Silverlight 4 – Credentials, we’ve got it!

image I’ve been writing on Credentials in context of Silverlight for some time now. I didn’t like the options that were available to secure services and allow integration with Silverlight. For some history search for “credentials” on my blog.

July 2008 – Silverlight 2 – A series of articles on possible (failed) work-arounds for getting Credentials in Silverlight.

March 2009 – Silverlight 3 – WebClient, WebRequest and WCF calls using Credentials?

July 2009 – Silverlight 3 – Did we get support for Credentials?


In Silverlight 3 we already got the property Credentials on both WebClient and WebRequest. But sadly there still was no implementation available. After the launch of Silverlight 3 Tim Heuer already commented that the feature for credentials was being considered for future versions. Very nice, specially because we finally got it in Silverlight 4 (beta).

Support for Credentials has come to the ClientHttp stack, so you must make sure you register the http prefix to be using ClientHttp stack.

WebRequest.RegisterPrefix("http://", System.Net.Browser.WebRequestCreator.ClientHttp);

Besides that we also need to make sure that we set the property UseDefaultCredentials to false. Depending on whether you make use of a WebRequest or use a WebClient it will look like this.

request.UseDefaultCredentials = false;

WebRequest with Credentials

When you want do a simple webrequest to a url that’s secured using credentials this can look like this.

private void DoWebRequestWithCredentials()
    WebRequest.RegisterPrefix("http://", System.Net.Browser.WebRequestCreator.ClientHttp);
    var request = WebRequest.Create(new Uri("")) as HttpWebRequest;
    request.Credentials = new NetworkCredential("username", "password");
    request.UseDefaultCredentials = false;
    request.BeginGetResponse(ResponseCallBack, request);

private void ResponseCallBack(IAsyncResult ar)
    var request = ar.AsyncState as HttpWebRequest;
    var response = request.EndGetResponse(ar) as HttpWebResponse;
    using(var reader = new StreamReader(response.GetResponseStream()))
        string result = reader.ReadToEnd();

WebClient with Credentials

The WebClient has the same properties. Works same as providing credentials to a WebRequest, that’s really nice.

private void DoWebClientDownloadWithCredentials()
    WebRequest.RegisterPrefix("http://", System.Net.Browser.WebRequestCreator.ClientHttp);
    var client = new WebClient();
    client.Credentials = new NetworkCredential("username", "password");
    client.UseDefaultCredentials = false;
    client.DownloadStringCompleted += new DownloadStringCompletedEventHandler(client_DownloadStringCompleted);
    client.DownloadStringAsync(new Uri(""));

private void client_DownloadStringCompleted(object sender, DownloadStringCompletedEventArgs e)
    string result = e.Result;


Sadly during tryout I didn’t find the credentials property to be part of ClientBase<T>. So for WCF we still have to wait some time to get credentials, or will it be part of final Silverlight 4?

What happens when you provide the wrong credentials?

I tried to make a webrequest with the wrong credentials. I expected an exception similar to “Unauthorized”, but instead I received a WebException with the message “The remote server returned an error: NotFound.”. I hope the team changes this to a more meaning full exception, because this makes debugging very hard.

  • Gravatar Nik December 3rd, 2009 at 16:30
    Excelent article. I copy/pasted your code, zipped the project and put it here: It gives me the following error:

    {System.Security.SecurityException: Security error.
    at System.Net.Browser.ClientHttpWebRequest.InternalEndGetResponse(IAsyncResult asyncResult)
    at System.Net.Browser.ClientHttpWebRequest.c__DisplayClass5.b__4(Object sendState)
    at System.Net.Browser.AsyncHelper.c__DisplayClass2.b__0(Object sendState)}

    Then I copied the second example, put it at, it gives this exception:
    {System.Security.SecurityException: Security error.
    at System.Net.Browser.ClientHttpWebRequest.InternalEndGetResponse(IAsyncResult asyncResult)
    at System.Net.Browser.ClientHttpWebRequest.c__DisplayClass5.b__4(Object sendState)
    at System.Net.Browser.AsyncHelper.c__DisplayClass2.b__0(Object sendState)}

    Any idea what I'm doing very different from what you're doing?


