It is possible to use two types of authentication, Windows and UserName, in WCF, using Message security mode and a certificate to authenticate. My UserName authentication config/code looks like this:
Server cfg:
<?xml version="1.0"?>
<configuration>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceCredentialsBehavior">
          <serviceCredentials>
            <serviceCertificate findValue="cn=cool" storeName="TrustedPeople" storeLocation="CurrentUser" />
            <userNameAuthentication userNamePasswordValidationMode="Custom"
                                    customUserNamePasswordValidatorType="Util.CustomUserNameValidator, Util" />
          </serviceCredentials>
          <serviceMetadata httpGetEnabled="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service behaviorConfiguration="ServiceCredentialsBehavior" name="Service">
        <endpoint address="" binding="wsHttpBinding" bindingConfiguration="MessageAndUserName"
                  name="SecuredByTransportEndpoint" contract="IService" />
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding name="MessageAndUserName">
          <security mode="Message">
            <message clientCredentialType="UserName" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <client />
  </system.serviceModel>
  <system.web>
    <compilation debug="true" />
  </system.web>
</configuration>
Client cfg:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <behaviors>
      <endpointBehaviors>
        <behavior name="LocalCertValidation">
          <clientCredentials>
            <serviceCertificate>
              <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="CurrentUser" />
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <bindings>
      <wsHttpBinding>
        <binding name="WSHttpBinding_IService">
          <security mode="Message">
            <message clientCredentialType="UserName" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <client>
      <endpoint address="http://localhost:48097/WCFServer/Service.svc"
                binding="wsHttpBinding"
                bindingConfiguration="WSHttpBinding_IService"
                contract="ServiceReference1.IService"
                name="WSHttpBinding_IService"
                behaviorConfiguration="LocalCertValidation">
        <identity>
          <dns value="cool" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
What do I need to change so that the server knows the Windows identity that accesses it?
Interesting question! If you really need to have a mix of authentication, you could try having transport set as one authentication type, and message as the other. I have no idea if this would work in practice, but it seems reasonable given that you can configure them separately :)
You could see if you can set something similar to the below for your binding to pick up the windows credentials (wsHttpBinding can handle windows credentials).
<security mode="Transport">
  <transport clientCredentialType="Whatever your authentication method is" />
  <message clientCredentialType="Windows" />
</security>
If you try it, let me know if it works!
EDIT:
Oh, according to the documentation it is possible to do mixed authentication. You have to set the mode to "Mixed", so the config might look something like this:
<!-- the "mixed" mode described in the documentation is configured on wsHttpBinding
     as TransportWithMessageCredential; "mixed" itself is not a valid mode value -->
<security mode="TransportWithMessageCredential">
  <transport clientCredentialType="Whatever your authentication method is" />
  <message clientCredentialType="Windows" />
</security>
From the documentation:
Mixed security. Mixed security gives you the best of both worlds: transport security ensures the integrity and confidentiality of the messages, while the user credentials and claims are encapsulated in every message as in message security. This allows you to use a variety of user credentials that are not possible with strict transport security mechanisms, and to leverage transport security’s performance.
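As an added example (not from the question or the answer above), here is a different way to reach the same goal without mixed mode: keep Message security and expose two endpoints on the same service, one whose binding takes UserName credentials (unchanged from the question) and one whose binding takes Windows credentials. Each endpoint gets a relative address under the .svc base address; the names "username", "windows", "UserNameEndpoint", "WindowsEndpoint" and "MessageAndWindows" are assumptions chosen for this example, everything else reuses the question's values.

```xml
<?xml version="1.0"?>
<configuration>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceCredentialsBehavior">
          <serviceCredentials>
            <!-- the same certificate as in the question; it encrypts the
                 username/password token sent to the UserName endpoint -->
            <serviceCertificate findValue="cn=cool" storeName="TrustedPeople" storeLocation="CurrentUser" />
            <userNameAuthentication userNamePasswordValidationMode="Custom"
                                    customUserNamePasswordValidatorType="Util.CustomUserNameValidator, Util" />
          </serviceCredentials>
          <serviceMetadata httpGetEnabled="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service behaviorConfiguration="ServiceCredentialsBehavior" name="Service">
        <!-- endpoint for username/password clients (the question's existing setup);
             relative address "username" and endpoint name are assumptions -->
        <endpoint address="username" binding="wsHttpBinding" bindingConfiguration="MessageAndUserName"
                  name="UserNameEndpoint" contract="IService" />
        <!-- endpoint for Windows clients; the caller's WindowsIdentity is what the
             service sees on this endpoint; address and name are assumptions -->
        <endpoint address="windows" binding="wsHttpBinding" bindingConfiguration="MessageAndWindows"
                  name="WindowsEndpoint" contract="IService" />
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding name="MessageAndUserName">
          <security mode="Message">
            <message clientCredentialType="UserName" />
          </security>
        </binding>
        <!-- binding name is an assumption -->
        <binding name="MessageAndWindows">
          <security mode="Message">
            <message clientCredentialType="Windows" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
  </system.serviceModel>
</configuration>
```

Inside a service operation, `ServiceSecurityContext.Current.PrimaryIdentity` exposes the authenticated caller on both endpoints: a `WindowsIdentity` for calls through the Windows endpoint, and a generic identity carrying the name accepted by `CustomUserNameValidator` for calls through the UserName endpoint. A Windows client points at the `windows` address with a binding whose `<message clientCredentialType="Windows" />`, and does not set a username; the `<dns value="cool" />` identity in the question's client config belongs to the certificate-protected UserName endpoint, not to the Windows one. Because the UserName endpoint sends the password inside the message, the client-side `PeerTrust` validation of the service certificate is what stops the credential from being offered to an unintended service, so keep that behavior on the UserName endpoint.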