anyone have (well defined) instructions on how one would do this? Thanks –

  9. Neven says:

    Thanks, i added this section and it worked fine

    <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Ntlm"/>
    </security>

    Thanks,