  • Gravatar Nik December 3rd, 2009 at 16:49
    To follow up with a quick PS, I thought perhaps it could be because was missing, but I've tried using my own server, and here it first gets clientaccesspolicy.xml, and then it fails with the TargetInvocationException that has the inner-exception:

    {System.Security.SecurityException ---&gt; System.Security.SecurityException: Security error.
    at System.Net.Browser.ClientHttpWebRequest.InternalEndGetResponse(IAsyncResult asyncResult)
    at System.Net.Browser.ClientHttpWebRequest.c__DisplayClass5.b__4(Object sendState)
    at System.Net.Browser.AsyncHelper.c__DisplayClass2.b__0(Object sendState)
    --- End of inner exception stack trace ---
    at System.Net.Browser.AsyncHelper.BeginOnUI(SendOrPostCallback beginMethod, Object state)
    at System.Net.Browser.ClientHttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
    at System.Net.WebClient.GetWebResponse(WebRequest request, IAsyncResult result)
    at System.Net.WebClient.DownloadBitsResponseCallback(IAsyncResult result)}


  • Gravatar Mark December 7th, 2009 at 17:29
    Why would we want this? I assume just when not using an Intranet? Does the username and password go across the network in plain text?
  • Gravatar Mark Monster December 7th, 2009 at 21:20
    Hi Mark,

    There can be a lot of different reasons why you would want to use this.

    For example:
    - Some web API's make use of Basic Authentication for the authentication part.
    - Your webservices are built on a completely different platform, and authentication is done using Basic Authentication.

    Yes it is send as plain text when you're connecting to a HTTP address. But remember this is exactly the same as logging in to a normal webapplication that's running on HTTP. If you want it secure you can make use of HTTPS.

    One of the examples I'm thinking of is like this: an Silverlight application that can run out of browser but communicates with a Sharepoint List over the Internet. In that case I would use Basic Authentication over an HTTPS connection to authenticate the user in Sharepoint.

    Does this explain it a little bit more Mark?
  • Gravatar Scott March 30th, 2010 at 17:46
    I am getting a SecurityException when attempting to use the HttpWebRequest to do a PUT or DELETE in SL4, I have a server side client access policy file at the root. I have tested the Service with Fiddler and everything works as expected. Is there still no support for these verbs in SL4?
    Looking to do PUT and DELETE's with credentials as well.

  • Gravatar Parvez August 24th, 2011 at 23:01
    Hi Scott,
    As mentioned above i have an SilverLight application that run out of browser but communicates with a SharePoint List over the Internet. And SharePoint site has windows authentication. How should i authenticate user progammatically (Custom silverlight login box with username/pwd/domain) and set the credentials.
  • Gravatar xaero November 7th, 2012 at 10:50
    Hi Marc,

    How do you upload file with ftp login and password in silverlight?

    I try this :

    string filePath = “”;
    string ftpUser = “login”;
    string ftpPassword = “password”;

    Uri ftpURI = new Uri(HtmlPage.Document.DocumentUri, String.Format(“FTPHandler.aspx?ftpFilepath={0}&user={1}&pwd={2}”, filePath, ftpUser, ftpPassword));
    WebClient Client = new WebClient();
    Client.Credentials = new System.Net.NetworkCredential(“login”, “password”);
    Client.DownloadStringCompleted += new DownloadStringCompletedEventHandler(Client_DownloadStringCompleted);

    Thank you
  • Gravatar home care solutions May 28th, 2014 at 01:20
    Wow, that's what I was seeking for, what a stuff! present here at this webpage,
    thanks admin of this website.
  • Gravatar ray ban 3025 June 19th, 2014 at 03:49
    Ehemalige Bethlehem College-Student David Fellows hat sich in den Absturz, der drei Neuseel盲nder in Kenia, mit den Ermittlern sagte, er sei nicht der Fahrer get枚tet gel枚scht wurde.
  • Gravatar seo company July 2nd, 2014 at 09:46
    Fantastic beat ! I wish to apprentice while you amend your website, how could i
    subscribe for a blog site? The account helped me a acceptable
    deal. I had been a little bit acquainted of
    this your broadcast offered bright clear concept
  • If some one wants expert view on the topic of
    blogging and site-building then i propose him/her to go
    to see this web site, Keep up the good work.
  • Gravatar Super Discount Auto Glass July 26th, 2014 at 00:06
    Genuinely when someone doesn't know afterward its up to other users
    that they will assist, so here it takes place.
  • Gravatar and fitch August 7th, 2014 at 07:45
    Safety Brandon Meriweather is returning to the Washington Redskins.
  • Gravatar Trent August 15th, 2014 at 20:08
    I know this site offers quality dependent content and
    additional information, is there any other website which gives such information in quality?
  • Cheng Lin momma mother contains use returning Nagasawa set off. Don't be for that reason courteous goodness me! Normal water this little ones express, {nevertheless|although|nonetheless|however , k .
  • Gravatar activity tracker Watch Sleep August 31st, 2014 at 23:10
    I must thank you for the efforts you have put in penning this site.
    I'm hoping to see the same high-grade content from
    you in the future as well. In fact, your creative writing abilities has motivated me to get my very own blog now ;)