WCF Service accepting both username/password and certificate credentials

On a recent project, I had the requirement to support both username/password and certificate login simultaneously. With .NET Framework 4.5, WCF allows you to specify multiple authentication schemes on a single endpoint using the new clientCredentialType="InheritedFromHost". Unfortunately, we used .NET Framework 4.0 and could not upgrade. So I had to create two endpoints with different addresses. Unfortunately, I couldn’t get that to work with basicHttpBinding, which we were using. I got error messages similar to “Security settings for this service require ‘Anonymous’ Authentication but it is not enabled for the IIS application that hosts this service”. So a solution that worked in this scenario was to switch to wsHttpBinding and message credentials:

      <service name="MyService">
        <endpoint address="Password" binding="wsHttpBinding" bindingConfiguration="Password"
          name="GetListingResponder" contract="IMyContract" />
        <endpoint address="Certificate" binding="wsHttpBinding" bindingConfiguration="Certificate"
          name="GetListingResponder" contract="IMyContract" />
      </service>
      <!-- Binding configurations go under <bindings>, not inside <service> -->
      <bindings>
        <wsHttpBinding>
          <binding name="Password">
            <security mode="TransportWithMessageCredential">
              <message clientCredentialType="Windows"/>
            </security>
          </binding>
          <binding name="Certificate">
            <security mode="TransportWithMessageCredential">
              <message clientCredentialType="Certificate"/>
            </security>
          </binding>
        </wsHttpBinding>
      </bindings>

Security mode TransportWithMessageCredential means that SSL is used for encryption, while the credential carried in the message is used for authentication.

The client is also configured with two endpoints:

      <endpoint address="https://localhost/MyService/MyService.svc/Password" binding="wsHttpBinding"
        bindingConfiguration="Password" contract="IMyContract"
        name="MyServicePassword" />
      <endpoint address="https://localhost/MyService/MyService.svc/Certificate" binding="wsHttpBinding"
        bindingConfiguration="Certificate" contract="IMyContract"
        name="MyServiceCertificate" />

Which endpoint is used can be specified by passing its name as the parameter to the client proxy constructor.
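As an added example (not code from the original post), this is how a client could choose one of the two endpoints by name and attach the matching credential. The operation `GetListing`, the hand-written proxy `MyContractClient`, and the placeholder thumbprint and account values are assumptions; the client config is assumed to also define the "Password" and "Certificate" bindings shown for the service.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Hypothetical contract shape; the post names IMyContract but shows no operations.
[ServiceContract]
public interface IMyContract
{
    [OperationContract]
    string GetListing(string id);
}

// Minimal hand-written proxy; a generated proxy exposes the same constructor.
public class MyContractClient : ClientBase<IMyContract>, IMyContract
{
    public MyContractClient(string endpointConfigurationName) : base(endpointConfigurationName) { }
    public string GetListing(string id) { return Channel.GetListing(id); }
}

public static class Program
{
    // The endpoint name passed to the constructor decides which credential type the service expects.
    static MyContractClient Create(bool useCertificate)
    {
        if (useCertificate)
        {
            var certClient = new MyContractClient("MyServiceCertificate");
            certClient.ClientCredentials.ClientCertificate.SetCertificate(
                StoreLocation.CurrentUser, StoreName.My,
                X509FindType.FindByThumbprint, "<CLIENT-CERT-THUMBPRINT>"); // placeholder
            return certClient;
        }
        var pwClient = new MyContractClient("MyServicePassword");
        // clientCredentialType="Windows": set the account explicitly, or omit this to use the logged-on user.
        pwClient.ClientCredentials.Windows.ClientCredential =
            new NetworkCredential("<user>", "<password>", "<domain>"); // placeholders
        return pwClient;
    }

    public static void Main(string[] args)
    {
        var client = Create(args.Length > 0 && args[0] == "cert");
        try
        {
            Console.WriteLine(client.GetListing("42")); // constructed sample argument
            client.Close();
        }
        // A faulted channel must be aborted, not closed, or Close() throws again.
        catch (CommunicationException) { client.Abort(); throw; }
        catch (TimeoutException) { client.Abort(); throw; }
    }
}
```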

