We all know it’s not possible yet to provide credentials when calling WCF Service. I’m telling yet, because I saw some signs that we might get support for credentials.
But what about now? Yes now, because Silverlight 3 isn’t release to the web yet.
Let’s think of all those applications that are running in the Intranet Zone for example. If they are built on the .NET environment, they often make use of Windows Authentication to authenticate the user. And after that make use of the roles assigned to the user to authorize the user.
But when we are working in the Silverlight environment we don’t really have the ability to make use of the User that’s already authentication against the Active Directory. But what about the services that Silverlight is using? Well that’s basically what this article is about.
Windows Authentication on WCF
A few days ago I read an article about Windows Authentication on WCF. This article explains the different steps to get Windows Authentication on WCF very well. But for the sake of this article I will summarize the steps that are required.
- Create your WCF Service
- Ensure authentication mode is Windows by adding <authentication mode="Windows" /> to the web.config
- Create the binding in the system.servicemodel element of the web.config just like this.
<bindings> <basicHttpBinding> <binding name="BasicHttpEndpointBinding"> <security mode="TransportCredentialOnly"> <transport clientCredentialType="Windows" /> </security> </binding> </basicHttpBinding> </bindings> - Make sure the WCF service configuration makes use of the binding created in step 3 by adding the following to the endpoint element for your WCF service.
- The article mentions to disable anonymous access and enable Windows Authentcation. But to make it work on Windows Server 2008 I had to make sure anonymous access was enabled as well.
- If you want authentication to be automated you can do this easily by adding the url of your service to the local intranet zone.
- Just add a service reference like you would normally do from Silverlight.
- Create a very simple method to know if it’s working as expected. Something like:
[OperationContract] public string Hello() { // Add your operation implementation here return string.Format("Hello, {0} at {1}", HttpContext.Current.User.Identity.Name, DateTime.Now); }
<endpoint … bindingConfiguration="BasicHttpEndpointBinding" />
And yes that just works. And this enables more things as well like ask if the user is in a specific role. Basically all the things you’re used to have access to in a Windows Authenticated ASP.NET application are available.
I think at least part of the credits for this article should go to Shivprasad koirala who wrote the Code Project article I refer to.
Let’s hope the next version of Silverlight enables credentials so we can make use of different authentication scenario’s as well.
Ps. This article is cross posted on: Mark Monster’s blog and Silverlight Help.
Here is my code in my wcf service:
_
Public Function GetCurrentStaffMember() As StaffMembers
Dim userid As String = HttpContext.Current.User.Identity.Name.ToString.Substring(HttpContext.Current.User.Identity.Name.ToString.LastIndexOf("\") + 1)
'userid = System.Security.Principal.WindowsIdentity.GetCurrent.Name
'userid = userid.Substring(userid.LastIndexOf("\") + 1)
'Dim userid As String = "sb1715"
Dim staff As New StaffMembers
Dim data As New DataClass
Dim dr As DataRow = data.GetCurrentStaff(userid)
staff.BusinessUnitID = dr("BusinessUnitID")
staff.Staffid = dr("staffid")
staff.StaffName = dr("Staff")
staff.TeamID = dr("teamid")
Return staff
End Function
If you are using silverlight to do a double hop i.e. calls a service on a server that calls a database on another server then it won't work as you cannot force silverlight to use Kerboros - this is required for the second hop - as it uses ntlm.
Do you know if there is anyway round this? Have you tried this scenario before?
Thanks
Please be aware that this completely depends on the setup of the infrastructure. Standard NT networks won't let you reuse the token to the next server. You will need a Kerberos network for that. I don't know the exact details because I'm not a infrastructure specialist.
I understand the confusing. About the calling of a WCF service, we basically have no control of the exact credentials passed to this service.
Though Windows Authentication is about the user already being authenticated through the network (most of the time) and the token achieved by logon is used for Windows Authentication as well. There's no control in here from the code-level in Silverlight.
What I see quite often is that there are some 'public' services that require one specific set of credentials each time you call the service. This can't be used in conjunction with Silverlight. When you're working over the internet instead of intranet, it's even more a problem because you can't control the services you're calling.
The mex endpoint for downloading service proxies requires Anonymouse Authentication even when the Service is confgured for Winodws Authentication.
The reason you needed Anonymous Authentication was for this line in the config
endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"
The mex endpoint for downloading service proxies requires Anonymouse Authentication even when the Service is confgured for Winodws Authentication.
Security settings for this service require Windows Authentication but it is not enabled for the IIS application that hosts this service.
How can I fix it?
Hi Mark ,
I am new to silverlight , but with experience with other .Net Apps. I am interested to know, how did you implement the right hand side --continous moving stuff . I am looking for this approach for my application.
Well and good if you suggest or give me some code approach .
Thanks
Dim context As HttpContext = HttpContext.Current
If userid = "" Then
userid = context.Request.ServerVariables("AUTH_USER").Substring(context.Request.ServerVariables("AUTH_USER").LastIndexOf("\") + 1)
End If