NTLM Authentication in Windows Communication Foundation

I created a simple ASMX web service (VS 2K5 Beta 2) that I wanted to access from a WCF client (September CTP).  The ASMX web service is running in the ASP.Net development web server, not IIS.  I created my simple WCF client by using Add Web Reference.  It turns out that, in this scenario, the default settings of the various pieces are in conflict.  Specifically, WCF uses anonymous authentication, whereas the ASP.Net development web server uses NTLM.  Instead of trying to make the development web server support anonymous authentication, I decided to change WCF to use NTLM authentication.  This makes a good excuse to talk about the WCF configuration files.

In other words, I wanted to do the WCF equivalent of the ASMX:

    service.Credentials = System.Net.CredentialCache.DefaultCredentials;

The easy way to do this is to change the authenticationScheme attribute from "Anonymous" to "Ntlm" in the custom binding that you are using. (Add Web Reference, when using the WinFX VS Extensions, automatically creates custom binding configurations in the app.config file.)  Since I knew that I would be using ASMX and therefore basic Http, however, I thought it would be more instructive to create a new binding in the app.config file.

First, I added the following endpoint:

    <endpoint address="https://localhost:5638/SimpleASMXWs/Service.asmx"
              binding="basicHttpBinding"
              bindingConfiguration="dmb1"
              contract="IndigoClient.localhost.ServiceSoap"
              configurationName="dmb"/>

Then I added the following binding:

    <basicHttpBinding>
      <binding configurationName="dmb1">
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Ntlm"/>
        </security>
      </binding>
    </basicHttpBinding>

Some key things to note, in no particular order:

  • endpoint configurationName (ex. "dmb") is what you pass to your constructor when you create the Indigo proxy.
  • endpoint bindingConfiguration (ex. "dmb1") tells which binding instance to use. It must match binding configurationName.
  • If you omit bindingConfiguration, the default settings for the binding (ex. "basicHttpBinding") will be used.
  • security mode of "None" always uses anonymous authentication, regardless of what the transport clientCredentialType is set to.
  • security mode of "Transport" requires https.
  • transport clientCredentialType of "Windows" means to negotiate the authentication type with the web server. The development web server doesn't support this, so you have to use Ntlm.

-David
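The notes above can be turned into a configuration check. This is an added example, not code from the original post: it applies the matching, default, "None" and "Transport" rules to a constructed config. The wrapper elements, the sample addresses and the function name `check_config` are assumptions; the attribute names follow the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample; wrapper elements are assumed, attribute names follow the post.
SAMPLE = """<configuration><system.serviceModel><client>
  <endpoint address="http://localhost:8080/Service.asmx" binding="basicHttpBinding"
            bindingConfiguration="dmb1" configurationName="ok"/>
  <endpoint address="http://localhost:8080/Service.asmx" binding="basicHttpBinding"
            bindingConfiguration="dmb2" configurationName="typo"/>
  <endpoint address="http://localhost:8080/Service.asmx" binding="basicHttpBinding"
            bindingConfiguration="anon" configurationName="ignored"/>
  <endpoint address="http://localhost:8080/Service.asmx" binding="basicHttpBinding"
            bindingConfiguration="tls" configurationName="nohttps"/>
  <endpoint address="http://localhost:8080/Service.asmx" binding="basicHttpBinding"
            configurationName="defaults"/>
</client><bindings><basicHttpBinding>
  <binding configurationName="dmb1"><security mode="TransportCredentialOnly">
    <transport clientCredentialType="Ntlm"/></security></binding>
  <binding configurationName="anon"><security mode="None">
    <transport clientCredentialType="Ntlm"/></security></binding>
  <binding configurationName="tls"><security mode="Transport">
    <transport clientCredentialType="Ntlm"/></security></binding>
</basicHttpBinding></bindings></system.serviceModel></configuration>"""

def check_config(xml_text):
    """Return {endpoint configurationName: [findings]} for the rules in the notes."""
    root = ET.fromstring(xml_text)
    # Index binding instances as (binding type, configurationName) -> <binding> element.
    bindings = {(parent.tag, b.get("configurationName")): b
                for parent in root.iter() for b in parent.findall("binding")}
    report = {}
    for ep in root.iter("endpoint"):
        findings = report.setdefault(ep.get("configurationName"), [])
        ref = ep.get("bindingConfiguration")
        if ref is None:
            findings.append("no bindingConfiguration: binding defaults apply")
            continue
        binding = bindings.get((ep.get("binding"), ref))
        if binding is None:
            findings.append("bindingConfiguration matches no binding configurationName")
            continue
        security = binding.find("security")
        mode = security.get("mode") if security is not None else None
        transport = security.find("transport") if security is not None else None
        cred = transport.get("clientCredentialType") if transport is not None else None
        if mode == "None" and cred is not None:
            findings.append("mode None: clientCredentialType %s is ignored, anonymous is used" % cred)
        if mode == "Transport" and not ep.get("address", "").lower().startswith("https://"):
            findings.append("mode Transport requires an https address")
    return report
```

Calling `check_config(SAMPLE)` returns an empty list for the "ok" endpoint and one finding for each of the other four.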