WCF

How to Enable Windows and NTLM  Authentication on WCF Service

Objective

This document will explain various combinations of IIS and WCF Ntlm/Windows authentication settings.

What is difference between NTLM and WINDOWS authentication in WCF?

Windows authentication = authentication in NTLM + authentication in Active Directory
NTLM authentication = authentication in only NTLM

IIS configuration

For all scenario IIS is configured for Windows authentication. What I mean is Windows Authentication is enabled and all other authentication is disabled.

Navigate to below path to open ApplicationHost.Config file of IIS.

C:\Windows\System32\inetsrv\config\applicationHost.config

Binding used in WCF service

For all scenario basicHttpBinding being used for WCF service.

Scenario #1

Default setting for IIS Applicationhost.Config is

<windowsAuthentication enabled="false">
                    <providers>
                        <add value="Negotiate" />
                        <add value="NTLM" />
                    </providers>
                </windowsAuthentication>

If IIS APP.Config file is having default setting, then we can have any authentication for WCF service corresponding IIS configured; WCF service will run as expected without any error.

Note: SharePoint is running as expected

Browsers Behavior with default settings

  • IE 7.0 is not asking for authentication
  • Fire Fox 3.5.6 is asking user to authenticate

    image1.gif
     
  • Safari 4.0.4 is asking user to authenticate

    image2.gif
Scenario #2

If IIS Applicationhost.Config File setting has been modified as below, where forcefully Windows authentication is enabled for Kerberos then we have to modify service with Windows authentication.

<windowsAuthentication enabled="true">
                    <providers>
                        <add value="Negotiate" />
                        <!--<add value="NTLM" />-->
                    </providers>
                </windowsAuthentication>

WCF configuration setting for Windows authentication should be

<basicHttpBinding>
        <binding name="BasicHttpBinding">
          <security mode ="TransportCredentialOnly">
            <transport clientCredentialType ="Windows"/>
          </security>
        </binding>
      </basicHttpBinding>

Note: SharePoint is running as expected

Browsers Behavior with default settings
  • IE 7.0 is not asking for authentication
  • Fire Fox 3.5.6 is asking user to authenticate

    image3.gif
     
  • Safari 4.0.4 is asking user to authenticate
Scenario #3

If IIS Applicationhost.Config File setting has been modified as below, where forcefully Windows authentication is enabled for NTLM

<windowsAuthentication enabled="true">
                    <providers>
                        <!--<add value="Negotiate" />-->
                    </providers>
 </windowsAuthentication>

And we go with Windows authentication for the service, we will get below error

<basicHttpBinding>
        <binding name="BasicHttpBinding">
          <security mode ="TransportCredentialOnly">
            <transport clientCredentialType ="Windows"/>
          </security>
        </binding>
      </basicHttpBinding>

image3.5.gif

So to remove above error, WCF configuration setting for should be modified for the NTLM authentication.

<basicHttpBinding>
        <binding name="BasicHttpBinding">
          <security mode ="TransportCredentialOnly">
            <transport clientCredentialType ="Ntlm"/>
          </security>
        </binding>
      </basicHttpBinding>

Note: SharePoint is running as expected

Browsers Behavior with default settings
  • IE 7.0 is not asking for authentication
  • Fire Fox 3.5.6 is asking user to authenticate 

    image4.gif
     
  • Safari 4.0.4 is asking user to authenticate

    image5.gif
Summary
Sl No IIS (Applicationhost.Config ) setting WCF (Web.config) setting
1 Default Ntlm and Windows Binding behavior
2 Windowauthentication = true and Value = Negotiate Windows authenticated Bidding behavior
3 Windowauthentication = true and Value = Ntlm Ntlm authenticated Binding behavior

So,
  1. If we have ApplicationHost.Config of IIS configured as default, we can have either of Ntlm or Windows authentications for WCF service.
  2. If we have ApplicationHost.Config of IIS configured as Ntlm, we can have only Ntlm authentication for WCF service.
  3. If we have ApplicationHost.Config of IIS configured as Windows, we can have only Windows authentication for WCF service. 

Up Next
    Ebook Download
    View all
    Learn
    View all
    Get Started

    You need to be a premium member to use this feature. To access it, you'll have to upgrade your membership.

    Become a sharper developer and jumpstart your career.

    Basic

    $0

    $

    . 00

    monthly

    For Basic members:

    • Standard Profile
    • Access learning courses
    • Access free e-books
    • 1x point
    Premium

    $20

    $

    . 00

    monthly

    For Premium members:

    • Earn 2x reward points
    • Premium profile with Verified check
    • Premium Avatar with status update
    • Learning courses
    • Unlimited Certifications and badges on profile
    • Unlimited Book downloads
    • Access to Premium content
    • Online Training
    • Unlimited PDF conversions and downloads
    • Professional Resume Writing
    • Interview Preparations Guide
    • 25 messages per month
    • 1 "Kodzu" avatar, basic
    Elite

    $45

    $

    . 00

    monthly

    For Elite members:

    • Bundle E-books
    • Access to all Learn Series
    • Unlimited Apply Jobs