Transport Security with Windows Authentication

 

The following scenario shows a Windows Communication Foundation (WCF) client and service secured by Windows security. For more information about programming, see How to: Secure a Service with Windows Credentials.

An intranet Web service displays human resources information. The client is a Windows Form application. The application is deployed in a domain with a Kerberos controller securing the domain.

Transport security with Windows authentication

CharacteristicDescription
Security ModeTransport
InteroperabilityWCF only
Authentication (Server)

Authentication (Client)
Yes (using Windows integrated authentication)

Yes (using Windows integrated authentication)
IntegrityYes
ConfidentialityYes
TransportNET.TCP
BindingNetTcpBinding

The following code and configuration are meant to run independently. Do one of the following:

  • Create a stand-alone service using the code with no configuration.

  • Create a service using the supplied configuration, but do not define any endpoints.

Code

The following code shows how to create a service endpoint that uses a Windows security.

            // Create the binding.
            NetTcpBinding binding = new NetTcpBinding();
            binding.Security.Mode = SecurityMode.Transport;
            binding.Security.Transport.ClientCredentialType =
                TcpClientCredentialType.Windows;

            // Create the URI for the endpoint.
            Uri netTcpUri = new Uri("net.tcp://localhost:8008/Calculator");

            // Create the service host and add an endpoint.
            ServiceHost myServiceHost = new ServiceHost(typeof(Calculator), netTcpUri);
            myServiceHost.AddServiceEndpoint(typeof(ServiceModel.ICalculator), binding, "");

            // Open the service.
            myServiceHost.Open();
            Console.WriteLine("Listening...");
            Console.ReadLine();

            // Close the service.
            myServiceHost.Close();

Configuration

The following configuration can be used instead of the code to set up the service endpoint:

<?xml version="1.0" encoding="utf-8"?>  
<configuration>  
  <system.serviceModel>  
    <behaviors />  
    <services>  
      <service behaviorConfiguration="" name="ServiceModel.Calculator">  
        <endpoint address="net.tcp://localhost:8008/Calculator"   
                  binding="netTcpBinding"  
          bindingConfiguration="WindowsClientOverTcp"   
                  name="WindowsClientOverTcp"  
                  contract="ServiceModel.ICalculator" />  
      </service>  
    </services>  
    <bindings>  
      <netTcpBinding>  
        <binding name="WindowsClientOverTcp">  
          <security mode="Transport">  
            <transport clientCredentialType="Windows" />  
          </security>  
        </binding>  
      </netTcpBinding>  
    </bindings>  
    <client />  
  </system.serviceModel>  
</configuration>  

The following code and configuration are meant to run independently. Do one of the following:

  • Create a stand-alone client using the code (and client code).

  • Create a client that does not define any endpoint addresses. Instead, use the client constructor that takes the configuration name as an argument. For example:

                CalculatorClient cc = new CalculatorClient("EndpointConfigurationName");
    

Code

The following code creates the client. The binding is configured to use the Transport mode security, with the TCP transport, with the client credential type set to Windows.

            // Create the binding.
            NetTcpBinding myBinding = new NetTcpBinding();
            myBinding.Security.Mode = SecurityMode.Transport;
            myBinding.Security.Transport.ClientCredentialType =
                TcpClientCredentialType.Windows;

            // Create the endpoint address.
            EndpointAddress myEndpointAddress = new
                EndpointAddress("net.tcp://localhost:8008/Calculator");

            // Create the client. The code for the calculator client 
            // is not shown here. See the sample applications
            // for examples of the calculator code.	
            CalculatorClient cc =
                new CalculatorClient(myBinding, myEndpointAddress);
            try
            {
                cc.Open();

                // Begin using the client.
                Console.WriteLine(cc.Add(100, 11));
                Console.ReadLine();

                // Close the client.
                cc.Close();
            }

Configuration

The following configuration can be used instead of the code to create the client.

<?xml version="1.0" encoding="utf-8"?>  
<configuration>  
  <system.serviceModel>  
    <bindings>  
      <netTcpBinding>  
        <binding name="NetTcpBinding_ICalculator" >  
          <security mode="Transport">  
            <transport clientCredentialType="Windows" />  
          </security>  
        </binding>  
      </netTcpBinding>  
    </bindings>  
    <client>  
      <endpoint address="net.tcp://localhost:8008/Calculator"   
                binding="netTcpBinding"            
                bindingConfiguration="NetTcpBinding_ICalculator"   
                contract="ICalculator"  
                name="NetTcpBinding_ICalculator">  
      </endpoint>  
    </client>  
  </system.serviceModel>  
</configuration>  

Security Overview
How to: Secure a Service with Windows Credentials
Security Model for Windows Server App Fabric

Show: