TransportWithMessageCredentials – I need to know who is knocking on my door.

The point to be noted here is that even though the security facts of comminication like integrity and confidentiality is taken care of by the transport we might not get enough information from the client as to “Who are you?”. Now for this case you need to add in some credentials about the clients.

It is exactly for this that the security mode of transport with message credentials might come in handy. Now when using SSL for security, mostly for IIS hosted apps you might require to send the user credentials, windows identity,username etc. This basically can be achieved by specifying the binding as follows.  

        <!– configure wsHttp binding with Transport security mode
                   and clientCredentialType as None –>
        <binding name=”Binding1″>
          <security mode=”TransportWithMessageCredential”>
            <message clientCredentialType=”Windows”/>
            <transport clientCredentialType=”None”/>

 The point is that there is no credentials required on the transport and the credentials can be send at the message level and WCF would actually identitify the windows credentials used and you can check the ServiceSecurityContext of the current operation context and obtain the identity of the user. 

The other points to be noted in this sample that shows transport security is that the certificate has to be setup on IIS. Please not that

  1. PermissiveCerticificatePolicy.Encat has to happen for the process to use the sample certs that are created by the scripts and you

  2. the same SSL certificate has to be set up.

I have modified the sample to show 2 scenarios, one with windows credentials and the other with a custom usename validator.


TransportWithMessageCredentials – UserName –

Comments (4)

  1. wjiaca says:

    Thank you for the sample code.

    I have a question: If I want to specify that some certain windows groups (defined in Active Directory) will be allowed to access the service, how do I do it in code and configuration file? which way do you suggest?

    Thanks again.


  2. Sajay says:

    The idea is to find the groups the particular claimset contains .. If you do not intend to you the membership provider and ASP.NET’s route then you probably need to check the SID’s in the claim set. You can just find the SID using the getSid.exe tools sysinternals previously had.

  3. wjiaca says:

    Thank you for your quick reply, could you please provide some samples or online resources so I can get more ideas on how to do?

    another question is: I used your sample in my local pc, works fine. then I made some changes on client, more specifically i use to the other domain user, I got error message "The caller was not authenticated by the service.", the client did not even reach the operation (for example: Add) in the service. In this case,assuming I have a fault contract defined in the service and I want to return the fault message to client, how do I get it done?

    Thanks again for your time.


  4. Chandresh Makwana says:

    Hi Sajay,

    Thanks for such valuable post. My case is a little different. That is about Silverlight 4.0 client consuming WCF services from out of browser mode with elevated permissions applied. Here I am struggling to consume the published WCF service, but always find an exception – NotFound, though I am getting the WSDL response through HTTPS URL in any browser. Also note that I have bound my website through a self signed SSL certificate created in IIS 7.5, with the help of this:…/WCFSSL.aspx. You can see my posted query here also…/458328.aspx Please let mek now if you have any solution. Thanks in advance.