WCF Service accepting both username/password and certificate credentials

On a recent project, I had the requirement to support both username/password and certificate login simultaneously. With .NET Framework 4.5, WCF allows you to specify multiple authentication schemes on a single endpoint using the new clientCredentialType="InheritedFromHost". Unfortunately, we used .NET Framework 4.0 and could not upgrade. So I had to create two endpoints with different addresses. Unfortunately, I couldn’t get that to work with basicHttpBinding, which we were using. I got error messages similar to “Security settings for this service require ‘Anonymous’ Authentication but it is not enabled for the IIS application that hosts this service”. So a solution that worked in this scenario was to switch to wsHttpBinding and message credentials:

  <system.serviceModel>
    <services>
      <service name="MyService">
        <endpoint address="Password" binding="wsHttpBinding" bindingConfiguration="Password"
          name="GetListingResponder" contract="IMyContract" />
        <endpoint address="Certificate" binding="wsHttpBinding" bindingConfiguration="Certificate"
          name="GetListingResponder" contract="IMyContract" />
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding name="Password">
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="Windows"/>
          </security>
        </binding>
        <binding name="Certificate">
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="Certificate"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
  </system.serviceModel>

Security mode TransportWithMessageCredential means that the transport (SSL/TLS) provides encryption, integrity and server authentication, while the client is authenticated by the credential carried in the SOAP message.

The client is also configured with two endpoints:

    <client>
      <endpoint address="https://localhost/MyService/MyService.svc/Password" binding="wsHttpBinding"
        bindingConfiguration="Password" contract="IMyContract"
        name="MyServicePassword" />
      <endpoint address="https://localhost/MyService/MyService.svc/Certificate" binding="wsHttpBinding"
        bindingConfiguration="Certificate" contract="IMyContract"
        name="MyServiceCertificate" />
    </client>

Which endpoint is used is selected by passing its endpoint configuration name (MyServicePassword or MyServiceCertificate) to the client proxy constructor.
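The following added example (not code from the original post) shows a client picking one of the two endpoints by name and attaching the matching credential. It uses ChannelFactory<T>, which takes the same endpoint configuration name as a generated proxy constructor. The Ping operation and the MyServiceClient helper are hypothetical, since the post does not show the members of IMyContract, and the certificate thumbprint is supplied by the caller.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Assumption: the post does not show IMyContract's operations; Ping is hypothetical.
[ServiceContract]
public interface IMyContract
{
    [OperationContract]
    string Ping();
}

public static class MyServiceClient
{
    // Endpoint names below come from the <client> section of the post.
    public static ChannelFactory<IMyContract> ForPassword(string user, string password, string domain)
    {
        var factory = new ChannelFactory<IMyContract>("MyServicePassword");
        // The "Password" binding uses clientCredentialType="Windows",
        // so the user name and password must belong to a Windows account.
        factory.Credentials.Windows.ClientCredential = new NetworkCredential(user, password, domain);
        return factory;
    }

    public static ChannelFactory<IMyContract> ForCertificate(string thumbprint)
    {
        var factory = new ChannelFactory<IMyContract>("MyServiceCertificate");
        // Load the client certificate (with private key) from the current user's store.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindByThumbprint, thumbprint);
        return factory;
    }

    public static string Call(ChannelFactory<IMyContract> factory)
    {
        IMyContract channel = factory.CreateChannel();
        try
        {
            string result = channel.Ping();
            ((IClientChannel)channel).Close();
            return result;
        }
        catch
        {
            // A faulted channel cannot be closed cleanly; abort it and rethrow.
            ((IClientChannel)channel).Abort();
            throw;
        }
    }
}
```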
