Export (0) Print
Expand All

MessageSecurityOverHttp.NegotiateServiceCredential Property

Gets or sets a value that indicates whether the service credential is provisioned at the client out of band or is obtained from the service through a process of negotiation.

Namespace:  System.ServiceModel
Assembly:  System.ServiceModel (in System.ServiceModel.dll)

public bool NegotiateServiceCredential { get; set; }

Property Value

Type: System.Boolean
true if service credential is obtained through a process of negotiation; otherwise, false. The default is true.

Setting this property to true, requires WS-Trust and WS-SecureConversation to be supported by the client and the service. Setting this property to false does not require WS-Trust or WS-SecureConversation to be supported.

For Anonymous, Username or Certificate client credential types, setting this property to false implies that the service certificate must be available at the client out of band and that the client must specify the service's certificate to use.

In the case of Windows credentials, setting this property to false causes an authentication based on KerberosToken. This requires that the client and service be part of a Kerberos domain. This mode is interoperable with SOAP stacks that implement the Kerberos token profile from OASIS. Setting this property to true causes a SOAP negotiation that tunnels SPNego exchange over SOAP messages. This mode is not interoperable.

This property indicates whether the service credential is negotiated automatically between the client and the service. If this property is true, then such negotiation occurs. If this property is false, then the service credentials must be specified at the client before communication with the service can occur.

If this property is set to false, and the binding is configured to use Windows as a client credential type, the service account must be associated with a Service Principal Name (SPN). To do this, run the service under the NETWORK SERVICE account, or LOCAL SYSTEM account. Alternatively, use the SetSpn.exe tool to create an SPN for the service account. In either case, the client must use the correct SPN in the <servicePrincipalName> element, or by using the EndpointAddress constructor. For more information, see Service Identity and Authentication.

The following code shows how to access and set this property.

WSHttpBinding binding = new WSHttpBinding();
binding.Security.Mode = SecurityMode.Message;
binding.Security.Message.ClientCredentialType =
    MessageCredentialType.UserName;
binding.Security.Message.NegotiateServiceCredential = false;

CalculatorClient CalculatorClient = new CalculatorClient("myBinding");
CalculatorClient.ClientCredentials.ServiceCertificate.
    SetDefaultCertificate("Al", StoreLocation.CurrentUser, StoreName.My);

.NET Framework

Supported in: 4.5.2, 4.5.1, 4.5, 4, 3.5, 3.0

.NET Framework Client Profile

Supported in: 4, 3.5 SP1

Windows 8.1, Windows Server 2012 R2, Windows 8, Windows Server 2012, Windows 7, Windows Vista SP2, Windows Server 2008 (Server Core Role not supported), Windows Server 2008 R2 (Server Core Role supported with SP1 or later; Itanium not supported)

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

Show:
© 2014 Microsoft